fix: remove broken Signal firewall rules

As NFTables converts domain names to IPs on the first query, it is not possible to depend on it to have a stable connection. Implementing a DNS proxy configuration might still be difficult due to the use of CDNs.
2024-10-01 02:35:49 -04:00 · 2024-07-18 16:18:36 +02:00 · 2024-07-18 16:18:36 +02:00 · 3b6901b5d2
commit 3b6901b5d2
parent e00ef4277c
5 changed files with 1 additions and 53 deletions
--- a/salt/signal/README.md
+++ b/salt/signal/README.md
@ -40,17 +40,4 @@ sudo qubesctl state.apply signal.appmenus

 You may use different Signal accounts for different identities, such as
 personal, work or pseudonym. Maintain the `signal` qube pristine and clone it
-to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`. If
-you don't maintain the qube pristine, you will have to apply the firewall
-rules manually.
-
-Signal might loose connectivity due to [upstream rotating IP
-addresses](https://support.signal.org/hc/en-us/articles/360007320291) with the
-use of [CDNs to evade
-blocking](https://signal.org/blog/looking-back-on-the-front/).
-You will have to reapply the firewall rules eventually.
-
-TODO: Is it worth using the firewall? If you allow all [cloudfront.net
-IPs](https://ip-ranges.amazonaws.com/ip-ranges.json) for region "GLOBAL", what
-is blocking an attacker from using that to host his malicious callback server?
-Recently (2023-11-11) signal stopped working with the current firewall.
+to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`.
--- a/salt/signal/create.sls
+++ b/salt/signal/create.sls
@ -8,7 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 include:
  - .clone
-  - .firewall

 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
@ -52,6 +51,3 @@ features:
  - menu-items: "signal-desktop.desktop qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
-
-{% from 'utils/macros/sync-appmenus.sls' import sync_appmenus with context -%}
-{{ sync_appmenus('tpl-' ~ sls_path) }}
--- a/salt/signal/firewall.sls
+++ b/salt/signal/firewall.sls
@ -1,24 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-"{{ slsdotpath }}-firewall":
-  cmd.run:
-    - require:
-      - qvm: {{ slsdotpath }}
-    - name: |
-        qvm-check -q --running -- {{ slsdotpath }} && qvm-pause -- {{ slsdotpath }}
-        qvm-firewall -- {{ slsdotpath }} reset
-        qvm-firewall -- {{ slsdotpath }} del --rule-no 0
-        qvm-check -q --running -- {{ slsdotpath }} && qvm-unpause -- {{ slsdotpath }}
-        qvm-firewall -- {{ slsdotpath }} add accept signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept storage.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept chat.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept cdn.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept cdn2.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept sfu.voip.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept turn.voip.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept turn2.voip.signal.org
-        qvm-firewall -- {{ slsdotpath }} add accept turn3.voip.signal.org
--- a/salt/signal/firewall.top
+++ b/salt/signal/firewall.top
@ -1,10 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-base:
-  'dom0':
-    - match: nodegroup
-    - signal.firewall
--- a/salt/signal/init.top
+++ b/salt/signal/init.top
@ -8,7 +8,6 @@ base:
  'dom0':
    - match: nodegroup
    - signal.create
-    - signal.firewall
  'tpl-signal':
    - signal.install
  'signal':