dom0/core-firewall: firewall setting for qubes-yum-proxy (#568)

New setting for access to qubes-yum-proxy. The difference from other firewall setting (and reason for new top-level setting): 'deny' is enforced even if policy is set to 'allow'. This proxy service is mainly used to filter network traffic, so do not expose it to VMs which can connect to any host directly (eg 'untrusted' VM).
2012-05-31 02:50:05 +02:00 · 2012-05-31 02:50:05 +02:00 · 030584f026
commit 030584f026
parent edc3518ec9
1 changed files with 13 additions and 4 deletions
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@ -106,6 +106,9 @@ qubes_appmenu_create_cmd = "/usr/lib/qubes/create_apps_for_appvm.sh"
 qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh"
 qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh'
 yum_proxy_ip = '10.137.255.254'
 yum_proxy_port = '8082'
 class QubesException (Exception) : pass
 if not dry_run:
@ -400,7 +403,7 @@ class QubesVm(object):
                shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
                        % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
            self.write_firewall_conf({'allow': False, 'allowDns': False,
-                    'allowIcmp': False, 'rules': []})
+                    'allowIcmp': False, 'allowYumProxy': False, 'rules': []})
        else:
            new_netvm.connected_vms[self.qid]=self
@ -1167,7 +1170,8 @@ class QubesVm(object):
                "QubesFirwallRules",
                policy = "allow" if conf["allow"] else "deny",
                dns = "allow" if conf["allowDns"] else "deny",
-                icmp = "allow" if conf["allowIcmp"] else "deny"
+                icmp = "allow" if conf["allowIcmp"] else "deny",
                yumProxy = "allow" if conf["allowYumProxy"] else "deny"
        )
        for rule in conf["rules"]:
@ -1213,7 +1217,7 @@ class QubesVm(object):
        return os.path.exists (self.firewall_conf)
    def get_firewall_conf(self):
-        conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
+        conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
        try:
            tree = xml.etree.ElementTree.parse(self.firewall_conf)
@ -1222,6 +1226,7 @@ class QubesVm(object):
            conf["allow"] = (root.get("policy") == "allow")
            conf["allowDns"] = (root.get("dns") == "allow")
            conf["allowIcmp"] = (root.get("icmp") == "allow")
            conf["allowYumProxy"] = (root.get("yumProxy") == "allow")
            for element in root:
                rule = {}
@ -1969,7 +1974,7 @@ class QubesProxyVm(QubesNetVm):
            if vm.has_firewall():
                conf = vm.get_firewall_conf()
            else:
-                conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
+                conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
            xid = vm.get_xid()
            if xid < 0: # VM not active ATM
@ -2012,6 +2017,10 @@ class QubesProxyVm(QubesNetVm):
                iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
            if conf["allowIcmp"]:
                iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
            if conf["allowYumProxy"]:
                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
            else:
                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
            iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
            iptables += "COMMIT\n"