
qubes-firewall may fail to start without downstream DNS #3277

Closed
3hhh opened this Issue Nov 3, 2017 · 9 comments


3hhh commented Nov 3, 2017

Qubes OS version:

4.0rc2

Affected TemplateVMs:

at least debian-8 was tested, probably any

Steps to reproduce the behavior:

  1. Create a proxy or firewall VM without downstream network connectivity (let's assume there is a temporary outage).
  2. Create a new VM [client] using that proxy VM further upstream.
  3. Configure the [client] firewall to allow only access to certain hosts based on DNS hostnames using e.g. qvm-firewall.
  4. Start [client]. <-- This might require a race condition where the [client] firewall rules are provided by dom0 to the proxyVM before the qubes-firewall service is started. It can be tested reliably by shutting down the qubes-firewall service and then starting it after [client]. It takes ~30s on my machine until the service reaches the failed state:
systemctl status qubes-firewall
● qubes-firewall.service - Qubes firewall updater
   Loaded: loaded (/lib/systemd/system/qubes-firewall.service; enabled)
   Active: failed (Result: exit-code) since Fri 2017-11-03 22:14:34 CET; 9min ago
  Process: 2145 ExecStart=/usr/sbin/qubes-firewall (code=exited, status=1/FAILURE)
 Main PID: 2145 (code=exited, status=1/FAILURE)

Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: self.apply_rules(addr, rules)
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: File "/usr/lib/python2.7/dist-packages/qubesagent/firewall.py", line 337, in apply_rules
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: self.apply_rules_family(source, rules, 4)
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: File "/usr/lib/python2.7/dist-packages/qubesagent/firewall.py", line 321, in apply_rules_family
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: iptables = self.prepare_rules(chain, rules, family)
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: File "/usr/lib/python2.7/dist-packages/qubesagent/firewall.py", line 249, in prepare_rules
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: (socket.AF_INET6 if family == 6 else socket.AF_INET))
Nov 03 22:14:34 sys-vpn qubes-firewall[2145]: socket.gaierror: [Errno -3] Temporary failure in name resolution
Nov 03 22:14:34 sys-vpn systemd[1]: qubes-firewall.service: main process exited, code=exited, status=1/FAILURE
Nov 03 22:14:34 sys-vpn systemd[1]: Unit qubes-firewall.service entered failed state.

Actual behavior:

The qubes-firewall service fails to start. This results in some partial iptables rules on [client] and in combination with #3269 effectively disables the qubes-firewall. [client] will have access to whatever it wants once the connectivity is back up.

Expected behavior:

Some fallback, maybe catch the error situation during setup and block all connections on the qubes-firewall as long as there is no downstream DNS connectivity anyway. Resume the setup afterwards. As an alternative one could simply disallow DNS hostnames.

Related issues:

Fixing #3269 will partially fix this one, but still require the user to manually start the qubes-firewall service which entered a failed state.

General notes:

Qubes supports hostnames on qvm-firewall as iptables supports it.

Combining many minor security flaws tends to lead to bigger ones.

@andrewdavidwong andrewdavidwong added this to the Release 4.0 milestone Nov 3, 2017

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Dec 29, 2017

firewall: don't crash the whole qubes-firewall service on DNS fail
If DNS resolution fails, just block the traffic (for this VM), but don't
crash the whole service.

Fixes QubesOS/qubes-issues#3277

@marmarek marmarek referenced this issue in QubesOS/qubes-core-agent-linux Dec 29, 2017

Merged

firewall: don't crash the whole qubes-firewall service on DNS fail #82
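The failure mode from the traceback above and the fix as the commit message describes it, as an added Python example (not the project's own code, but a simplified model of its rule build): in the original path a socket.gaierror escapes the rule build, the whole service dies and no later VM gets its rules; in the fixed path the unresolvable VM fails closed and the loop continues. The resolver, chain names and sample VMs are constructed.

```python
import socket
from typing import Callable, Dict, List

# Constructed model of one VM's rule build: a rule is
# {"action": ..., "dsthost": ...}; output is a list of iptables-style rules.
Resolver = Callable[[str], List[str]]


def prepare_rules_crashing(chain: str, rules: List[dict], resolve: Resolver) -> List[str]:
    """Pre-fix behaviour: a resolver failure propagates out of the rule build."""
    out = []
    for rule in rules:
        for ip in resolve(rule["dsthost"]):  # may raise socket.gaierror
            out.append(f"-A {chain} -d {ip} -j {rule['action']}")
    out.append(f"-A {chain} -j DROP")
    return out


def prepare_rules_hardened(chain: str, rules: List[dict], resolve: Resolver) -> List[str]:
    """Behaviour described in the fix commit: if a hostname cannot be
    resolved, fail closed for this VM only and keep the service alive."""
    out = []
    for rule in rules:
        try:
            ips = resolve(rule["dsthost"])
        except socket.gaierror:
            # Block everything on this chain; the caller goes on to other VMs.
            return [f"-A {chain} -j DROP"]
        out.extend(f"-A {chain} -d {ip} -j {rule['action']}" for ip in ips)
    out.append(f"-A {chain} -j DROP")
    return out


def run_service(vms: Dict[str, List[dict]], resolve: Resolver, prepare) -> Dict[str, List[str]]:
    """Model of the service loop over all downstream VMs, one chain per VM."""
    applied = {}
    for vm, rules in vms.items():
        applied[vm] = prepare(f"qbs-{vm}", rules, resolve)
    return applied


def offline_resolver(hostname: str) -> List[str]:
    """Constructed resolver that never touches the network: one known host,
    everything else fails like the traceback in the issue (errno -3)."""
    table = {"updates.example.org": ["192.0.2.10"]}
    if hostname in table:
        return table[hostname]
    raise socket.gaierror(-3, "Temporary failure in name resolution")


# Constructed sample: two downstream VMs; "client" depends on a name that
# cannot be resolved while DNS is down, "work" on one that can.
SAMPLE_VMS = {
    "client": [{"action": "ACCEPT", "dsthost": "mail.example.net"}],
    "work": [{"action": "ACCEPT", "dsthost": "updates.example.org"}],
}
```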


qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update



qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update



qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update



qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update



qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update



qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc26 has been pushed to the r4.0 testing repository for the Fedora fc26 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update



qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.20-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update



qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.20-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update



qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

