R3.2 updates

awokd 2018-02-24 09:24:08 +00:00 committed by GitHub
parent 6505111653
commit 4ab031a218
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -27,6 +27,9 @@ As a workaround, one can use a browser's network console to see what is blocked,
These drawbacks can be mitigated if one replaces iptable-based rules with a filtering HTTP proxy.
The following describes how to setup a tinyproxy-based proxy in the firewall VM to achieve such filtering.
**Note** This content only describes setup of an HTTP proxy.
This will handle web browsing using HTTP and HTTPS, but this type of proxy does not support other protocols such as IMAP used in Thunderbird.
For that, you need a fully featured proxy which is beyond the scope of this article.
Warning
-------
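Review bot: the added note promises that the proxy "will handle" HTTPS, but an HTTP proxy only tunnels HTTPS, so it (and therefore the host-name filter file described in the Setup section) sees the destination host and never the URL; one sentence saying that HTTPS sites can only be allowed or denied per host would stop readers expecting URL-level filtering. Also put a colon after `**Note**` so it reads as a lead-in to the sentence that follows.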
@ -36,7 +39,7 @@ Tinyproxy has relatively simple code and a reasonable track record to allow to c
It is not advisable to use the proxy in a shared firewall VM against untrusted AppVM to black-list some unwanted connections such as advertisement sites.
A less problematic setup is to white-list possible connections for several trusted and semi-trusted AppVMs within one firewall VM.
Still, for maximum safety one should consider running a separate firewall VM / proxy for each important AppVMs.
Still, for maximum safety one should consider running a separate proxy VM for each important AppVM.
As a counterpoint to this warning, it is important to note that an HTTP proxy decreases the attack surface of AppVMs.
For example, with a proxy the AppVM does not need to make direct DNS connections, so a bug in the kernel or in the browser in that area would not affect the AppVM.
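Review bot: the rewritten sentence switches to "a separate proxy VM", a term the page uses nowhere else; the VM running tinyproxy is called the firewall VM everywhere (two lines above, "within one firewall VM", and throughout Setup, "the firewall VM gateway interface"), so "a separate firewall VM with its own proxy for each important AppVM" keeps one name for one thing. The singular "AppVM" fix itself is correct.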
@ -46,7 +49,7 @@ Also, browsers typically avoid many of the latest and greatest HTTP features whe
Setup
-----
1. Copy this [archive] with the proxy control script, default tinyproxy config and a sample firewall filtering file into the firewall VM and unpack it in `/rw/config` folder there as root:
1. Copy this [archive] with the proxy control script, default tinyproxy config, and a sample firewall filtering file into the firewall VM and unpack it in the `/rw/config` folder there as root:
cd /rw/config
sudo tar xzf .../proxy.tar.xz
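Review bot: the extraction command in this step, `sudo tar xzf .../proxy.tar.xz`, combines the gzip flag `z` with an `.xz` archive; GNU tar honours an explicit compression flag when reading and fails with a gzip format error on an xz file. Use `sudo tar xJf .../proxy.tar.xz`, or drop the flag (`sudo tar xf ...`) and let tar detect the compression. The comma and article fixes in the changed line are fine.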
@ -70,7 +73,7 @@ Setup
One can check the IP address of an AppVM in Qubes VM manager in the VM settings dialog; see the Networking settings under the Basic tab.
The attached archive includes a `tinyproxy/social.10.137.2.13` file with rules for an AppVM allowing connections to Google, Facebook, Linkedin, Livejournal, Youtube, and few other other sites.
One can use it as an example after changing the IP addresses accordingly.
One can use it as an example after changing the IP address accordingly.
When editing the rules, remember to include a `$` at the end of the host name, and to prefix each dot in the host name with a backslash (like `\.`).
This way, the pattern matches the whole host and not just a prefix, and the dot is not interpreted as an instruction to match an arbitrary character according to regular expression syntax.
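Review bot: the regex advice two lines above is incomplete: `$` only anchors the end, so a pattern such as `google\.com$` still matches `evilgoogle.com`; the text should also recommend a `^` at the start (for example `^www\.google\.com$`) or say explicitly when a subdomain-matching prefix is intended. On the changed line, "changing the IP address accordingly" is ambiguous because the IP lives in the file name `social.10.137.2.13`; say "rename the file so it carries the AppVM's IP address". While here, "and few other other sites" in the context line has a doubled word.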
@ -82,9 +85,9 @@ Setup
For each rule file it should print the name, ip address, and network interface of the running AppVMs.
It will also display the id of the tinyproxy process that proxies that AppVM.
The first time, each pid should be `--`.
Each pid will be `--` because we have no running proxies yet.
5. Now run some AppVM with a proxy, and then run:
5. Now, start the AppVM for which you created a rule file, and then run:
sudo /rw/config/tinyproxy/proxyctl.py update
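Review bot: step 5 now has the reader start the AppVM and run `proxyctl.py update` by hand, while step 7 installs the same command in `/rw/config/qubes-firewall-user-script`; a half sentence here ("until step 7 is done, run this manually after starting an AppVM") prevents the impression that a manual `update` is always required. The replacement for "The first time" is clearer, but "we" is the only first-person pronoun on the page; "because no proxies are running yet" keeps the page's voice.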
@ -96,7 +99,7 @@ Setup
sudo /rw/config/tinyproxy/proxyctl.py show
6. Run the browser in the active AppVM and configure it to use the proxy on port 8100 of the firewall VM gateway interface's IP address.
In Qubes VM manager, the IP address is displayed in the Gateway field in the Settings dialog for the firewall VM.
In Qubes VM manager, the IP address is displayed in the Gateway field in the Settings dialog for the AppVM.
In Firefox, go to the Preferences dialog, select Advanced->Network, and click Settings for the Connection section.
In the Connection Settings dialog, select Manual proxy configuration. For the HTTP Proxy field use the IP address of the firewall gateway interface.
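Review bot: pointing at the AppVM's Settings dialog is the right correction (the Gateway shown there is the firewall VM's interface toward that AppVM), but the instruction that follows fills in only the HTTP Proxy field; since the note added at the top now says HTTPS is handled too, this step should also set the SSL Proxy field or tick "Use this proxy server for all protocols", otherwise HTTPS leaves the browser directly and is dropped by the firewall rules of step 8. Skip this if the lines after this hunk already cover it.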
@ -105,11 +108,11 @@ Setup
Go to a test web site.
The browser should either load it (if it was white-listed in the filtering file), or show a page generated by tinyproxy that the page was filtered out.
In the firewall VM, see the `/run/tinyproxy/name/log` file.
In the firewall VM, see the `/run/tinyproxy/<name>/log` file.
For each filtered out website it contains an entry, and one can adjust the filtering file to include the corresponding host.
After changing the file, run either:
sudo /rw/config/tinyproxy/proxyctl.py restart name
sudo /rw/config/tinyproxy/proxyctl.py restart <name>
to restart the proxy with an updated rules file only for the given VM, or
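Review bot: `<name>` is the right placeholder style, but nothing on the page defines it; with the rule file `tinyproxy/social.10.137.2.13` from step 3 as the running example, state whether `<name>` is `social` or the full file name and write the log path out once for that example. In the context line above, "show a page generated by tinyproxy that the page was filtered out" reads better as "show a tinyproxy-generated page saying the request was filtered".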
@ -123,7 +126,7 @@ Setup
If the file does not exist, create it so it looks like this:
#!/usr/bin/bash
#!/bin/sh
/rw/config/tinyproxy/proxyctl.py update
Make sure that the script is owned by root and executable:
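Review bot: `#!/bin/sh` is the better shebang for a one-command script (and `/usr/bin/bash` is not present on every template), but the step never says when Qubes runs `/rw/config/qubes-firewall-user-script`; adding that Qubes invokes it each time it reloads an AppVM's firewall rules, for instance when that AppVM starts, explains why the proxy now starts automatically and why the manual `update` of step 5 is no longer needed.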
@ -132,7 +135,7 @@ Setup
sudo chmod 755 /rw/config/qubes-firewall-user-script
8. In Qubes VM manager, adjust the Firewall rules for each AppVM with a proxy.
In a typical case, when only an HTTP proxy should be permitted for outside connections, simply select "Deny network access except...", make sure that the address list is empty, and then unselect the "Allow ICMP," "DNS", and "Update proxy" checkboxes.
In a typical case, when only the HTTP proxy should be permitted for outside connections, simply select "Deny network access except...", make sure that the address list is empty, and then unselect the "Allow ICMP," "DNS", and "Update proxy" checkboxes.
There is no need to add any special entries for the proxy in the GUI as `proxyctl.py` adds rules for the proxy traffic itself.
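Review bot: the article change is fine; what the step leaves unsaid is the consequence: with "Deny network access except..." and an empty list, plus ICMP, DNS and update proxy unticked, the only path out of the AppVM is the rule `proxyctl.py` installs, so an AppVM with no matching rule file (or a rule file carrying the wrong IP) ends up with no network at all rather than unfiltered access. One sentence to that effect, with a pointer back to `proxyctl.py show` to confirm a rule was installed, would save readers debugging time.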