
review /etc/xen/vif-route-qubes impact on Qubes-Whonix Firewall
Closed, ResolvedPublic

Details

Impact
High

Event Timeline

Patrick raised the priority of this task from to High.
Patrick updated the task description.
Patrick set Impact to High.
Patrick added subscribers: Patrick, marmarek, nrgaway.

Depending on what you mean by "interfere". In terms of the rules themselves, as
long as Whonix doesn't use the "raw" table (I guess it doesn't), it
shouldn't be a problem. But some race condition making either
iptables-restore call fail may be possible.
Theoretically iptables-restore is used instead of iptables exactly
to prevent such a problem
(https://github.com/QubesOS/qubes-issues/issues/42), but it isn't clear
to me that it is really effective. We have flock in vif-route-qubes
because of this uncertainty. Maybe iptables --wait would be a better
option - now it is available in Debian too (>=jessie). But according to
the iptables sources, I think iptables --wait could still race against
iptables-restore - the latter doesn't use any locking.

What is the Debian solution for such a problem (different programs/startup
scripts adding iptables rules simultaneously)? The Fedora way is to use
firewalld...
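As an added example of the flock pattern Marek describes, not the vif-route-qubes script itself: a /bin/sh helper that serialises rule loading under flock(1), plus a root-free demonstration that two loaders holding the lock never interleave. The lock path, the helper names and the demo loaders are assumptions.

```shell
#!/bin/sh
# Added example, not the vif-route-qubes script or the Whonix firewall code.
# It shows the flock(1) pattern the comment refers to: every script that
# touches the netfilter rule set takes the same exclusive lock before running
# iptables or iptables-restore, since iptables-restore takes no lock of its
# own and "iptables --wait" only coordinates with other iptables processes.
# Assumptions: the lock path, the helper names, util-linux flock on /bin/sh.

IPTABLES_LOCK="${IPTABLES_LOCK:-/run/lock/iptables-rules.lock}"   # assumed path

# Run a command with the rule-set lock held. -w 30 bounds the wait so a
# wedged peer cannot hang a hotplug script forever. flock exec()s the
# command, so a stdin redirection on the helper reaches the command.
with_iptables_lock() {
    flock -w 30 "$IPTABLES_LOCK" "$@"
}

# Load a ruleset file under the lock. --noflush keeps rules that other
# programs (such as the Whonix firewall) already installed in the same tables.
apply_rules_locked() {
    with_iptables_lock iptables-restore --noflush < "$1"
}

# Root-free demonstration of the guarantee: two "loaders" each write a
# begin/end pair while holding the lock. With the lock held the pairs can
# never interleave, the analogue of two rule loaders not colliding.
_loader() {   # $1 = loader name, $2 = log file
    with_iptables_lock sh -c 'echo "$1 begin" >> "$2"; sleep 1; echo "$1 end" >> "$2"' sh "$1" "$2"
}

demo_serialised() {   # prints the combined log of both loaders
    IPTABLES_LOCK=$(mktemp); export IPTABLES_LOCK
    log=$(mktemp)
    _loader A "$log" & _loader B "$log" &
    wait
    cat "$log"; rm -f "$log" "$IPTABLES_LOCK"
}

# Reads a log on stdin; exits 0 only if every begin is directly followed by
# its own end, i.e. the critical sections never overlapped.
check_no_interleave() {
    awk 'BEGIN { bad = 0 }
         NR % 2 == 1 { name = $1; if ($2 != "begin") bad = 1 }
         NR % 2 == 0 { if ($0 != name " end") bad = 1 }
         END { exit bad }'
}
```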

marmarek (Marek Marczykowski-Górecki):

> Depending on what you mean by "interfere".

I mean by "interfere" here:
"Somehow loading firewall rules inappropriate to Whonix that could in
worst case lead to leaks."

> as long as Whonix doesn't use the "raw" table (I guess it doesn't)

Whonix doesn't use the "raw" table indeed.

> What is the Debian solution for such a problem (different programs/startup
> scripts adding iptables rules simultaneously)?

Dunno if there is...

Asked on debian-users mailing list:
"Are there packages that modify iptables rules?"
https://lists.debian.org/debian-user/2015/11/msg00416.html

Answer for now:
fail2ban
miniupnpd

Asked a follow-up question on debian-users mailing list:
"How do packages that modify iptables rules prevent race conditions?"
https://lists.debian.org/debian-user/2015/11/msg00418.html

> Whonix doesn't use the "raw" table indeed.

So I think it is safe.

> Asked a follow-up question on debian-users mailing list:
> "How do packages that modify iptables rules prevent race conditions?"
> https://lists.debian.org/debian-user/2015/11/msg00418.html

But the answer to this question would be helpful for bugs like this:
https://github.com/QubesOS/qubes-issues/issues/1067
https://github.com/QubesOS/qubes-issues/issues/740

In T426#7104, @marmarek wrote:

> Asked a follow-up question on debian-users mailing list:
> "How do packages that modify iptables rules prevent race conditions?"
> https://lists.debian.org/debian-user/2015/11/msg00418.html
>
> But the answer to this question would be helpful for bugs like this:
> https://github.com/QubesOS/qubes-issues/issues/1067
> https://github.com/QubesOS/qubes-issues/issues/740

There have been some answers.

Patrick assigned this task to marmarek.

Thank you, Marek! Done. Closing.