qubes-mirage-firewall/rules.ml

(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)

(** Put your firewall rules here. *)

open Packet

(* OCaml normally warns if you don't match all fields, but that's OK here. *)
[@@@ocaml.warning "-9"]

(* List your AppVM IP addresses here if you want to match on them in the rules below.
   Any client not listed here will appear as [`Client `Unknown]. *)
let clients = [
  (*
  "10.137.0.12", `Dev;
  "10.137.0.14", `Untrusted;
  *)
]

(* List your external (non-AppVM) IP addresses here if you want to match on them in the rules below.
   Any external machine not listed here will appear as [`External `Unknown]. *)
let externals = [
  (*
  "8.8.8.8", `GoogleDNS;
  *)
]

(** Decide what to do with a packet from a client VM.
    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_client (info : _ info) : action =
  match info with
  (* Examples (add your own rules here): *)
  (*
  | { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
  | { src = `Client _; dst = `Client _; proto = `TCP _; packet }
                                        when not (is_tcp_start packet) -> `Accept
  | { dst = `External `GoogleDNS } -> `Drop "block Google DNS"
  *)
  | { dst = (`External _ | `NetVM) } -> `NAT
  | { dst = `Client_gateway; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
  | { dst = (`Client_gateway | `Firewall_uplink) } -> `Drop "packet addressed to firewall itself"
  | { dst = `Client _ } -> `Drop "prevent communication between client VMs by default"

(** Decide what to do with a packet received from the outside world.
    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_netvm (info : _ info) : action =
  match info with
  | _ -> `Drop "drop by default"
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>`
			`See the README file for details. *)`

			`(** Put your firewall rules here. *)`

			`open Packet`

			`(* OCaml normally warns if you don't match all fields, but that's OK here. *)`
			`[@@@ocaml.warning "-9"]`

Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 11:25:19 +00:00			`(* List your AppVM IP addresses here if you want to match on them in the rules below.`
			Any client not listed here will appear as [`Client `Unknown]. *)
			`let clients = [`
			`(*`
			"10.137.0.12", `Dev;
			"10.137.0.14", `Untrusted;
			`*)`
			`]`

			`(* List your external (non-AppVM) IP addresses here if you want to match on them in the rules below.`
			Any external machine not listed here will appear as [`External `Unknown]. *)
			`let externals = [`
			`(*`
			"8.8.8.8", `GoogleDNS;
			`*)`
			`]`

Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`(** Decide what to do with a packet from a client VM.`
			`Note: If the packet matched an existing NAT rule then this isn't called. *)`
Add some types to the rules Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't it reported the problem as being with firewall.ml, which could be confusing to users. 2019-04-17 09:26:32 +00:00			`let from_client (info : _ info) : action =`
			`match info with`
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 11:25:19 +00:00			`(* Examples (add your own rules here): *)`
			`(*`
			\| { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
			\| { src = `Client _; dst = `Client _; proto = `TCP _; packet }
			when not (is_tcp_start packet) -> `Accept
			\| { dst = `External `GoogleDNS } -> `Drop "block Google DNS"
			`*)`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00			\| { dst = (`External _ \| `NetVM) } -> `NAT
			\| { dst = `Client_gateway; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			\| { dst = (`Client_gateway \| `Firewall_uplink) } -> `Drop "packet addressed to firewall itself"
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 11:25:19 +00:00			\| { dst = `Client _ } -> `Drop "prevent communication between client VMs by default"
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00
			`(** Decide what to do with a packet received from the outside world.`
			`Note: If the packet matched an existing NAT rule then this isn't called. *)`
Add some types to the rules Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't it reported the problem as being with firewall.ml, which could be confusing to users. 2019-04-17 09:26:32 +00:00			`let from_netvm (info : _ info) : action =`
			`match info with`
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			\| _ -> `Drop "drop by default"