Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow naming hosts and add examples to rules.ml #54

Merged
merged 6 commits into from May 7, 2019
Merged

Allow naming hosts and add examples to rules.ml #54

merged 6 commits into from May 7, 2019

Conversation

talex5
Copy link
Collaborator

@talex5 talex5 commented Apr 11, 2019
edited

Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service or allow SSH between AppVMs.

Requested at https://groups.google.com/forum/#!msg/qubes-users/BnL0nZGpJOE/csngQzaGBAAJ.

Fixes #18.

@talex5 talex5 force-pushed the rule-examples branch 2 times, most recently from b15b5ed to d826a2f Compare April 12, 2019 13:59
@xaki23
Copy link
Contributor

xaki23 commented Apr 16, 2019

oh, this is good!

i actualy have a feature/example request along these lines:
dnat rules. as in, port-forwards on the way in. for a dmz-fw.

this probably needs to go in from_netvm in rules.ml, and the basic idea of what i am using on a linux fw in that role currently is something like...
"if the dport (both tcp and udp) is between 12340 and 12349, nat to 10.137.0.34 on same port"
the 34 there in the port range and the inner dst ip are "the same", so ports 12880-12889 would go to 10.137.0.88.

i would be very happy with an example of how to write this hardcoded for each dest already.
(could probably come up with that with a lot of attempts thanks to the new examples)

bonus would be to have "take the right part of the port, check if there is a downstream vm that matches" as a "dynamic rule".
(and thats way outside of my ocaml comprehension. math! and string operations! except i am not even sure the dst is a string. or how to check if a clientvm exists.)

@talex5
Copy link
Collaborator Author

talex5 commented Apr 17, 2019

@xaki23 : we'd probably need a new DNAT action for that, although NAT_to might work as a hack. The main problem you'd have is that it currently expects you to give the target as a Packet.host, which for clients means giving it the client object, and you don't have access to that in rules.ml.

So, you'd need to add some code to firewall.ml to look up a client, perhaps based on its name in the clients list.

@talex5
Copy link
Collaborator Author

talex5 commented Apr 17, 2019

I've pushed a couple more commits on this branch:

Add some types to the rules

Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't consistent then it reported the problem as being with firewall.ml, which could be confusing to users.

Give exact types for Packet.src

Before, the packet passed to rules.ml could have any host as its src. Now, from_client knows that src must be a Client, and from_netvm knows that src is External or NetVM.

More doc comments in rules.ml

@dakka2
Copy link

dakka2 commented Apr 27, 2019

being able to use prefixes like 10.137.0.0/24 for source and destination would be a nice addition here as well

@talex5 talex5 force-pushed the rule-examples branch 3 times, most recently from 7dbbd3a to ba98f89 Compare May 3, 2019 10:29
@talex5
Copy link
Collaborator Author

talex5 commented May 3, 2019

@yomimono : I've made the (commented) example rule a bit more restrictive - now only Untrusted can reply to Dev. Does that address your concerns about it?

@dakka2 : Matching whole networks sounds useful, but let's make it a separate issue.

I've also added a section to the README describing the components of the firewall, plus a diagram.

talex5 added 6 commits May 6, 2019 10:35
@talex5
Allow naming hosts and add examples to rules.ml
acf46b4 
Previously we passed in the interface, from which it was possible (but
a little difficult) to extract the IP address and compare with some
predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service
or allow SSH between AppVMs.

Requested at
https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
@talex5
Add some types to the rules
189a736 
Before, we inferred the types from rules.ml and then the compiler
checked that it was consistent with what firewall.ml expected. If it
wasn't it reported the problem as being with firewall.ml, which could be
confusing to users.
@talex5
Give exact types for Packet.src
b60d098 
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
@talex5
Add overview of the main components of the firewall
eec1e98
@talex5
Make example rule more restrictive
e15fc8c 
In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
@talex5
Update build hash
691c4ae
@talex5 talex5 merged commit a93bb95 into mirage:master May 7, 2019
@talex5 talex5 deleted the rule-examples branch May 7, 2019 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

how to use / configure this?
3 participants
@talex5 @xaki23 @dakka2