Corridor Setup Question

whonix8573 · October 15, 2024, 7:34am

I was reading about corridor and am wondering if this is still useful (corridor wiki is old). IMO you can do the same thing with the qubes firewall cli and the setup below (assuming you are using obfs4 bridges):

sys-net → sys-firewall → sys-whonix

qvm-firewall sys-firewall del --rule-no 0
qvm-firewall sys-firewall add drop
qvm-firewall sys-firewall add --before 0 drop proto=icmp
qvm-firewall sys-firewall add --before 0 drop specialtarget=dns
qvm-firewall sys-firewall add --before 0 accept IP_ADDRESS_BRIDGE_1
qvm-firewall sys-firewall add --before 0 accept IP_ADDRESS_BRIDGE_2
qvm-firewall sys-firewall list

I tested this solution and works fine. Tor control panel is stuck at 5% using entry guards (connection failed) and back to 100% using the whitelisted bridges. Is this setup ok?

Patrick · October 15, 2024, 9:47am

What does this do?

Why is this needed?

See also:

whonix8573 · October 15, 2024, 11:00am

It deletes default rule 0 to accept all traffic (assuming is a new firewall VM with no additional firewall rules configured)

Probably not needed, but since corridor is a fail-safe to protect against potential leaks, better safe than sorry (when I used sys-vpn I configured the firewall the same way). By default, qubes firewall doesn’t block DNS or ICMP traffic.

I think this setup is easier than enabling Qubes Firewall Tab for Qubes-Whonix (it is Advanced users only and does not survive upgrade of the qubes-whonix package)

Patrick · October 15, 2024, 12:21pm

This is unrelated here. Actually will survive update because that was fixed in git.

Where did you read that this is required?

Shouldn’t it be either corridor or Qubes firewall? Because 1 replaces to other.

Do you mean blocking DNS / ICMP to the white listed address?

Or white listed address but DNS / ICMP would still be generally allowed?

whonix8573 · October 15, 2024, 2:08pm

It is considered by many to be best practice to delete all firewall rules before writing new rules (same way in Debian you do “ufw --force reset”). Not required, but helpful.

Yes, only one (see above). I named the VM sys-firewall but you can name it whatever you want (e.g., sys-whonix-firewall). The thing is to put a firewall VM (clone or create a new one) before sys-whonix and configure the above firewall rules in that firewall VM.

I understand corridor was designed to protect against potential leaks in Whonix workstation. This includes Ping and DNS leaks. To replace Corridor with another Firewall VM you cannot use the QVMM Firewall Tab Settings to configure rules (as recommended in the above linked wiki) you will not be protected, you must use the qubes firewall cli, otherwise DNS / ICMP would still be generally allowed.

Hope it is clear now. Any thoughts?

Patrick · October 16, 2024, 6:41am

I guess the advantage of corridor is that is makes violations known in logs while using Qubes firewall simply blocks it if it ever was to happen.

I would be careful about this in context of Qubes. → Verify Changed Firewall Rules

If this is really useful, that seems at least like a usability issue. Please check that this has been reported anywhere and if not I suggest a to write a report to make sure you’re on the right track here.

Ok. So no corridor involved here.

How about blocking all UDP?

What about IPv6?

related: add IPv6 support

whonix8573 · October 16, 2024, 2:59pm

This rule has been reported here and confirmed by unman “These are good”. OP also turns on the disable-dns-server service (qvm-service sys-firewall-VM disable-dns-server on).

https://groups.google.com/g/qubes-users/c/BVEHpukTjzk

All traffic should be blocked with the above firewall rules. If ipv6 is a concern just type this: qvm-features sys-firewall-VM ipv6 “”

github.com/QubesOS/qubes-issues

Changing firewall rules does not block already-established connections

opened 11:27PM - 24 Jul 18 UTC

t4777sd

T: enhancement help wanted C: manager/widget ux P: default

I know this is going to sound crazy, but I have tested it on various VMs with fr…eshly installed templates provided from Qubes with freshly cloned AppVMs and it is reproducible. ### Qubes OS version: 4.0 ### Affected component(s): sys-firewall I assume ### Steps to reproduce the behavior: 1. Download / install default fedora28 templates via the qubes-update command 2. Assign sys-net, sys-firewall, and an appVM to the freshly installed fedora28 template 3. In the AppVM: open up firefox and browse the web. Open the browser to reddit.com, and it will be working. Keep reddit.com open 4. In the AppVM Qubes Configure: go to Firewall tab and click "Limit outgoing connects to ..." and Apply 5. Continue browser reddit.com. **You will observe that reddit.com still is browsable** 6. Open up a new Tab and go to another domain such as ford.com or whatever. **This request will be blocked** 7. Open the terminal in the AppVM. Type ping reddit.com and **addresses can still ping** 8. Go back to Qubes firewall config and configure it to allow otugoing connections 9. Reload the previously blocked ford.com and it will work now ### Expected behavior: All internet should be cut from the VM. That includes previously connected IP addresses, future connected IP addresses, and different internet protocols ### Actual behavior: Previously connected IPs not blocked. Only HTTP/HTTPS traffic to new IPs is blocked.

github.com/QubesOS/qubes-issues

Firewall restrictions through GUI don't affect ping

opened 04:21PM - 26 Jan 24 UTC

emanruse

T: bug C: manager/widget C: doc ux P: default needs diagnosis C: networking affects-4.1 affects-4.2

### Qubes OS release 4.1.x 4.2 ### Brief summary Restricting the n…etwork connectivity of a qube through the Firewall tab in qube's GUI settings does not restrict `ping` - one can ping any host from the qube. Restrict default ping to selected hosts if "Limit outgoing connections" is active. Make it user configurable through the GUI. ### Steps to reproduce 1. For some qube, open Firewall rules tab in the Settings GUI 2. Click the "+" button to add a new rule 3. Set Address = example.com Protocol = Any Port/Service - leave it as is (i.e. Any) 4. Start a terminal in the qube and run: ``` ping example.com ping fsf.org ``` ### Expected behavior Only ping to example.com should be possible. (because Protocol = any, Port/Service = any) ### Actual behavior It is possible to ping any host.

But I would like feedback on the above setup. Is anything else needed to block DNS leaks (i.e: disable-dns-server, or any other rule)?

Patrick · October 17, 2024, 7:52am

2021, old version of Qubes, still using iptables instead of nftables, not specifically talking about qvm-firewall sys-firewall del --rule-no 0. → Not a strong enough source.

What kind of ports are required by Whonix is documented here:

Other than that, this is primarily a Qubes specific question. Whonix doesn’t influence the Net qube (firewall VM) it is connected to. No VM does. If it would, that would be a Qubes design bug.

The question is:

How to restrict connections of a VM to specific IPs only in Qubes?

Best to resolve as per Self Support First Policy for Whonix.