Commit Graph

25 Commits

Author SHA1 Message Date
Marek Marczykowski
a90a21b8ff vm/iptables: block IPv6 traffic
This isn't properly handled by Qubes VMs yet, so block it in all the VMs.
Also restrict access to firewall config.
2012-09-25 16:14:06 +02:00
Marek Marczykowski
decf7ef648 vm/yum-proxy: one more regexp fix 2012-09-25 15:08:06 +02:00
Marek Marczykowski
f710531f68 vm/yum-proxy: filter regexp: add missing ^$ marks, remove unneeded .* at the beginning
Reported-by: Igor Bukanov <igor@mir2.org>
2012-09-25 13:37:59 +02:00
Marek Marczykowski
dd7fe532ae vm/yum-proxy: allow pkgtags repodata 2012-09-19 12:55:45 +02:00
Marek Marczykowski
038933789d vm/updates-proxy: fix regexp (#643) 2012-08-06 14:59:10 +02:00
Marek Marczykowski
9a1a9c8b1f vm/qubes-update-proxy: update URL whitelist 2012-07-05 01:43:32 +02:00
Marek Marczykowski
96508abf2c vm: qubes-yum-proxy service (#568)
Introduce proxy service, which allows only http(s) traffic to yum repos. The
filter rules are based on URL regexps, so it isn't full-featured content
inspection and can be easily bypassed, but should be enough to prevent some
erroneous user actions (like clicking on an invalid link).

It is set up to intercept connections to 10.137.255.254:8082, so a VM can connect
to this IP regardless of the VM in which the proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).
2012-05-31 03:11:43 +02:00
Marek Marczykowski
3224026355 dom0+vm/iptables: add PR-QBS-SERVICES chain in PREROUTING nat table
Additional chain for some qubes-related redirections. BTW PR-QBS should be
renamed now to PR-QBS-DNS...
2012-05-31 03:11:43 +02:00
Marek Marczykowski
303355a168 dom0+vm/vif-script: setup IP address of net backend interface
This is needed to connect to the ProxyVM/NetVM, not only to pass traffic ahead.
Firewall rules still apply.
2012-05-31 03:11:43 +02:00
Marek Marczykowski
556bc7ac38 vm+dom0/vif-script: indent fix 2012-05-31 03:11:43 +02:00
Marek Marczykowski
e9d341ff71 vm/netwatcher: fix watch 2012-03-09 01:54:16 +01:00
Marek Marczykowski
9547b191ad vm/qvm-firewall: force firewall reload on service start (#478)
This makes the firewall reload triggered by qubes-netwatcher work again.
2012-03-09 01:50:51 +01:00
Marek Marczykowski
0bad3c3dec vm/netwatcher: watch also for netvm change (#478) 2012-03-09 01:01:30 +01:00
Joanna Rutkowska
29d7fbfad3 vm/qubes_netwatcher: correct typo in service name (#465)
This prevented netwatcher from being started in the firewallvm.
2012-03-09 00:21:54 +01:00
Marek Marczykowski
05db5c9f92 vm/network: use metric to allow multiple routes to same VM
This is required when a VM has multiple interfaces (e.g. HVM: PV and stubdom).
Prefer the later one.
2012-03-08 14:57:10 +01:00
Marek Marczykowski
a06c8c3786 vm/network: really place anti-spoof rules in 'raw' table
This fixes commit:
4d68998 vm/network: place anti-spoof rules in 'raw' table
2012-03-08 14:56:39 +01:00
Marek Marczykowski
4d6899827d vm/network: place anti-spoof rules in 'raw' table 2012-03-03 01:30:04 +01:00
Marek Marczykowski
720bc5c67e vm/network: replace route in more elegant way 2012-03-03 01:26:06 +01:00
Marek Marczykowski
187c524852 vm/network: do not fail when route already exists - override it 2012-02-24 17:10:16 +01:00
Marek Marczykowski
b710e560d7 vm/firewall: do not fail when one VM's rules failed 2012-02-13 15:47:34 +01:00
Marek Marczykowski
ad75f3c99e vm/network: symlink NetworkManager system-connection to /rw (#425)
In FC15, NetworkManager by default uses global connections ("Available to all users"). Save them in /rw instead of /etc, to preserve them across reboots.
2012-01-30 14:20:02 +01:00
Marek Marczykowski
22e10230bd vm/network: ignore IPv6 DNS entries in /etc/resolv.conf 2012-01-30 13:41:41 +01:00
Marek Marczykowski
0f9a312fcf vm/netwatcher: ignore error when no external IP present
This can be set later, when the network in the NetVM is connected.
2012-01-18 19:34:09 +01:00
Marek Marczykowski
f9c956e677 vm/iptables: do not MASQUERADE packets on lo (#416)
Masquerading packets on lo actually drops them when there is no default route.
This causes problems with communication between ntpd processes (ntp main
daemon and resolver). And perhaps many more...
2012-01-13 20:42:31 +01:00
Marek Marczykowski
adc0b6eff5 vm(+dom0): major rearrangement of VM files in repo; merge core-*vm packages 2012-01-06 21:31:12 +01:00