From d4e80e79842f99e4fb7b2197664d917f6772c162 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Wed, 6 Apr 2011 10:32:20 +0200
Subject: [PATCH 1/2] Deny inter-VM traffic in ProxyVM
---
 dom0/qvm-core/qubes.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 3ac19b80..9cb438d2 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1392,8 +1392,11 @@ class QubesProxyVm(QubesNetVm):
 iptables += "-A INPUT -i lo -j ACCEPT\n" iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n" + iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" # Allow dom0 networking iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n" + # Deny inter-VMs networking + iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n" vms = [vm for vm in self.connected_vms.values()] for vm in vms:
@@ -1441,7 +1444,6 @@ class QubesProxyVm(QubesNetVm):
 iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action) iptables += "#End of VM rules\n" - iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" iptables += "-A FORWARD -j DROP\n" iptables += "COMMIT"
From 95a52d388b2e9b7aa51dbbe2581d56a512cf8d39 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Wed, 6 Apr 2011 10:33:42 +0200
Subject: [PATCH 2/2] Optimize iptables rules in NetVM
Move "state RELATED,ESTABLISHED" rule to the beginning.
---
 common/iptables | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/iptables b/common/iptables
index b2100ba9..b80c19a2 100644
--- a/common/iptables
+++ b/common/iptables
@@ -19,9 +19,9 @@ COMMIT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i vif+ -o vif+ -j DROP
 -A FORWARD -i vif+ -j ACCEPT
--A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -j DROP
 COMMIT
 # Completed on Mon Sep 6 08:57:46 2010
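Review bot: The added `-A FORWARD -i vif+ -o vif+ -j DROP` in the first qubes.py hunk also matches vif0.0 on the output side, so a VM opening a new connection toward dom0 is dropped while dom0-initiated traffic is accepted by the `-i vif0.0` rule placed above it; if that asymmetry is intended, the comment should say so, e.g. `# Deny inter-VM traffic (vif+ also matches vif0.0, so VM->dom0 connections are dropped here)`. The rule order is now load-bearing: the RELATED,ESTABLISHED accept moved ahead of the inter-VM DROP and of the per-VM `default_action` rules in the second hunk, so those rules only ever see packets that conntrack does not already classify as part of a tracked flow, which presumably means a later change of a VM's default_action no longer affects connections that VM already has open. I would add above the state rule `# Must stay first: tracked flows bypass the inter-VM DROP and the per-VM rules below`. The same reordering, with the same consequence, is made in common/iptables by the second patch. The method enclosing these lines starts and ends outside the hunk.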
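Review bot: The reordered FORWARD chain in common/iptables carries no comment, and an iptables-restore file has no other place to record why the RELATED,ESTABLISHED accept must precede `-A FORWARD -i vif+ -o vif+ -j DROP`; a line above the new rule such as `# Accept tracked flows first; the vif+ -> vif+ DROP below only has to see connection-initiating packets` would keep a later edit from undoing the ordering. It is also worth stating in the commit message that this is not purely an optimization: a vif-to-vif packet that conntrack classifies as RELATED or ESTABLISHED is now accepted where it was previously dropped, although a new inter-VM connection still cannot be opened because its first packet is still dropped. Whether such vif-to-vif tracked packets ever occur in practice is not visible from the hunk.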