Make example rule more restrictive

In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
Thomas Leonard 2019-05-03 11:12:58 +01:00
parent eec1e985e5
commit e15fc8c219

@ -39,15 +39,14 @@ let from_client (info : ([`Client of _], _) Packet.info) : Packet.action =
1. Allows Dev to send SSH packets to Untrusted. 1. Allows Dev to send SSH packets to Untrusted.
Note: responses are not covered by this! Note: responses are not covered by this!
2. Allows clients to continue existing TCP connections with other clients. 2. Allows Untrusted to reply to Dev.
This allows responses to SSH packets from the previous rule.
3. Blocks an external site. 3. Blocks an external site.
In all cases, make sure you've added the VM name to [clients] or [externals] above, or it won't In all cases, make sure you've added the VM name to [clients] or [externals] above, or it won't
match anything! *) match anything! *)
(* (*
| { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept | { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
| { src = `Client _; dst = `Client _; proto = `TCP _; packet } | { src = `Client `Untrusted; dst = `Client `Dev; proto = `TCP _; packet }
when not (is_tcp_start packet) -> `Accept when not (is_tcp_start packet) -> `Accept
| { dst = `External `GoogleDNS } -> `Drop "block Google DNS" | { dst = `External `GoogleDNS } -> `Drop "block Google DNS"
*) *)
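Review bot: the replacement rule `| { src = `Client `Untrusted; dst = `Client `Dev; proto = `TCP _; packet } when not (is_tcp_start packet) -> `Accept` is wider than the updated comment "Allows Untrusted to reply to Dev" states: it accepts any TCP segment from Untrusted to Dev on any port as long as `is_tcp_start` is false, and there is no check that a Dev-initiated connection actually exists, so this is a stateless flag-based approximation of an established-connection match rather than connection tracking. Consider narrowing the match to the SSH source port as well (if the TCP record exposes one), and wording the comment as "Allows Untrusted to send non-initial TCP segments to Dev (responses to rule 1)" so that readers copying the example understand what it does and does not restrict.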