VM firewall: option to 'reject' output packets instead of 'drop' #3607

Closed
taradiddles opened this Issue Feb 19, 2018 · 11 comments

Comments

@taradiddles

Qubes OS version:

R4.x

Proposed enhancement

Implement an option to reject a VM's outgoing packets instead of dropping them, for VMs with "whitelist" firewalls (= "limit connections to..." in the gui).

The rationale behind rejecting out packets instead of dropping them is to avoid:

  • having to wait for tcp timeouts to find out that there's no network connectivity to a given address
  • breaking functionality of sites that load unwanted (= not whitelisted) third-party sites in a blocking way. When dropping packets, the sites become functional only after the tcp/http request timeouts. The 'manager' site of the Linode cloud provider for instance falls into this category: the site tries to load a third-party support site, and the login page and other functionality appear only when the http request to the support site times out.

Note: rejecting packets means sending icmp unreachable or tcp reset packets from the FirewallVM back to the originating VM; I don't see how this would increase the attack surface on the FirewallVM (how would the reject packets be different from, say, fragmentation needed packets?). But this should be given some thought if the option is to be implemented.

BTW I tried to implement this 'reject' functionality in the various qubes firewall.py files (admin, tests, ...) but I keep on getting errors so I must be missing something.

Workaround: in the VM's network VM (e.g. sys-firewall), insert an nft reject rule at the appropriate position. For instance, add a rule for the VM with ip 10.137.0.7 at handle 22, before the catch-all 'drop' target (the handle number is determined by `nft list table qubes-firewall -a`):

nft insert rule ip qubes-firewall qbs-10-137-0-7 position 22 reject
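As an added illustration of the drop-versus-reject choice discussed above (an example ruleset written for this page, not the table Qubes itself generates, and not the reporter's code), the following standalone nftables ruleset models a per-VM whitelist chain that terminates in reject rather than drop. The table and chain names, the VM address 10.137.0.7 and the whitelisted destinations are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Example only: a per-VM whitelist chain shaped like the qubes-firewall
# table described in the issue. Table and chain names, the VM address
# and the allowed destinations are assumed for illustration.

table ip example-firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections the whitelist already let through.
        ct state established,related accept
        ct state invalid drop

        # Hand new traffic from the VM at 10.137.0.7 to its own chain.
        ip saddr 10.137.0.7 jump vm-10-137-0-7
    }

    chain vm-10-137-0-7 {
        # Allowed destinations ("limit connections to ..." in the GUI).
        ip daddr 203.0.113.10 tcp dport { 80, 443 } accept   # assumed web host (TEST-NET-3)
        ip daddr 10.139.1.1 udp dport 53 accept               # assumed DNS forwarder

        # Everything else is answered immediately instead of dropped:
        # TCP gets a RST, so the client's connect() fails at once instead
        # of waiting for the SYN retransmit timeout; other protocols get an
        # ICMP "administratively prohibited" error, which the sending stack
        # surfaces as an immediate socket error.
        meta l4proto tcp reject with tcp reset
        reject with icmp type admin-prohibited
    }
}
```

The file can be syntax-checked without loading it with `nft -c -f <file>`. It is meant to be read beside the real `qubes-firewall` table (`nft list table ip qubes-firewall -a`) rather than loaded into a Qubes FirewallVM, where the generated ruleset is rewritten whenever firewall settings change. The security-relevant difference is only in what the originating VM observes: with drop it sees silence until its own timers expire, with reject it gets a RST or ICMP error that, as the report notes, is no more exposed to the VM than any other error packet the FirewallVM already returns.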

adrelanos (Member) commented Feb 19, 2018

marmarek (Member) commented Feb 19, 2018

👍 for reject on output

@marmarek marmarek self-assigned this Feb 19, 2018

@marmarek marmarek added this to the Release 4.0 milestone Feb 19, 2018

marmarek (Member) commented Feb 27, 2018

I wonder if this should be the only option - i.e. replace the current "drop" rule. Or make it configurable?

DemiMarie commented Feb 28, 2018

@marmarek I think it should. It is much more user-friendly and just as secure.

donob4n commented Mar 1, 2018

In my opinion only reject would be fine.

qubesos-bot commented May 2, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status May 2, 2018

Closed

core-agent-linux v4.0.27 (r4.0) #496

qubesos-bot commented May 2, 2018

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.27-1.fc26) has been pushed to the r4.0 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented May 2, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.27-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented May 21, 2018

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.28-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented May 21, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented May 21, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.28-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update