Commit Graph

283 Commits

Author SHA1 Message Date
Thomas Leonard
691c4ae745 Update build hash 2019-05-06 10:37:24 +01:00
Thomas Leonard
e15fc8c219 Make example rule more restrictive
In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
2019-05-06 10:35:51 +01:00
Thomas Leonard
eec1e985e5 Add overview of the main components of the firewall 2019-05-06 10:35:51 +01:00
Thomas Leonard
b60d098e96 Give exact types for Packet.src
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
2019-05-06 10:35:51 +01:00
Thomas Leonard
189a736368 Add some types to the rules
Before, we inferred the types from rules.ml and then the compiler
checked that it was consistent with what firewall.ml expected. If it
wasn't it reported the problem as being with firewall.ml, which could be
confusing to users.
2019-05-06 10:35:51 +01:00
Thomas Leonard
acf46b4231 Allow naming hosts and add examples to rules.ml
Previously we passed in the interface, from which it was possible (but
a little difficult) to extract the IP address and compare with some
predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service
or allow SSH between AppVMs.

Requested at
https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
2019-05-06 10:35:51 +01:00
Thomas Leonard
433f3e8f01 Merge pull request #61 from talex5/fix-mac
Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
2019-05-06 10:32:50 +01:00
Thomas Leonard
d7b376d373 Respond to ARP requests for *.*.*.1
This is a work-around to get DHCP working with HVM domains.
See: https://github.com/QubesOS/qubes-issues/issues/5022
2019-05-06 09:57:47 +01:00
Thomas Leonard
8b4cc6f5a9 Improve logging 2019-05-06 09:56:02 +01:00
Thomas Leonard
0a4dd7413c Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
Xen appears to configure the same MAC address for both the frontend
and backend in XenStore, e.g.

    [tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0
    frontend = "/local/domain/19/device/vif/0"
    mac = "00:16:3e:5e:6c:00"
    [...]

    [tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0
    mac = "00:16:3e:5e:6c:00"

This works if the client uses just a simple ethernet device, but fails
if it connects via a bridge. HVM domains have an associated stub domain
running qemu, which provides an emulated network device. The stub domain
uses a bridge to connect qemu's interface with eth0, and this didn't
work.

Force the use of the fixed version of mirage-net-xen, which no longer
uses XenStore to get the backend MAC, and provides a new function to get
the frontend one.
2019-05-06 09:52:46 +01:00
yomimono
65b79208a1 Merge pull request #60 from talex5/await-net-config
Wait if dom0 is slow to set the network configuration
2019-04-30 16:18:08 -05:00
yomimono
321a93aa5d Merge pull request #58 from talex5/advisories
Link to security advisories from README
2019-04-30 16:13:40 -05:00
Thomas Leonard
9d2723a08a Require mirage-nat >= 1.2.0 for ICMP support 2019-04-28 16:10:02 +01:00
Thomas Leonard
c7fc54af02 Wait if dom0 is slow to set the network configuration
Sometimes we boot before dom0 has put the network settings in QubesDB.
If that happens, log a message, wait until the database changes, and
retry.
2019-04-28 16:08:27 +01:00
Thomas Leonard
eb14f7e777 Link to security advisories from README
Also, link from binary installation to deployment section.
2019-04-26 12:39:34 +01:00
Thomas Leonard
5e1588f861 Merge pull request #55 from talex5/fix-icmp
Upgrade to latest mirage-nat to fix ICMP
2019-04-17 11:45:40 +01:00
Thomas Leonard
45eef49c95 Upgrade to latest mirage-nat to fix ICMP
Now ping and traceroute should work.
2019-04-16 18:21:07 +01:00
yomimono
debd34cc3a Merge pull request #52 from talex5/repro-builds
Add patch to cmdliner for reproducible build
2019-04-13 12:15:57 -05:00
yomimono
7000d9a010 Merge pull request #51 from talex5/update-docs
Clarify how to build from source
2019-04-13 12:14:14 -05:00
Thomas Leonard
5958cfed97 Clarify how to build from source 2019-04-08 10:43:30 +01:00
Thomas Leonard
06511e076f Add patch to cmdliner for reproducible build
See https://github.com/dbuenzli/cmdliner/pull/106
2019-04-08 10:35:42 +01:00
yomimono
14461c3960 Merge pull request #49 from talex5/repro-archive
Use source date in .tar.bz2 archive
2019-04-07 18:37:46 -05:00
Thomas Leonard
74479c792e Use source date in .tar.bz2 archive
All files are now added using the date the build-with-docker script was
last changed. Since this includes the hash of the result, it should be
up-to-date. This ensures that rebuilding the archive doesn't change it
in any way.

