Page MenuHomePhabricator
Feed Advanced Search

Feb 23 2018

Patrick closed T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log) as Resolved.
Feb 23 2018, 2:41 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Feb 4 2018

Patrick added a project to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log): Whonix 14.
Feb 4 2018, 4:11 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Oct 1 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Also with 64bit compatibility this means the repo paths have changed.

Oct 1 2016, 5:31 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Yes it can stay as it is.

Oct 1 2016, 5:10 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 30 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

That's great! So https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix can stay as is?

Sep 30 2016, 11:24 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Great news! This config works without hacks. You can keep 10.0.2.15 unchanged too. Turns out the gateway ip address was just called "ip address"...

Sep 30 2016, 9:36 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

No idea. But we should probably stay on the subnet we have.

Sep 30 2016, 5:05 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

OK I will try route but I need some help with commands.

Sep 30 2016, 4:58 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Seems like an awful hack. Last resort. If it somehow by some update (by ifupdown) is run after ifupdown, it breaks connectivity.

Sep 30 2016, 3:24 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

We're using ConditionVirtualization=kvm elsewhere already.(shared-folder-help systemd unit file) Should be doable to reuse it for the route command also.

Sep 30 2016, 5:19 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 29 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

We're using ConditionVirtualization=kvm elsewhere already.
(shared-folder-help systemd unit file) Should be doable to reuse it for
the route command also.

Sep 29 2016, 11:03 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Can you redirect these packages using route? (Try in a Debian VM first to exclude Whonix firewall from interfering.)

Sep 29 2016, 10:41 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Can you redirect these packages using route? (Try in a Debian VM first to exclude Whonix firewall from interfering.)

Sep 29 2016, 7:33 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

A very ugly hack:

Sep 29 2016, 3:20 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Then we have reached an impasse because nothing I can put in the network configuration can change the gateway IP. Its not KVM's fault as its the norm to have gateway IPs of x.x.x.1 for a given subnet. Because some idiot on the VBox team chose .2 compatibility is impossible.

Sep 29 2016, 2:42 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

address 10.0.2.128
netmask 255.255.255.0

Sep 29 2016, 5:17 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).
address 10.0.2.128
netmask 255.255.255.0
gateway 10.0.2.1
Sep 29 2016, 3:10 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Looks like libvirt supports a gateway= keyword. Does that work?

Sep 29 2016, 2:50 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Looks like libvirt supports a gateway= keyword. Does that work?

Sep 29 2016, 2:31 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

address 10.0.2.15
netmask 255.255.252.0

Sep 29 2016, 2:28 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Various documentation changes:

Sep 29 2016, 1:45 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

These steps were not needed at all. Once I selected non-conflicting settings everything worked. Some changes to the netmask and gateway will need to be made to interfaces.d

Sep 29 2016, 1:42 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 28 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

I doubt it is possible to successfully use a dhcp client with raw sockets disabled. It may be possible to develop such a thing in theory, but I don't think it exists.

Sep 28 2016, 7:03 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

What I meant was subnet range using the CIDR calculator:

Sep 28 2016, 6:44 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Same as VirtualBox.

Sep 28 2016, 5:10 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

My mistake I was not clear. By network configuration I mean yet another XML to create a new separate network as an alternative to "default" (like how I do it now with whonix internal network for KVM). It has nothing to do with GW files at all. No changes have to be made there.

Sep 28 2016, 3:58 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

192... will be a huge generator of FUD "conflicts with my router". Long time ago we moved away from that exactly for that reason.

Sep 28 2016, 12:19 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 27 2016

HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

So can we move to something static in the 192.168.122.2 - 192.168.122.254 range (depends on VBox choking or not) or should I include another network file with the whonix-libvirt package?

Sep 27 2016, 5:59 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).
By working you mean in multi-GW usecase too?
Sep 27 2016, 4:28 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Can you emulate these changes, use that static IP?

Sep 27 2016, 5:29 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Can you emulate these changes, use that static IP? What will need changes? KVM documentation?

Sep 27 2016, 1:21 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

With libvirt a user can create another NAT network besides the default - with the same IP range. So another GW would have its own dedicated NAT without conflicts.

Sep 27 2016, 12:57 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 26 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Switched to static network configuration.

Sep 26 2016, 8:52 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added projects to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log): VirtualBox, KVM, Physical Isolation.
Sep 26 2016, 8:41 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a project to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log): whonix-gw-network-conf.
Sep 26 2016, 8:41 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 25 2016

HulaHoop renamed T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log) from Removing DHCPClient from GW (was: Netstat Gateway log) to Securing/Removing DHCPClient from GW (was: Netstat Gateway log).
Sep 25 2016, 2:21 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

To check if this measure works show all raw sockets on system:

Sep 25 2016, 2:19 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop renamed T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log) from Netstat Gateway log to Removing DHCPClient from GW (was: Netstat Gateway log).
Sep 25 2016, 6:43 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Confirmed. You are right that it uses raw sockets which do bypass iptables. For the record Shellshock directly affected dhcpclient. I think something this dangerous should be ripped out then questions asked later if it doesn't completely break things.

Sep 25 2016, 6:42 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Do you know what happens if no clients listed in ifupdown are installed?

Sep 25 2016, 5:53 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

The way it is called influences our options to replace it.

Sep 25 2016, 4:11 AM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 24 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

A question I thought that @HulaHoop asked. (Because I confused myself in T239#10445.)

Sep 24 2016, 3:33 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix

Sep 23 2016

Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).
Sep 23 2016, 8:20 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Even a functional /etc/resolv.conf on Whonix-Gateway would not be scary. As long as there is no local Tor DnsPort, it wont work.

Sep 23 2016, 8:19 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
HulaHoop added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Perhaps its not a problem:

Sep 23 2016, 7:51 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick added a comment to T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log).

Tor port 5300 is easily answered. It's Tor's DnsPort.

Sep 23 2016, 5:38 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick edited projects for T559: Securing/Removing DHCPClient from GW (was: Netstat Gateway log), added: anon-gw-dhcp-conf; removed whonix-gw-network-conf.
Sep 23 2016, 5:13 PM · Whonix 14, Physical Isolation, KVM, VirtualBox, whonix-gw-network-conf, anon-gw-dhcp-conf, research, Whonix
Patrick created anon-gw-dhcp-conf.
Sep 23 2016, 5:12 PM