qubes-firewall will now blacklist IP addresses from all connected
machines on non-vif* interfaces. This prevents spoofing source or
target address on packets going over an upstream link, even if
a VM in question is powered off at the moment.
Depends on QubesOS/qubes-core-admin#303 which makes admin maintain
the list of IPs in qubesdb.
FixesQubesOS/qubes-issues#5540.
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.
FixesQubesOS/qubes-issues#3269
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
- change language from bash to python, introduce qubesagent python package
- support both nftables (preferred) and iptables
- new interface (https://qubes-os.org/doc/vm-interface/)
- IPv6 support
- unit tests included
- nftables version support running along with other firewall loaded
FixesQubesOS/qubes-issues#1815QubesOS/qubes-issues#718
Masquerading packets on lo actually drops them when there is no default route.
This causes problems with commutication between ntpd processes (ntp main
daemon and resolver). And perhaps many more...
