fix: remove broken Signal firewall rules

As NFTables converts domain names to IPs on the first query, it cannot be
relied on to provide a stable connection. Implementing a DNS proxy
configuration might still be difficult due to the use of CDNs.
This commit is contained in:
Ben Grande 2024-07-18 16:18:36 +02:00
parent e00ef4277c
commit 3b6901b5d2
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
5 changed files with 1 additions and 53 deletions


@ -40,17 +40,4 @@ sudo qubesctl state.apply signal.appmenus
You may use different Signal accounts for different identities, such as You may use different Signal accounts for different identities, such as
personal, work or pseudonym. Maintain the `signal` qube pristine and clone it personal, work or pseudonym. Maintain the `signal` qube pristine and clone it
to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`. If to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`.
you don't maintain the qube pristine, you will have to apply the firewall
rules manually.
Signal might loose connectivity due to [upstream rotating IP
addresses](https://support.signal.org/hc/en-us/articles/360007320291) with the
use of [CDNs to evade
blocking](https://signal.org/blog/looking-back-on-the-front/).
You will have to reapply the firewall rules eventually.
TODO: Is it worth using the firewall? If you allow all [cloudfront.net
IPs](https://ip-ranges.amazonaws.com/ip-ranges.json) for region "GLOBAL", what
is blocking an attacker from using that to host his malicious callback server?
Recently (2023-11-11) signal stopped working with the current firewall.


@ -8,7 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include: include:
- .clone - .clone
- .firewall
{% load_yaml as defaults -%} {% load_yaml as defaults -%}
name: tpl-{{ slsdotpath }} name: tpl-{{ slsdotpath }}
@ -52,6 +51,3 @@ features:
- menu-items: "signal-desktop.desktop qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop" - menu-items: "signal-desktop.desktop qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
{%- endload %} {%- endload %}
{{ load(defaults) }} {{ load(defaults) }}
{% from 'utils/macros/sync-appmenus.sls' import sync_appmenus with context -%}
{{ sync_appmenus('tpl-' ~ sls_path) }}
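Review bot: The second hunk also drops the `sync_appmenus` macro import and its call at the end of the file, which neither the commit title nor the description (both limited to the firewall rules) mention, so the removal reads as accidental. If the appmenu sync now happens in the separate `signal.appmenus` state that the README's usage line refers to, one sentence in the commit message saying so would settle it; otherwise the two lines should stay. Separately, with `- .firewall` gone from `include:` the created qube presumably falls back to the Qubes default firewall policy, and the README hunk only removes the old firewall caveats without telling the user that the qube is no longer restricted; a line such as `The qube is created without Signal-specific firewall rules; restrict it yourself if your threat model requires it.` next to the cloning advice would document the new posture.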


@ -1,24 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
"{{ slsdotpath }}-firewall":
cmd.run:
- require:
- qvm: {{ slsdotpath }}
- name: |
qvm-check -q --running -- {{ slsdotpath }} && qvm-pause -- {{ slsdotpath }}
qvm-firewall -- {{ slsdotpath }} reset
qvm-firewall -- {{ slsdotpath }} del --rule-no 0
qvm-check -q --running -- {{ slsdotpath }} && qvm-unpause -- {{ slsdotpath }}
qvm-firewall -- {{ slsdotpath }} add accept signal.org
qvm-firewall -- {{ slsdotpath }} add accept storage.signal.org
qvm-firewall -- {{ slsdotpath }} add accept chat.signal.org
qvm-firewall -- {{ slsdotpath }} add accept cdn.signal.org
qvm-firewall -- {{ slsdotpath }} add accept cdn2.signal.org
qvm-firewall -- {{ slsdotpath }} add accept sfu.voip.signal.org
qvm-firewall -- {{ slsdotpath }} add accept turn.voip.signal.org
qvm-firewall -- {{ slsdotpath }} add accept turn2.voip.signal.org
qvm-firewall -- {{ slsdotpath }} add accept turn3.voip.signal.org


@ -1,10 +0,0 @@
{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
#}
base:
'dom0':
- match: nodegroup
- signal.firewall


@ -8,7 +8,6 @@ base:
'dom0': 'dom0':
- match: nodegroup - match: nodegroup
- signal.create - signal.create
- signal.firewall
'tpl-signal': 'tpl-signal':
- signal.install - signal.install
'signal': 'signal':