Qubes sys-whonix does not do its job as Qubes FirewallVM
Open, NormalPublic
Actions

Assigned To

None

Authored By

	Patrick
	Jan 19 2016, 1:22 AM

Description

TODO:

make sys-whonix function as Qubes FirewallVM

~~Blocker:~~

~~Waiting for Qubes ticket Implement new firewall dom0->VM interface to be implemented.~~

Forum discussion:
https://forums.whonix.org/t/sys-whonix-does-not-yet-function-was-qubes-firewallvm

A sys-whonix currently does it's job as a ProxyVM, but not as a FirewallVM. It currently ignores QubesDB qubes-iptables entries.

Therefore, for example, any TemplateVM using sys-whonix as its NetVM does not block the TemplateVM from using the open (torified) internet. (T372) (That will be solved once set NetVM of TemplateVMs to none by default / make TemplateVMs non-networked by default gets implemented.)
Additional firewall rules in 'Firewall rules' tab are ignored.

Any suggestion on how to implement it without re-inventing qubes-core-agent-linux/network/qubes-firewall? Or refactoring the Qubes code so Whonix can just call the required portion of it?

mechanism to hide Qubes VM Manager 'Firewall rules' tab

Details

Impact: Normal

Related Objects

Mentioned In: T476: make sys-whonix function as Qubes FirewallVM
T372: Qubes-Whonix Whonix-Workstation TemplateVMs block access to (torified) open internet
Mentioned Here: T372: Qubes-Whonix Whonix-Workstation TemplateVMs block access to (torified) open internet

Event Timeline

Patrick created this task.Jan 19 2016, 1:22 AM

Patrick raised the priority of this task from to Normal.

Patrick updated the task description. (Show Details)

Patrick added projects: Qubes, Whonix 14, whonix-gw-firewall.

Patrick set Impact to Normal.

Patrick added subscribers: Patrick, marmarek, nrgaway and 2 others.

Herald added a project: Whonix. · View Herald TranscriptJan 19 2016, 1:22 AM

Herald added a subscriber: • WhonixQubes. · View Herald Transcript

Not sure if worth it. But if it does, lets finish Qubes firewall dom0->VM interface and Qubes Firewall - Add rules to QBS-prefixed chain first. It would be much easier to integrate qubes-firewall with some other firewall scripts.

Patrick updated the task description. (Show Details)Aug 15 2016, 10:37 PM

Patrick mentioned this in T372: Qubes-Whonix Whonix-Workstation TemplateVMs block access to (torified) open internet.

Patrick updated the task description. (Show Details)Aug 19 2016, 12:03 AM

Patrick mentioned this in T476: make sys-whonix function as Qubes FirewallVM .

In T466#8003, @marmarek wrote:

Related to: mechanism to hide Qubes VM Manager 'Firewall rules' tab

Not sure if worth it. But if it does, lets finish Qubes firewall dom0->VM interface and Qubes Firewall - Add rules to QBS-prefixed chain first. It would be much easier to integrate qubes-firewall with some other firewall scripts.

Just noticed Qubes firewall dom0->VM interface is done. Qubes Firewall - Add rules to QBS-prefixed chain not yet. I guess the latter will come soon?

So this feature could still make it into Whonix 14.

Actually the later is also done (slightly differently - see my comment there).
Default static firewall (blocking INPUT etc) still uses iptables, but it doesn't matter on Whonix, since it uses its own version. Dynamic part (qubes-firewall service) use nftables (when installed) and should not interfere with other firewall rules.

For tracking purposes... This still has to wait until Qubes 4.0 since
[Qubes firewall dom0->VM interface](Qubes firewall dom0->VM interface)
will come in Qubes 4.0?

Patrick added a project: iptables.Feb 5 2017, 2:34 PM

Patrick edited projects, added Whonix 15; removed Whonix 14.Mar 14 2017, 8:25 PM

Patrick removed a project: Whonix 15.Dec 7 2018, 11:04 AM

Patrick updated the task description. (Show Details)Feb 18 2019, 8:30 AM

Qubes sys-whonix does not do its job as Qubes FirewallVMOpen, NormalPublicActions

Description

Details

Related Objects

Event Timeline

Qubes sys-whonix does not do its job as Qubes FirewallVM
Open, NormalPublic
Actions