Qubes sys-whonix does not do its job as Qubes FirewallVM

Continuing the discussion from Whonix with firewall rules?:

I don’t think we have tickets / release targets for that already. This is what we have for now.

sys-whonix as Qubes FirewallVM:
https://www.whonix.org/wiki/Dev/Qubes#sys-whonix_as_Qubes_FirewallVM

At 32c3 we’ve discussed moving to an qrexec based updates proxy also. I haven’t found a ticket for this yet, but all of the above influences when and how this should be fixed.

What’s your opinion, when and how this should be implemented? Any [other] tickets the block/influence this? @marmarek

Just to clarify, are you asking for my opinion or @marmarek’s? (I want to know @marmarek’s opinion too. )

Sorry. I am interested in any option. Just highlighting @marmarek so he is getting e-mail notifications as Marek may not have the whole Whonix forums subscribed since its generating lots of traffic. And because I am not sure anymore we discussed this at 32c3 and what we concluded.

Regarding firewall, the discussion outcome is here: Implement new firewall dom0->VM interface · Issue #1815 · QubesOS/qubes-issues · GitHub (actually message linked from there). The idea is to:

1. have updates proxy running over qrexec instead of TCP/IP, so template will not have its own netvm at all
2. ease integration of “qubes firewall rules” with other firewalls (like Whonix one)

So, those are two (related) things: default rules for the template, not enforced by Whonix (will be solved by “1”), and AppVM firewall rules generally when Whonix gateway is in use (“2” will ease solving it, but itself will not be enough).

• make sys-whonix function as Qubes FirewallVM

Information

ID: 476
PHID: PHID-TASK-eyd3k7irulhscifbq5hb
Author: Patrick
Status at Migration Time: invalid
Priority at Migration Time: Normal

Description

TODO:

make sys-whonix function as Qubes FirewallVM

Blocker:

Waiting for Qubes ticket Implement new firewall dom0->VM interface to be implemented.

Forum discussion:
https://forums.whonix.org/t/sys-whonix-does-not-yet-function-was-qubes-firewallvm

Comments

Patrick

2016-08-19 00:04:05 UTC

Information

ID: 466
PHID: PHID-TASK-gak2fvp3cfkuw6uwj2o3
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

TODO: make sys-whonix function as Qubes FirewallVM

Blocker:

Waiting for Qubes ticket Implement new firewall dom0->VM interface to be implemented.

Forum discussion:
https://forums.whonix.org/t/sys-whonix-does-not-yet-function-was-qubes-firewallvm (merged into this topic)

A sys-whonix currently does it’s job as a ProxyVM, but not as a FirewallVM. It currently ignores QubesDB qubes-iptables entries.

• Therefore, for example, any TemplateVM using sys-whonix as its NetVM does not block the TemplateVM from using the open (torified) internet. (T372) (That will be solved once set NetVM of TemplateVMs to none by default / make TemplateVMs non-networked by default gets implemented.)
• Additional firewall rules in 'Firewall rules’ tab are ignored.

Any suggestion on how to implement it without re-inventing qubes-core-agent-linux/network/qubes-firewall? Or refactoring the Qubes code so Whonix can just call the required portion of it?

Related:

• mechanism to hide Qubes VM Manager ‘Firewall rules’ tab

Comments

marmarek

2016-01-19 02:07:51 UTC

Patrick

2016-10-05 21:38:57 UTC

marmarek

2016-10-05 23:18:29 UTC

Patrick

2016-10-08 17:22:13 UTC

Related:

• Email-vm via sys-whonix but with fw rules - User Support - Qubes OS Forum

Since port to nftables as a replacement for iptables was completed, this ticket can now make progress. I plan to work on this one and will post updates here.

Documented the current state in the wiki:
https://www.whonix.org/wiki/Qubes/Firewall