Commit Graph

11 Commits

Author SHA1 Message Date
linse
2d78d47591 Support firewall rules with hostnames.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com>
Co-Authored-By: hannes <hannes@mehnert.org>
Co-Authored-By: cfcs <cfcs@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
linse
87df5bdcc0 Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
Thomas Leonard
672c82c43c Combine Client_gateway and Firewall_uplink
Before, we used Client_gateway for the IP address of the firewall on the
client network and Firewall_uplink for its address on the uplink
network. However, Qubes 4 uses the same IP address for both, so we can't
separate these any longer, and there doesn't seem to be any advantage to
keeping them separate anyway.
2019-05-16 19:30:51 +01:00
Thomas Leonard
e15fc8c219 Make example rule more restrictive
In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
2019-05-06 10:35:51 +01:00
Thomas Leonard
b60d098e96 Give exact types for Packet.src
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
2019-05-06 10:35:51 +01:00
Thomas Leonard
189a736368 Add some types to the rules
Before, we inferred the types from rules.ml and then the compiler
checked that it was consistent with what firewall.ml expected. If it
wasn't it reported the problem as being with firewall.ml, which could be
confusing to users.
2019-05-06 10:35:51 +01:00
Thomas Leonard
acf46b4231 Allow naming hosts and add examples to rules.ml
Previously we passed in the interface, from which it was possible (but
a little difficult) to extract the IP address and compare with some
predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service
or allow SSH between AppVMs.

Requested at
https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
2019-05-06 10:35:51 +01:00
Thomas Leonard
a7001a70d2 Allow clients to have any IP address
We previously assumed that Qubes would always give clients IP addresses
on a particular network. However, it is not required to do this and in
fact uses a different network for disposable VMs.

With this change:

- We no longer reject clients with unknown IP addresses
- The `Unknown_client` classification is gone; we have no way to tell
  the difference between a client that isn't connected and an external
  address.
- We now consider every client to be on a point-to-point link and do not
  answer ARP requests on behalf of other clients. Clients should assume
  their netmask is 255.255.255.255 (and ignore /qubes-netmask).

This is a partial fix for #9. It allows disposable VMs to connect to the
firewall but for some reason they don't process any frames we send them
(we get their ARP requests but they don't get our replies). Taking eth0
down in the disp VM, then bringing it back up (and re-adding the routes)
allows it to work.
2016-09-25 16:34:22 +01:00
Thomas Leonard
2002126b8b Rationalised firewall rules syntax
Added explicit NAT target, allowing NAT even within client net and
making it clear that NAT is used externally.

Changed Redirect_to_netvm to NAT_to, and allow specifying any target
host.
2016-01-01 11:32:57 +00:00
Thomas Leonard
ac0444f1c1 Log packet details when dropping 2015-12-31 09:56:58 +00:00
Thomas Leonard
cd69ce5a86 Move NAT code to router and add DNS redirects 2015-12-30 19:34:04 +00:00