Reported-by: Holger Levsen
2019-04-05 09:42:12 +01:00
Mindy Preston
88b55acaed Merge pull request #48 from talex5/update-readme
Remove Qubes 3 instructions from README
2019-04-04 12:05:06 -05:00
Thomas Leonard
bd7babeda0 Remove Qubes 3 instructions from README
See https://www.qubes-os.org/news/2019/03/28/qubes-3-2-has-reached-eol/
2019-04-04 11:05:49 +01:00
Thomas Leonard
3fc9790203 Merge pull request #47 from talex5/update-deps
Update dependencies
2019-04-03 19:53:54 +01:00
Thomas Leonard
cb7078633e Update dependencies
Remove pin on mirage 3.4 - it should now be working with the latest
release.
2019-04-03 12:32:13 +01:00
Mindy Preston
7f10c24232 Merge pull request #46 from hannesm/no-14
use Ethernet_wire.sizeof_ethernet instead of a magic '14'
2019-03-25 10:43:13 -05:00
Thomas Leonard
aa405530b4 Merge pull request #45 from yomimono/just-into-cstruct
use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0
2019-03-24 13:33:05 +00:00
Hannes Mehnert
3553a7aa93 use Ethernet_wire.sizeof_ethernet instead of a magic '14' 2019-03-24 14:29:21 +01:00
Thomas Leonard
7f99973a02 Update Docker build for Mirage 3.5 2019-03-24 13:21:39 +00:00
Thomas Leonard
f1a946af4e Merge pull request #44 from xaki23/master
update ocaml version (4.05 to 4.07), pin-down mirage version (3.5 to 3.4)
2019-03-23 17:00:18 +00:00
Mindy
0852aa0f43 use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0 2019-03-22 14:27:40 -05:00
Mindy
d7cd4e2961 typo fix 2019-03-17 20:16:35 -05:00
xaki23
04bea6e9ba update ocaml version (from 4.05 to 4.07), pin-down mirage version (to 3.4, 3.5 is current) 2019-03-06 23:43:49 +01:00
Thomas Leonard
455149249f Merge pull request #43 from mirage/update-readme
Update links from talex5 to mirage
2019-03-01 09:06:31 +00:00
Thomas Leonard
ab88d413c4 Update links from talex5 to mirage 2019-02-26 16:57:40 +00:00
Thomas Leonard
2edb088650 Update to latest Debian and opam
Reported by Honzoo.
2019-02-01 09:36:08 +00:00
Thomas Leonard
4526375a19 Note that Git versions might have different hashes 2019-01-19 10:32:27 +00:00
Ahmed Al-Sudani
ef09eb50ac Update last known build hash 2019-01-16 14:17:09 -05:00
Thomas Leonard
791342d508 Merge pull request #38 from talex5/fix-restart-delay
Don't wait for GUI before attaching client VMs
2019-01-10 13:11:44 +00:00
Thomas Leonard
d849a09a25 Don't wait for GUI before attaching client VMs
If the firewall is restarted while AppVMs are connected, qubesd tries to
reconnect them before starting the GUI agent. However, the firewall was
waiting for the GUI agent to connect before handling the connections.

This led to a 10s delay on restart for each client VM.

Reported by xaki23.
2019-01-10 12:55:48 +00:00
Thomas Leonard
b123abb1d3 Merge pull request #37 from xaki23/master
add stub makefile for qubes-builder
2018-12-01 13:35:15 +00:00
xaki23
184d320a8f add stub makefile for qubes-builder 2018-11-30 00:08:26 +01:00
Thomas Leonard
8ed4289b2a Merge pull request #36 from talex5/fix-docker-build
Update build instructions for latest Fedora
2018-11-04 14:59:48 +00:00
Thomas Leonard
0d0159b56f Update build instructions for latest Fedora
`yum` no longer exists. Also, show how to create a symlink for
/var/lib/docker on build VMs that aren't standalone.

Reported by xaki23.
2018-11-04 14:36:19 +00:00
Thomas Leonard
d6b4dc6a52 Merge pull request #33 from talex5/fix-docker-build
Update Debian base image in Docker build
2018-11-03 18:22:01 +00:00
Thomas Leonard
78e219da8c Update Debian base image in Docker build
Had stopped working:

    Err http://security.debian.org/ jessie/updates/main libxenstore3.0 amd64 4.4.1-9+deb8u10
      404  Not Found [IP: 128.61.240.73 80]

Updated from Debian 8 to Debian 9, and from opam to opam2.
2018-11-03 17:27:48 +00:00
Thomas Leonard
2fd9e6a136 Merge pull request #27 from talex5/qubes-4-readme
Add installation instructions for Qubes 4
2018-01-06 12:35:36 +00:00
Thomas Leonard
b77d91cb20 Add installation instructions for Qubes 4 2018-01-06 12:24:50 +00:00