Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upFirewallvm logic should be more defensive #311
Comments
marmarek
assigned
rootkovska
Mar 8, 2015
marmarek
added this to the Release 1 Beta 2 milestone
Mar 8, 2015
marmarek
added
bug
C: core
P: major
labels
Mar 8, 2015
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Mar 8, 2015
Member
Comment by rafal on 26 Jul 2011 13:27 UTC
But if this rule with a DNS entry is a "deny on match" type, skipping it is unsecure ?
So perhaps we could skip "allow on match" rules (warning user), and fail at "deny on match" rules - but this will hurt functionality anyway.
It looks like the desired behaviour is:
- if we cannot resolve a name in a firewall rule, warn and nuke net access only to a single VM, and proceed with rules for other VMs.
Agreed ?
|
Comment by rafal on 26 Jul 2011 13:27 UTC
|
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Mar 8, 2015
Member
Comment by joanna on 26 Jul 2011 13:36 UTC
I hardly doubt any Qubes user (i.e. an enlightened and smart person) would use DNS-based blacklisting rules...
But anyway, the policy you suggested seems reasonable.
|
Comment by joanna on 26 Jul 2011 13:36 UTC But anyway, the policy you suggested seems reasonable. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Mar 8, 2015
Member
Comment by rafal on 29 Jul 2011 14:58 UTC
Implemented in
http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=8ecd6134d934946c7497a481ca9cf9dcca789ae2
prebeta2 branch.
|
Comment by rafal on 29 Jul 2011 14:58 UTC |
marmarek commentedMar 8, 2015
Reported by joanna on 25 Jul 2011 08:11 UTC
The common problem I'm encountering for quite a while is when I start a new AppVM and there is momentarily a problem with internet connectivity (due to some unrelated reasons, e.g. poor 3G coverage, etc). In that case the firewall loading logic exits with error if I have some DNS names used in some firewall policies for some AppVMs. This results in lack of connectivity for all AppVMs in the system.
We should make this more resilient -- e.g. load rules one by one and so that if DNS is not avilable at the moment of loading, only the very rules that use DNS names should not be loaded, while others should.
Migrated-From: https://wiki.qubes-os.org/ticket/311