
prevent running /usr/lib/qubes/qubes-setup-dnat-to-ns in Qubes-Whonix to stop it from modifying firewall rules
Closed, Resolved, Public

Description

Why?
Prevent it from modifying Whonix firewall rules.

How is it started at the moment?
/usr/lib/qubes/qubes-setup-dnat-to-ns is started in two ways.

1) qubes-network.service -> /usr/lib/qubes/init/network-proxy-setup.sh -> /usr/lib/qubes/qubes-setup-dnat-to-ns
No problem. qubes-whonix-network.service replaces qubes-network.service through a systemd alias.

2) qubes-misc-post.service -> /usr/lib/qubes/init/misc-post.sh -> /usr/lib/qubes/setup-ip -> /usr/lib/qubes/qubes-setup-dnat-to-ns

Spotted how?
While experimenting with blacklisting conntrack (T468), qubes-misc-post.service blocked forever, which prevented qrexec from starting. We probably should add systemd timeouts to the systemd units (?). 'iptables-restore -n' did permanently fail to obtain a lock.

Solution
The easiest would be to config-package-dev displace /usr/lib/qubes/qubes-setup-dnat-to-ns with a dummy script in the qubes-whonix package. Does that sound good or is there a better solution?
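The description's goal is that qubes-setup-dnat-to-ns must not touch the Whonix firewall rules. A practical way to confirm that on a gateway after boot is to look at the nat table for DNAT rules that redirect DNS (port 53). The script below is an added example, not part of this task or of the qubes-whonix package; the chain name PR-QBS, the addresses and the rule layout in the constructed sample are assumptions modelled on iptables-save output, not copied from Qubes.

```shell
#!/bin/sh
# Added example (not from the task or the qubes-whonix package): detect
# DNAT rules for DNS in the nat table, so a gateway can verify that no
# dnat-to-ns script modified its firewall.

# Count rules that DNAT port-53 traffic. Reads iptables-save output on stdin.
count_dns_dnat() {
    grep -E '^-A .* --dport 53 .*-j DNAT' | wc -l | tr -d ' '
}

# Report on a nat-table dump passed as the first argument.
# Returns 0 when clean, 1 when DNS DNAT rules are present.
check_nat_table() {
    n=$(printf '%s\n' "$1" | count_dns_dnat)
    if [ "$n" -eq 0 ]; then
        echo "OK: no DNAT rules for DNS in nat table"
        return 0
    fi
    echo "WARNING: $n DNAT rule(s) for DNS present in nat table"
    return 1
}

# Constructed sample: a nat table after a DNS DNAT script ran.
# Chain name and addresses are assumptions, not taken from Qubes.
SAMPLE_TAMPERED='*nat
:PREROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.0.10
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.0.10
COMMIT'

# Constructed sample: a nat table that was left alone.
SAMPLE_CLEAN='*nat
:PREROUTING ACCEPT [0:0]
COMMIT'

# Stand-alone demonstration on the constructed samples.
# On a real gateway, feed it live data instead:
#   sudo iptables-save -t nat | count_dns_dnat
check_nat_table "$SAMPLE_CLEAN"
check_nat_table "$SAMPLE_TAMPERED" || true
```

The grep pattern only matches rules whose action is DNAT and whose destination port is 53, so ordinary filter rules and the Whonix redirection of DNS to Tor via REDIRECT are not counted; if the dnat-to-ns script is still running on the gateway, the count will be non-zero after boot.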

Details

Impact
Normal

Event Timeline

Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now. It may not be required in Qubes 4.0, as we will simplify network layout. I think we'll manage to get rid of DNAT for DNS in ProxyVMs.

> 'iptables-restore -n' did permanently fail to obtain a lock

How is that possible? Isn't it an iptables-restore bug?

In T502#8900, @marmarek wrote:

> Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now.

Will do.

>> 'iptables-restore -n' did permanently fail to obtain a lock

> How is that possible? Isn't it an iptables-restore bug?

Also iptables --wait -t nat -F can never obtain a lock. I am no longer sure disabling the conntrack module is a sane idea. Even iptables --list causes the module to load. I saw a suggestion of disabling protocol-specific parsers but not blacklisting the whole module. Perhaps the kernel is not well tested with such modules blacklisted.

Patrick claimed this task.