qubes-mirage-firewall/rules.ml

(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)

(** Put your firewall rules in this file. *)

open Packet   (* Allow us to use definitions in packet.ml *)

(* List your AppVM IP addresses here if you want to match on them in the rules below.
   Any client not listed here will appear as [`Client `Unknown]. *)
let clients = [
  (*
  "10.137.0.12", `Dev;
  "10.137.0.14", `Untrusted;
  *)
]

(* List your external (non-AppVM) IP addresses here if you want to match on them in the rules below.
   Any external machine not listed here will appear as [`External `Unknown]. *)
let externals = [
  (*
  "8.8.8.8", `GoogleDNS;
  *)
]

(* OCaml normally warns if you don't match all fields, but that's OK here. *)
[@@@ocaml.warning "-9"]

(** This function decides what to do with a packet from a client VM.

    It takes as input an argument [info] (of type [Packet.info]) describing the
    packet, and returns an action (of type [Packet.action]) to perform.

    See packet.ml for the definitions of [info] and [action].

    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_client (info : ([`Client of _], _) Packet.info) : Packet.action =
  match info with
  (* Examples (add your own rules here):

     1. Allows Dev to send SSH packets to Untrusted.
        Note: responses are not covered by this!
     2. Allows Untrusted to reply to Dev.
     3. Blocks an external site.

     In all cases, make sure you've added the VM name to [clients] or [externals] above, or it won't
     match anything! *)
  (*
  | { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
  | { src = `Client `Untrusted; dst = `Client `Dev; proto = `TCP _; packet }
                                        when not (is_tcp_start packet) -> `Accept
  | { dst = `External `GoogleDNS } -> `Drop "block Google DNS"
  *)
  | { dst = (`External _ | `NetVM) } -> `NAT
  | { dst = `Firewall; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
  | { dst = `Firewall } -> `Drop "packet addressed to firewall itself"
  | { dst = `Client _ } -> `Drop "prevent communication between client VMs by default"

(** Decide what to do with a packet received from the outside world.
    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_netvm (info : ([`NetVM | `External of _], _) Packet.info) : Packet.action =
  match info with
  | _ -> `Drop "drop by default"
Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00			`(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>`
			`See the README file for details. *)`

Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			`(** Put your firewall rules in this file. *)`
Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00
Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			`open Packet (* Allow us to use definitions in packet.ml *)`
Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 07:25:19 -04:00			`(* List your AppVM IP addresses here if you want to match on them in the rules below.`
			Any client not listed here will appear as [`Client `Unknown]. *)
			`let clients = [`
			`(*`
			"10.137.0.12", `Dev;
			"10.137.0.14", `Untrusted;
			`*)`
			`]`

			`(* List your external (non-AppVM) IP addresses here if you want to match on them in the rules below.`
			Any external machine not listed here will appear as [`External `Unknown]. *)
			`let externals = [`
			`(*`
			"8.8.8.8", `GoogleDNS;
			`*)`
			`]`

Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			`(* OCaml normally warns if you don't match all fields, but that's OK here. *)`
			`[@@@ocaml.warning "-9"]`

			`(** This function decides what to do with a packet from a client VM.`

			`It takes as input an argument [info] (of type [Packet.info]) describing the`
			`packet, and returns an action (of type [Packet.action]) to perform.`

			`See packet.ml for the definitions of [info] and [action].`

Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00			`Note: If the packet matched an existing NAT rule then this isn't called. *)`
Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			let from_client (info : ([`Client of _], _) Packet.info) : Packet.action =
Add some types to the rules Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't it reported the problem as being with firewall.ml, which could be confusing to users. 2019-04-17 05:26:32 -04:00			`match info with`
Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			`(* Examples (add your own rules here):`

			`1. Allows Dev to send SSH packets to Untrusted.`
			`Note: responses are not covered by this!`
Make example rule more restrictive In the (commented-out) example rules, instead of allowing any client to continue a TCP flow with any other client, just allow Untrusted to reply to Dev. This is all that is needed to make the SSH example work. 2019-05-03 06:12:58 -04:00			`2. Allows Untrusted to reply to Dev.`
Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			`3. Blocks an external site.`

			`In all cases, make sure you've added the VM name to [clients] or [externals] above, or it won't`
			`match anything! *)`
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 07:25:19 -04:00			`(*`
			\| { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
Make example rule more restrictive In the (commented-out) example rules, instead of allowing any client to continue a TCP flow with any other client, just allow Untrusted to reply to Dev. This is all that is needed to make the SSH example work. 2019-05-03 06:12:58 -04:00			\| { src = `Client `Untrusted; dst = `Client `Dev; proto = `TCP _; packet }
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 07:25:19 -04:00			when not (is_tcp_start packet) -> `Accept
			\| { dst = `External `GoogleDNS } -> `Drop "block Google DNS"
			`*)`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 06:32:57 -05:00			\| { dst = (`External _ \| `NetVM) } -> `NAT
Combine Client_gateway and Firewall_uplink Before, we used Client_gateway for the IP address of the firewall on the client network and Firewall_uplink for its address on the uplink network. However, Qubes 4 uses the same IP address for both, so we can't separate these any longer, and there doesn't seem to be any advantage to keeping them separate anyway. 2019-05-16 14:18:31 -04:00			\| { dst = `Firewall; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
			\| { dst = `Firewall } -> `Drop "packet addressed to firewall itself"
Allow naming hosts and add examples to rules.ml Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ. 2019-04-11 07:25:19 -04:00			\| { dst = `Client _ } -> `Drop "prevent communication between client VMs by default"
Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00
			`(** Decide what to do with a packet received from the outside world.`
			`Note: If the packet matched an existing NAT rule then this isn't called. *)`
Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. 2019-04-17 06:03:17 -04:00			let from_netvm (info : ([`NetVM \| `External of _], _) Packet.info) : Packet.action =
Add some types to the rules Before, we inferred the types from rules.ml and then the compiler checked that it was consistent with what firewall.ml expected. If it wasn't it reported the problem as being with firewall.ml, which could be confusing to users. 2019-04-17 05:26:32 -04:00			`match info with`
Move NAT code to router and add DNS redirects 2015-12-30 11:07:16 -05:00			\| _ -> `Drop "drop by default"