/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firewallvm logic should be more defensive #311

Closed
marmarek opened this Issue Mar 8, 2015 · 3 comments

Comments

Assignees

@rootkovska rootkovska

Labels
Projects
None yet
Milestone
  Release 1 Beta 2
2 participants
@marmarek @rootkovska
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 25 Jul 2011 08:11 UTC
The common problem I'm encountering for quite a while is when I start a new AppVM and there is momentarily a problem with internet connectivity (due to some unrelated reasons, e.g. poor 3G coverage, etc). In that case the firewall loading logic exits with error if I have some DNS names used in some firewall policies for some AppVMs. This results in lack of connectivity for all AppVMs in the system.

We should make this more resilient -- e.g. load rules one by one and so that if DNS is not avilable at the moment of loading, only the very rules that use DNS names should not be loaded, while others should.

Migrated-From: https://wiki.qubes-os.org/ticket/311

@marmarek marmarek assigned rootkovska Mar 8, 2015

@marmarek marmarek added this to the Release 1 Beta 2 milestone Mar 8, 2015

@marmarek marmarek added bug C: core P: major labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by rafal on 26 Jul 2011 13:27 UTC
But if this rule with a DNS entry is a "deny on match" type, skipping it is unsecure ?
So perhaps we could skip "allow on match" rules (warning user), and fail at "deny on match" rules - but this will hurt functionality anyway.
It looks like the desired behaviour is:

  • if we cannot resolve a name in a firewall rule, warn and nuke net access only to a single VM, and proceed with rules for other VMs.
    Agreed ?
Member

marmarek commented Mar 8, 2015

Comment by rafal on 26 Jul 2011 13:27 UTC
But if this rule with a DNS entry is a "deny on match" type, skipping it is unsecure ?
So perhaps we could skip "allow on match" rules (warning user), and fail at "deny on match" rules - but this will hurt functionality anyway.
It looks like the desired behaviour is:

  • if we cannot resolve a name in a firewall rule, warn and nuke net access only to a single VM, and proceed with rules for other VMs.
    Agreed ?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 26 Jul 2011 13:36 UTC
I hardly doubt any Qubes user (i.e. an enlightened and smart person) would use DNS-based blacklisting rules...

But anyway, the policy you suggested seems reasonable.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 26 Jul 2011 13:36 UTC
I hardly doubt any Qubes user (i.e. an enlightened and smart person) would use DNS-based blacklisting rules...

But anyway, the policy you suggested seems reasonable.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by rafal on 29 Jul 2011 14:58 UTC
Implemented in
http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=8ecd6134d934946c7497a481ca9cf9dcca789ae2
prebeta2 branch.
Member

marmarek commented Mar 8, 2015

Comment by rafal on 29 Jul 2011 14:58 UTC
Implemented in
http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=8ecd6134d934946c7497a481ca9cf9dcca789ae2
prebeta2 branch.

@marmarek marmarek closed this Mar 8, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment