dom0/core-firewall: firewall setting for qubes-yum-proxy (#568)

New setting for access to qubes-yum-proxy. The difference from the other firewall
settings (and the reason for a new top-level setting): 'deny' is enforced even if
the policy is set to 'allow'. This proxy service is mainly used to filter network
traffic, so it should not be exposed to VMs that can connect to any host directly
(e.g. the 'untrusted' VM).
This commit is contained in:
Marek Marczykowski 2012-05-31 02:50:05 +02:00
parent 4bac57818e
commit 2ca4b11183


@ -98,6 +98,9 @@ qubes_appmenu_create_cmd = "/usr/lib/qubes/create_apps_for_appvm.sh"
qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh"
qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh'
yum_proxy_ip = '10.137.255.254'
yum_proxy_port = '8082'
class QubesException (Exception) : pass
if not dry_run:
@ -392,7 +395,7 @@ class QubesVm(object):
shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
% (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
self.write_firewall_conf({'allow': False, 'allowDns': False,
'allowIcmp': False, 'rules': []})
'allowIcmp': False, 'allowYumProxy': False, 'rules': []})
else:
new_netvm.connected_vms[self.qid]=self
@ -1159,7 +1162,8 @@ class QubesVm(object):
"QubesFirwallRules",
policy = "allow" if conf["allow"] else "deny",
dns = "allow" if conf["allowDns"] else "deny",
icmp = "allow" if conf["allowIcmp"] else "deny"
icmp = "allow" if conf["allowIcmp"] else "deny",
yumProxy = "allow" if conf["allowYumProxy"] else "deny"
)
for rule in conf["rules"]:
@ -1205,7 +1209,7 @@ class QubesVm(object):
return os.path.exists (self.firewall_conf)
def get_firewall_conf(self):
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
try:
tree = xml.etree.ElementTree.parse(self.firewall_conf)
@ -1214,6 +1218,7 @@ class QubesVm(object):
conf["allow"] = (root.get("policy") == "allow")
conf["allowDns"] = (root.get("dns") == "allow")
conf["allowIcmp"] = (root.get("icmp") == "allow")
conf["allowYumProxy"] = (root.get("yumProxy") == "allow")
for element in root:
rule = {}
@ -1957,7 +1962,7 @@ class QubesProxyVm(QubesNetVm):
if vm.has_firewall():
conf = vm.get_firewall_conf()
else:
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False }
xid = vm.get_xid()
if xid < 0: # VM not active ATM
@ -2000,6 +2005,10 @@ class QubesProxyVm(QubesNetVm):
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
if conf["allowIcmp"]:
iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
if conf["allowYumProxy"]:
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
else:
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
iptables += "COMMIT\n"
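Review bot: The new `-j DROP` line for yum_proxy_ip:yum_proxy_port sits right before the default action, but the per-rule ACCEPT lines generated from conf["rules"] are outside this hunk; if they are emitted earlier in the FORWARD chain, a user rule whose address and port cover the proxy matches first and the "deny even when policy is allow" intent from the commit message is not enforced by iptables ordering. Emitting the allowYumProxy block before the rules loop (or the DROP as the first rule for this source IP) would make the deny unconditional regardless of user rules. A one-line comment above the block, `# proxy deny must precede any ACCEPT for this source, it is a filter, not an open service`, would record why the position matters. The enclosing method starts outside the hunk, so the actual position of the rules loop should be confirmed there.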