bfe31cfec8
qubes-firewall will now blacklist IP addresses from all connected machines on non-vif* interfaces. This prevents spoofing source or target address on packets going over an upstream link, even if a VM in question is powered off at the moment. Depends on QubesOS/qubes-core-admin#303 which makes admin maintain the list of IPs in qubesdb. Fixes QubesOS/qubes-issues#5540.
17 lines
382 B
Plaintext
17 lines
382 B
Plaintext
# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
|
|
*mangle
|
|
:QBS-PREROUTING - [0:0]
|
|
:QBS-POSTROUTING - [0:0]
|
|
-A PREROUTING -j QBS-PREROUTING
|
|
-A POSTROUTING -j QBS-POSTROUTING
|
|
COMMIT
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:QBS-FORWARD - [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A FORWARD -j QBS-FORWARD
|
|
COMMIT
|
|
# Completed on Tue Sep 25 16:00:20 2012
|