From 030584f026ad316f591c5a739c8d4bf427f96495 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Thu, 31 May 2012 02:50:05 +0200
Subject: [PATCH] dom0/core-firewall: firewall setting for qubes-yum-proxy (#568)

New setting for access to qubes-yum-proxy. The difference from other firewall setting (and reason for new top-level setting): 'deny' is enforced even if policy is set to 'allow'. This proxy service is mainly used to filter network traffic, so do not expose it to VMs which can connect to any host directly (eg 'untrusted' VM).
---
 dom0/qvm-core/qubes.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index e7222140..b06f107a 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -106,6 +106,9 @@ qubes_appmenu_create_cmd = "/usr/lib/qubes/create_apps_for_appvm.sh"
 qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh"
 qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh'
 
+yum_proxy_ip = '10.137.255.254'
+yum_proxy_port = '8082'
+
 class QubesException (Exception) : pass
 
 if not dry_run:
@@ -400,7 +403,7 @@ class QubesVm(object):
                 shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml" % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
 
                 self.write_firewall_conf({'allow': False, 'allowDns': False,
-                    'allowIcmp': False, 'rules': []})
+                    'allowIcmp': False, 'allowYumProxy': False, 'rules': []})
         else:
             new_netvm.connected_vms[self.qid]=self
 
@@ -1167,7 +1170,8 @@ class QubesVm(object):
                 "QubesFirwallRules",
                 policy = "allow" if conf["allow"] else "deny",
                 dns = "allow" if conf["allowDns"] else "deny",
-                icmp = "allow" if conf["allowIcmp"] else "deny"
+                icmp = "allow" if conf["allowIcmp"] else "deny",
+                yumProxy = "allow" if conf["allowYumProxy"] else "deny"
         )
 
         for rule in conf["rules"]:
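Review bot: The new module constants `yum_proxy_ip` and `yum_proxy_port` carry no comment saying what they are or who consumes them, and they are the only place the proxy address is pinned, so a reader of the firewall code in QubesProxyVm has to search for them. I would add above them `# qubes-yum-proxy endpoint as seen from VMs; QubesProxyVm emits an explicit per-VM ACCEPT/DROP FORWARD rule for it (see the allowYumProxy firewall key)`. Keeping the port as a string is fine here since it is only ever interpolated into an iptables line, but a short note to that effect would stop someone "fixing" it to an int.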
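Review bot: In the third hunk `conf["allowYumProxy"]` is read unconditionally, so any caller that still builds the conf dict by hand without the new key (the commit updates only the two literals in this file; external tools that write firewall rules through this method would not be covered) now fails with KeyError instead of writing the file. Since the read side in get_firewall_conf already defaults the key to False, the writer should fail closed the same way: `yumProxy = "allow" if conf.get("allowYumProxy", False) else "deny"`. The enclosing method begins outside the hunk, so I could not confirm whether it validates the dict earlier.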
@@ -1213,7 +1217,7 @@ class QubesVm(object):
         return os.path.exists (self.firewall_conf)
 
     def get_firewall_conf(self):
-        conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
+        conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
 
         try:
             tree = xml.etree.ElementTree.parse(self.firewall_conf)
@@ -1222,6 +1226,7 @@ class QubesVm(object):
             conf["allow"] = (root.get("policy") == "allow")
             conf["allowDns"] = (root.get("dns") == "allow")
             conf["allowIcmp"] = (root.get("icmp") == "allow")
+            conf["allowYumProxy"] = (root.get("yumProxy") == "allow")
 
             for element in root:
                 rule = {}
@@ -1969,7 +1974,7 @@ class QubesProxyVm(QubesNetVm):
             if vm.has_firewall():
                 conf = vm.get_firewall_conf()
             else:
-                conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
+                conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
 
             xid = vm.get_xid()
             if xid < 0: # VM not active ATM
@@ -2012,6 +2017,10 @@ class QubesProxyVm(QubesNetVm):
                 iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
             if conf["allowIcmp"]:
                 iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
+            if conf["allowYumProxy"]:
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
+            else:
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
 
             iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
             iptables += "COMMIT\n"
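Review bot: The default firewall conf literal is now copied in two places with the same five keys — the `get_firewall_conf` hunk here and the `QubesProxyVm` hunk at -1969 — so the next key added (as this commit had to do) must again be patched in both, and a miss in the proxy-side copy would silently hand that VM a conf with the key absent. A single module-level default copied at both sites, e.g. `conf = dict(firewall_conf_defaults); conf["rules"] = []` (the `rules` list must stay per-copy so callers do not share one mutable list), keeps the fail-closed `allowYumProxy: False` default in one place. The name is a suggestion; the file has no such constant today.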
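Review bot: The yum-proxy DROP in the last hunk sits just before the `-j {default_action}` line, so it only overrides the `allow` policy; it does not override rules emitted earlier in the same chain for this `ip`. The per-rule ACCEPT lines generated from `conf["rules"]` are emitted above the DNS line (outside the hunk), and if that is the case a user rule matching `yum_proxy_ip` on `yum_proxy_port` (or any-host rule on that port) is matched first and the unconditional deny promised in the commit message is not enforced. Emitting the four `allowYumProxy` lines before the loop over `conf["rules"]`, so the proxy ACCEPT/DROP is the first FORWARD rule for `ip`, would make the deny independent of user rules; the rule being TCP-only is consistent with the proxy. The enclosing method starts outside the hunk, so the rule ordering above should be confirmed there.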