On virsh... Whonix-External, Failed to apply firewall rules

markolind · May 28, 2020, 8:00pm

Following the guide:
( the main KVM guide on this domain, newbie, can’t yet post links )

all appears to have gone well, up to:
( that same main KVM guide on this domain )
#Importing_Whonix_.E2.84.A2_VM_Templates

More precisely, the first lines went fine:

virsh -c qemu:///system net-define Whonix_external_network-15.0.0.8.7.xml
virsh -c qemu:///system net-define Whonix_internal_network-15.0.0.8.7.xml
virsh -c qemu:///system net-autostart Whonix-External

But I get the following error at:

virsh -c qemu:///system net-start Whonix-External

error: Failed to start network Whonix-External
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.

In the /var/log/syslog, at the time that failing command is issued, I find:

2020-05-28T19:07:00.892332+00:00 thehost kernel: [11657.591323] virbr1: port 1(virbr1-nic) entered blocking state
2020-05-28T19:07:00.892362+00:00 thehost kernel: [11657.591326] virbr1: port 1(virbr1-nic) entered disabled state
2020-05-28T19:07:00.892366+00:00 thehost kernel: [11657.591586] device virbr1-nic entered promiscuous mode
2020-05-28T19:07:01.106297+00:00 thehost kernel: [11657.805192] device virbr1-nic left promiscuous mode
2020-05-28T19:07:01.106314+00:00 thehost kernel: [11657.805196] virbr1: port 1(virbr1-nic) entered disabled state

Of course, no virbr1 to be found:

# brctl show

bridge name     bridge id               STP enabled     interfaces
virbr0          8000.525400b0af6a       yes             virbr0-nic

That’s just the default libvirt’s virbr0.

Similarly, I couldn’t start:

virsh -c qemu:///system net-start Whonix-Internal

Same error, just 's/virbr1/virbr2' . Also for the logs, which are same, except for 's/virbr1/virbr2' and time is some 10 minutes later.

There are even scary suggestions what that might be:
(lnewbie, can’t yet post links, but it’s on experts-exchange commercial domain )

I sometimes do tcpdump’ing, however, at the exact time of the failing command above, I wasn’t capturing traffic. So…

What could this be? How should I proceed here towards a solution?

markolind · May 29, 2020, 6:29am

A mail server guy there posted that he had:

Apr 15 00:21:40 mail kernel: [383546.156569] device eth1 entered promiscuous mode
Apr 15 00:55:47 mail kernel: [385596.344128] device eth1 left promiscuous mode
Apr 15 13:21:55 mail kernel: [430436.382364] device eth1 entered promiscuous mode
Apr 15 13:26:27 mail kernel: [430709.031522] device eth1 left promiscuous mode

which is fairly similar to my issue. An expert there replied:

Typically the card enters promiscuous mode when a traffic sniffer (tcpdump, snort, etc…) is being used. It is almost impossible from the information we have to tell you exactly what is causing it.

It looks like the name of your server is “mail” which leads me to believe it is a mail server of some sort. There is no reason to have promiscuous mode for mail exchange.

I do not want to scare you, but this can also be a sign of some unwanted folks on your system. It wouldn’t be the first time I have seen a compromised system be used to “discover” what is around it.

That’s pretty much all to be available over Tor on that com domain.

It actually does look suspect to me.

In which case this would not be an issue directly related to Whonix, but rather a network intrusion issue.

In which case, still hope it’s not that bad scenario.

I’ll appreciate any opinion, suggestion, ideas here: how should I proceed to examine my network here, and the inability of libvirt to create virbr1 and virbr2 without those devices entering blocking state and then going promiscuos and then disabled.…

markolind · May 29, 2020, 6:33am

This is the sorce (can’t post links yet, so pls. do sed 's$_$/$g' on the below and add http s //: ,witout blanks, at start, to get the link):

www.experts-exchange.com_questions_28657027_What-is-promiscuous-mode-and-why-is-eth1-entering-it.html

Such as:

 echo www.experts-exchange.com_questions_28657027_What-is-promiscuous-mode-and-why-is-eth1-entering-it.html | sed  's$_$/$g'

and the start is the regular https and : and two slashes.

Again, maybe not at all a Whonix issue --what normal reason can there be for the virbr1 / virbr2 to cycle blocking / promiscuos / disabled states?-- but will appreciate opinion on this, and how to examine my system and in which way to test the network on this…

Thanks!

HulaHoop · June 2, 2020, 1:30pm

This error is related to a buggy libvirt version that has since been fixed. Either update to a newer version on your rolling distro or switch to one that is more stable.

https://www.redhat.com/archives/libvirt-users/2019-October/msg00024.html

markolind · July 14, 2020, 3:58pm

I replied to you yesterday, via email, i.e. the discourse should have taken it here. But it seem not to have got through, as I do not see it here.

Thanks! I’m looking into it!

HulaHoop · July 14, 2020, 8:24pm

Great. Let me know. I think the remailer is not responding anymore because I got a delivery failure also.

markolind · July 15, 2020, 6:11am

And I thought it was Tor having difficulty getting through.
BTW, I didn’t know you have V3 onion service, until I stumbled on it skimming through the mail from you…
And only once I opened
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/
did my TorBrowser start showing it to me on the right to the address bar… (which is a TorBrowser issue, I’d expect).

