Allow naming hosts and add examples to rules.ml #54
Conversation
Oh, this is good! I actually have a feature/example request along these lines: this probably needs to go in from_netvm in rules.ml, and the basic idea of what I am using on a Linux fw in that role currently is something like... I would be very happy with an example of how to write this hardcoded for each dest already. Bonus would be to have "take the right part of the port, check if there is a downstream VM that matches" as a "dynamic rule".
@xaki23: we'd probably need a new So, you'd need to add some code to firewall.ml to look up a client, perhaps based on its name in the
I've pushed a couple more commits on this branch:

Add some types to the rules
Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't consistent then it reported the problem as being with firewall.ml, which could be confusing to users.

Give exact types for

Being able to use prefixes like 10.137.0.0/24 for source and destination would be a nice addition here as well.
@yomimono: I've made the (commented) example rule a bit more restrictive - now only Untrusted can reply to Dev. Does that address your concerns about it? @dakka2: Matching whole networks sounds useful, but let's make it a separate issue. I've also added a section to the README describing the components of the firewall, plus a diagram.
Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't it reported the problem as being with firewall.ml, which could be confusing to users.
Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`.
In the (commented-out) example rules, instead of allowing any client to continue a TCP flow with any other client, just allow Untrusted to reply to Dev. This is all that is needed to make the SSH example work.
Fixes #18.
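To make the typed-host design described in the commit messages concrete, here is a self-contained OCaml model written for this page; it is not the project's rules.ml or firewall.ml and does not reproduce their API. The tag names (Dev, Untrusted, Google_dns), the 10.137.0.x and 8.8.8.8 addresses, and the record and type shapes are assumptions chosen for illustration. It shows the three points the commits make: IP addresses are named once and rules match on the names; from_client and from_netvm receive exact source types, so a rule that matches an impossible source is a compile error rather than a silent no-match; and narrowing the inter-VM rule to "Untrusted may reply to Dev" still lets the SSH example work while dropping a fresh connection in the other direction.

```ocaml
(* Added example: a standalone model of the typed-host design, not the
   project's rules.ml/firewall.ml. Tags, addresses and type shapes are
   assumptions for illustration. Compile with: ocamlfind ocamlopt -package
   str -o rules_demo rules_demo.ml (no extra libraries are actually used). *)

type client_tag = Dev | Untrusted | Unknown_client
type external_tag = Google_dns | Unknown_external

(* Any host the firewall can see. *)
type host =
  | Client of client_tag
  | External of external_tag
  | NetVM

(* The only sources firewall.ml (in this model) hands to from_netvm.  A
   separate type, rather than reusing [host], is what lets from_netvm
   "know" that src is never a Client. *)
type netvm_src =
  | Src_external of external_tag
  | Src_netvm

type ports = { sport : int; dport : int }
type proto = TCP of ports | UDP of ports | ICMP

type ('src, 'dst) packet = { src : 'src; dst : 'dst; proto : proto }

type action = Accept | NAT | Drop of string

(* User-editable naming tables (assumed addresses).  The lookup happens
   once, so the rules below compare names instead of IP strings. *)
let clients   = [ "10.137.0.12", Dev; "10.137.0.14", Untrusted ]
let externals = [ "8.8.8.8", Google_dns ]

let client_of_ip ip   = try List.assoc ip clients   with Not_found -> Unknown_client
let external_of_ip ip = try List.assoc ip externals with Not_found -> Unknown_external

(* rules.ml side: src is typed [client_tag], so a pattern such as
   [NetVM, _, _] here would be rejected by the compiler. *)
let from_client (p : (client_tag, host) packet) : action =
  match p.src, p.dst, p.proto with
  (* Block one named external service for every AppVM. *)
  | _, External Google_dns, _ -> Drop "blocked external service"
  | _, (External _ | NetVM), _ -> NAT
  (* SSH from Dev to Untrusted, and only the matching reply direction back. *)
  | Dev, Client Untrusted, TCP { dport = 22; _ } -> Accept
  | Untrusted, Client Dev, TCP { sport = 22; _ } -> Accept
  | _, Client _, _ -> Drop "prevent communication between client VMs"

(* Inbound: src is External or NetVM by type; nothing is allowed by default. *)
let from_netvm (_ : (netvm_src, client_tag) packet) : action =
  Drop "drop by default"

(* firewall.ml side (model): classify the addresses, then call the rule
   for the interface the packet arrived on. *)
let decide_from_client ~src_ip ~dst_ip ~dst_is_external proto =
  let dst =
    if dst_is_external then External (external_of_ip dst_ip)
    else Client (client_of_ip dst_ip)
  in
  from_client { src = client_of_ip src_ip; dst; proto }

let string_of_action = function
  | Accept -> "accept"
  | NAT -> "nat"
  | Drop why -> "drop: " ^ why

let () =
  let show label a = Printf.printf "%-28s -> %s\n" label (string_of_action a) in
  show "dev -> untrusted:22"
    (decide_from_client ~src_ip:"10.137.0.12" ~dst_ip:"10.137.0.14"
       ~dst_is_external:false (TCP { sport = 40000; dport = 22 }));
  show "untrusted:22 -> dev (reply)"
    (decide_from_client ~src_ip:"10.137.0.14" ~dst_ip:"10.137.0.12"
       ~dst_is_external:false (TCP { sport = 22; dport = 40000 }));
  show "untrusted -> dev:22"
    (decide_from_client ~src_ip:"10.137.0.14" ~dst_ip:"10.137.0.12"
       ~dst_is_external:false (TCP { sport = 40001; dport = 22 }));
  show "dev -> 8.8.8.8:53"
    (decide_from_client ~src_ip:"10.137.0.12" ~dst_ip:"8.8.8.8"
       ~dst_is_external:true (UDP { sport = 5353; dport = 53 }));
  show "dev -> 1.1.1.1:53"
    (decide_from_client ~src_ip:"10.137.0.12" ~dst_ip:"1.1.1.1"
       ~dst_is_external:true (UDP { sport = 5353; dport = 53 }));
  show "8.8.8.8 -> dev (inbound)"
    (from_netvm { src = Src_external Google_dns; dst = Dev;
                  proto = UDP { sport = 53; dport = 5353 } })
```

The third case is the one the tightened example rule changes: a new connection from Untrusted to Dev's port 22 no longer matches a blanket "any client may continue a TCP flow" rule and falls through to the inter-VM drop, while Untrusted's replies with source port 22 still reach Dev. Matching on the source port is a simplification used here for illustration; a real firewall would track connection state.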