Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Make firewall rules spec more precise

Browse Source 
Define options order and explicitly forbid duplicates.
This commit is contained in:
Marek Marczykowski-Górecki 2018-02-11 19:46:01 +01:00
parent 37523d315a
commit 89ecd9a8fe
No known key found for this signature in database
GPG Key ID: F32894BE9684938A
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
debugging/vm-interface.md
View File

@ -98,19 +98,22 @@ Possible options for a single rule:
echo request, valid only together with `proto=icmp` echo request, valid only together with `proto=icmp`
- `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only packet filtering - `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only packet filtering
Options must appear in the rule in the order listed above. Duplicated options
are forbidden.
Rule matches only when all predicates matches. Only one of `dst4`, `dst6`, Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
`dstname`, `specialtarget` can be used in a single rule. `dstname`, `specialtarget` can be used in a single rule.
If tool applying firewall encounters any parse error (unknown option, invalid If tool applying firewall encounters any parse error (unknown option, invalid
value etc), it should drop all the traffic coming from that `SOURCE_IP`, value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`,
regardless of properly parsed rules. regardless of properly parsed rules.
Example valid rules: Example valid rules:
- `action=accept dst4=8.8.8.8 proto=udp dstports=53-53` - `action=accept dst4=8.8.8.8 proto=udp dstports=53-53`
- `action=drop dst6=2a00:1450:4000::/37 proto=tcp` - `action=drop dst6=2a00:1450:4000::/37 proto=tcp`
- `specialtarget=dns action=accept` - `action=accept specialtarget=dns`
- `specialtarget=dns action=drop proto=tcp` - drop DNS queries sent using TCP - `action=drop proto=tcp specialtarget=dns` - drop DNS queries sent using TCP
- `action=drop` - `action=drop`
### Keys set by VM for passing info to dom0 ### ### Keys set by VM for passing info to dom0 ###