dom0/core-firewall: firewall setting for qubes-yum-proxy (#568)
New setting for access to qubes-yum-proxy. The difference from the other firewall settings (and the reason for a new top-level setting): 'deny' is enforced even if the policy is set to 'allow'. This proxy service is mainly used to filter network traffic, so do not expose it to VMs which can connect to any host directly (e.g. the 'untrusted' VM).
This commit is contained in:
parent
edc3518ec9
commit
030584f026
@ -106,6 +106,9 @@ qubes_appmenu_create_cmd = "/usr/lib/qubes/create_apps_for_appvm.sh"
|
|||||||
qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh"
|
qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh"
|
||||||
qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh'
|
qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh'
|
||||||
|
|
||||||
|
yum_proxy_ip = '10.137.255.254'
|
||||||
|
yum_proxy_port = '8082'
|
||||||
|
|
||||||
class QubesException (Exception) : pass
|
class QubesException (Exception) : pass
|
||||||
|
|
||||||
if not dry_run:
|
if not dry_run:
|
||||||
@ -400,7 +403,7 @@ class QubesVm(object):
|
|||||||
shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
|
shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
|
||||||
% (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
|
% (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
|
||||||
self.write_firewall_conf({'allow': False, 'allowDns': False,
|
self.write_firewall_conf({'allow': False, 'allowDns': False,
|
||||||
'allowIcmp': False, 'rules': []})
|
'allowIcmp': False, 'allowYumProxy': False, 'rules': []})
|
||||||
else:
|
else:
|
||||||
new_netvm.connected_vms[self.qid]=self
|
new_netvm.connected_vms[self.qid]=self
|
||||||
|
|
||||||
@ -1167,7 +1170,8 @@ class QubesVm(object):
|
|||||||
"QubesFirwallRules",
|
"QubesFirwallRules",
|
||||||
policy = "allow" if conf["allow"] else "deny",
|
policy = "allow" if conf["allow"] else "deny",
|
||||||
dns = "allow" if conf["allowDns"] else "deny",
|
dns = "allow" if conf["allowDns"] else "deny",
|
||||||
icmp = "allow" if conf["allowIcmp"] else "deny"
|
icmp = "allow" if conf["allowIcmp"] else "deny",
|
||||||
|
yumProxy = "allow" if conf["allowYumProxy"] else "deny"
|
||||||
)
|
)
|
||||||
|
|
||||||
for rule in conf["rules"]:
|
for rule in conf["rules"]:
|
||||||
@ -1213,7 +1217,7 @@ class QubesVm(object):
|
|||||||
return os.path.exists (self.firewall_conf)
|
return os.path.exists (self.firewall_conf)
|
||||||
|
|
||||||
def get_firewall_conf(self):
|
def get_firewall_conf(self):
|
||||||
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
|
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
|
||||||
|
|
||||||
try:
|
try:
|
||||||
tree = xml.etree.ElementTree.parse(self.firewall_conf)
|
tree = xml.etree.ElementTree.parse(self.firewall_conf)
|
||||||
@ -1222,6 +1226,7 @@ class QubesVm(object):
|
|||||||
conf["allow"] = (root.get("policy") == "allow")
|
conf["allow"] = (root.get("policy") == "allow")
|
||||||
conf["allowDns"] = (root.get("dns") == "allow")
|
conf["allowDns"] = (root.get("dns") == "allow")
|
||||||
conf["allowIcmp"] = (root.get("icmp") == "allow")
|
conf["allowIcmp"] = (root.get("icmp") == "allow")
|
||||||
|
conf["allowYumProxy"] = (root.get("yumProxy") == "allow")
|
||||||
|
|
||||||
for element in root:
|
for element in root:
|
||||||
rule = {}
|
rule = {}
|
||||||
@ -1969,7 +1974,7 @@ class QubesProxyVm(QubesNetVm):
|
|||||||
if vm.has_firewall():
|
if vm.has_firewall():
|
||||||
conf = vm.get_firewall_conf()
|
conf = vm.get_firewall_conf()
|
||||||
else:
|
else:
|
||||||
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
|
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
|
||||||
|
|
||||||
xid = vm.get_xid()
|
xid = vm.get_xid()
|
||||||
if xid < 0: # VM not active ATM
|
if xid < 0: # VM not active ATM
|
||||||
@ -2012,6 +2017,10 @@ class QubesProxyVm(QubesNetVm):
|
|||||||
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
|
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
|
||||||
if conf["allowIcmp"]:
|
if conf["allowIcmp"]:
|
||||||
iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
|
iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
|
||||||
|
if conf["allowYumProxy"]:
|
||||||
|
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
||||||
|
else:
|
||||||
|
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
||||||
|
|
||||||
iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
|
iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
|
||||||
iptables += "COMMIT\n"
|
iptables += "COMMIT\n"
|
||||||
|
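Review bot: `yumProxy = "allow" if conf["allowYumProxy"] else "deny"` in write_firewall_conf raises KeyError for any caller that still builds the conf dict itself without the new key, so existing tooling that writes firewall settings breaks; reading it as `conf.get("allowYumProxy", False)` keeps the same fail-closed default that the new get_firewall_conf line and the fallback dict in the QubesProxyVm hunk already use. In the iptables hunk the proxy ACCEPT/DROP pair is appended just before the default_action rule, so the DROP only takes precedence over rules emitted after it; if the per-address entries from conf["rules"] are emitted earlier in this function (outside the hunk), a user rule matching the proxy address would ACCEPT first and the "deny even when policy is allow" guarantee in the commit message would not hold — emitting the DROP before that loop would make the guarantee unconditional. Whether proxy traffic traverses FORWARD at all depends on how the proxy address is exposed on this VM, which is not visible here; confirm the chain against the proxy redirection setup before relying on the rule. The enclosing functions start and end outside the hunks.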