Still digressing, but back to the discourse issue. I also replied, two mails, to this topic:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/whonix-moving-from-github-to-gitlab/9676
And I’ll don’t see them there. I’ll try and see if I can manually post them, and if it might in debugging discourse, I can privately show you the mails, because I did get back replies from whonix.org:

Return-Path: discoursereplies+verp-8aff2237b185dbde4e9ec950b1c02d98@whonix.org

and

Return-Path: discoursereplies+verp-22c4426dea458a0669e49f438d175beb@whonix.org

HulaHoop · July 15, 2020, 1:02pm

Maybe. I’m running TBB stable and I see the “.onion available” in the address bar everytime I visit

cc/ @Patrick about the mailer

Patrick · July 16, 2020, 9:56am

For mailer please open a separate thread.

markolind · August 31, 2020, 9:23pm

I want to get back to the topic of firewall rules that failed to apply for Whonix.
I want to explain what I was trying to achieve, and why it couldn’t work.
As I wrote a while ago, in the other topic, which I hope will be tollerated (it’s a little outside the “website” forum section scope):
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/download-torbrowser-via-onion/10178
I now likely can install Whonix.

So why I couldn’t previously? I had, way before, found this:

Blocking all local outbound non-Tor traffic with iptables

which is instructions that truly use iptables in such way that nothing escapes from your machine, nor enters, other than Tor traffic, and only Tor traffic.

That page is worth saving, because there have been some developments within TorProject, such as moving away from hidden services for a few important services such as that wiki and bug tracker, and such as also the downloading of the very torbrowser. That, it appears to me, is not anymore possible via hidden service, but only via clearnet (see the first link above for that)… So that page might also might disappear…

And, for the lack of time to do the Whonix install the way I wish, with complete understanding, I kept, when I would find time, as I have other obligations, trying to install and run libvirt in such environment, where actually only Tor traffic is possible…

Sure, that can’t happen… Libvirt, necessary for the KVM-flavor of Whonix install, needs freedom on the OUTPUT of iptables. Libvirt can’t be made to work if the only allowed user that can use OUTPUT is debian-tor, or tbb-tor (pls. see the linked page on the Tor wiki that’s going away)…

Controling of my machine was easy with that iptables setup, the only attacks really were against the Tor network, not against my machine directly.

And now I wonder which way to tread to get me a good iptables setup for Libvirt, which will be safe enough, but which will also allow Libvirt sufficient freedom, for the Whonix to work.

That’s not a simple understanding that is needed, I bet you’ll agree.

I really only wanted to explan that.

Regards to all the readers, and esp. Whonix developers.

HulaHoop · September 1, 2020, 12:47pm

You are making things needlessly complicated and interfering with the normal vanilla install of libvirt. Revert these firewall rules and try installing Whonix again. We have plans to properly block all non-tor traffic on the upcoming Whonix Host.

markolind · September 1, 2020, 2:01pm

Thanks for looking this up.
But I know that it can’t work that way for Libvirt, actually I also wrote just that.
And I also wrote about having other obligations. And how I want to do it really right… And that means get a really good iptables setup for Whonix. Not easy, is it? So…

Because also, looking at the state of Tor deployment, esp. for readers unaware of this:
https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
which is actually a censored topic. And I can prove what I just wrote, to you @HulaHoop, or @tempest , or @Patrick, if you wish.
There were other replies to:
[tor-talk] >600 Tor relays without ContactInfo and similar properties
https://lists.torproject.org/pipermail/tor-talk/2020-August/045638.html
and some, I can prove that, are still waiting for moderator’s approval, for days and days.
Given that, given how Vanguards is still undeployed[*], although it’s the real cure for many attacks on Tor… Three hops suffices for anonimity? Given the nusenu’s findings… C’mon!

So I want to do it right, I don’t mind how long I will research it, before I do it, in the free time I can dedicate to Whonix… I want real anonimity/psudonimity.

Pls. also have a look at the other topic, that I’ll reply to you next, with some interesting finding, that you, and other advanced users can check.

[*] The remarkable Tor dev Mike Perry is not anymore on the TorProject’s people list… And probably not financed for Vanguards development…

Patrick · September 2, 2020, 9:31am

Certainly not easy to basically invent Whonix-Host.

markolind · September 2, 2020, 8:10pm

First, I apologize for the delay. Can only use the free time I have available.

I think I see what you mean.

This is my problem: I want to understand what I will be using, your baby, this Whonix. And it is very demanding.

I might have a laugh at myself in unclearly how distant future, when I finally install Whonix, who knows.

However, the browsing system with Tor (and Vanguards, which I use on Debian Tor, and on TorBrowser as well) with UID-based Iptables is very safe.

OTOH, the understanding of how Whonix Gateway does the netfiltering stuff is not within my easy grasp, given the complexity of Libvirt it installs in.

Pls. have patience with such a slow adopter that I am. Time will tell more, and maybe good stuff will be. I hope and I wish.

Thank you for you consideration.

Patrick · September 3, 2020, 9:18am

Blocks based on user debian-tor. That won’t work in case of using VMs. How to run Tor in a VM and then allow only that VM (or only Tor traffic) (really Tor, not user debian-tor) on the host is yet to be invented as per:
Whonix-Host KVM Firewall