Qubes Firewall - Add rules to QBS-prefixed chain #974

Closed
cfcs opened this Issue Apr 27, 2015 · 5 comments

cfcs commented Apr 27, 2015

It is a general nuisance that the Qubes firewall (with random intervals / triggered by random UI actions?) decides to add rules to INPUT, OUTPUT, FORWARD and the like.
This behavior makes a complete mess of any custom rules for that domain.

Having specific chains for the Qubes firewall rules would allow us to have -j RETURN targets instead of -j ACCEPT for the automatically generated rules.
The -j ACCEPT forces custom rule writers whose policies don't permit random packets through to end the list of custom rules with -j DROP, effectively disabling the UI-set policies.

Thoughts?
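
The ACCEPT-versus-RETURN point above, as an added example that is not part of the issue or of Qubes' own firewall code: a small Python model of iptables chain traversal, run over constructed rule sets and packets. The addresses 198.51.100.7 and 10.137.0.5, the chain name QBS-FORWARD and a FORWARD policy of ACCEPT are assumptions made for the illustration.

```python
# Added example (not from the issue or from Qubes): a minimal model of
# iptables chain traversal showing why UI rules that end in -j ACCEPT in
# the shared FORWARD chain shadow custom rules, while -j RETURN from a
# dedicated QBS-* chain lets both rule sets apply.
# A rule is (match, target); target is ACCEPT, DROP, RETURN or a user chain.
ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
BUILTIN = {"FORWARD"}   # built-in chains end in a policy; user chains return

def walk(chains, name, pkt, policy=ACCEPT):
    """Verdict for pkt entering chain `name`; None means a user chain ran
    off its end (implicit RETURN) and the caller keeps evaluating."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in (ACCEPT, DROP):
            return target                            # terminating verdict
        if target == RETURN:
            return None                              # back to the caller
        verdict = walk(chains, target, pkt, policy)  # jump into a user chain
        if verdict is not None:
            return verdict
    return policy if name in BUILTIN else None       # assumed policy: ACCEPT

def to_port(p): return lambda pkt: pkt["dport"] == p
def to_host(h): return lambda pkt: pkt["dst"] == h
def any_pkt(pkt): return True

# Layout the issue complains about: UI-generated rules land directly in
# FORWARD with -j ACCEPT, so the custom DROP below can never be reached.
MIXED = {"FORWARD": [
    (to_port(443), ACCEPT),            # UI policy: allow HTTPS anywhere
    (any_pkt, DROP),                   # UI policy: deny everything else
    (to_host("198.51.100.7"), DROP),   # custom rule: dead code
]}

# Proposed layout: UI rules live in QBS-FORWARD (assumed name) and RETURN
# for permitted traffic, so FORWARD continues with the custom rules.
SPLIT = {
    "FORWARD": [
        (any_pkt, "QBS-FORWARD"),
        (to_host("198.51.100.7"), DROP),   # custom rule: now effective
    ],
    "QBS-FORWARD": [
        (to_port(443), RETURN),
        (any_pkt, DROP),
    ],
}

# Constructed sample packets (addresses are placeholders).
HTTPS_TO_BLOCKED = {"dst": "198.51.100.7", "dport": 443}
HTTPS_TO_OTHER = {"dst": "10.137.0.5", "dport": 443}
IRC = {"dst": "10.137.0.5", "dport": 6667}

def verdict(layout, pkt):
    return walk(layout, "FORWARD", pkt)
```

In the MIXED layout the HTTPS packet to the blocked host is accepted before the custom rule is consulted; in the SPLIT layout it returns from the QBS chain and is dropped by the custom rule, while the UI-denied IRC packet is dropped either way.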

marmarek Feb 2, 2016

Member

Those chains could be created per-VM, making customization even easier.
Additionally -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT rule could be put in such per-VM chain - to be able to cut existing connections when setting firewall to "deny" (see #1717)

cfcs Feb 3, 2016

@marmarek: that sounds good!
Although I'm a bit wary of the RELATED selector, as it has port/protocol-specific side-effects - is that really needed?

marmarek Feb 4, 2016

Member

It is useful for example for FTP. If you want to allow only FTP output,
you need this, otherwise you'll transfer any file.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

cfcs Feb 4, 2016

Yes, if you want the kernel to parse, for example, FTP.
Coming from an FTP client, the browser, or anything else that manages to trick the ring 0 parser into believing it's speaking FTP or one of the 10-20 other protocols that the kernel contains parsers for.
I'm not so sure I'd like that.

marmarek Oct 5, 2016

Member

As part of #1815, this has been superseded by using nftables, which is not limited to predefined chains. The new approach uses a qubes-firewall table with appropriate chains and does not modify the default tables (managed by the compatibility iptables tool).
