57a3c2d67e
When qubes-firewall service is started, modify firewall to have "DROP" policy, so if something goes wrong, no data got leaked. But keep default action "ACCEPT" in case of legitimate service stop, or not starting it at all - because one may choose to not use this service at all. Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and keep it there while qubes-firewall service is running. Fixes QubesOS/qubes-issues#3269
34 lignes
1002 B
Plaintext
34 lignes
1002 B
Plaintext
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:PR-QBS - [0:0]
|
|
:PR-QBS-SERVICES - [0:0]
|
|
-A PREROUTING -j PR-QBS
|
|
-A PREROUTING -j PR-QBS-SERVICES
|
|
-A POSTROUTING -o vif+ -j ACCEPT
|
|
-A POSTROUTING -o lo -j ACCEPT
|
|
-A POSTROUTING -j MASQUERADE
|
|
COMMIT
|
|
# Completed on Mon Sep 6 08:57:46 2010
|
|
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:QBS-FORWARD - [0:0]
|
|
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -i vif+ -p icmp -j ACCEPT
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -j DROP
|
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -j QBS-FORWARD
|
|
-A FORWARD -i vif+ -o vif+ -j DROP
|
|
-A FORWARD -i vif+ -j ACCEPT
|
|
-A FORWARD -j DROP
|
|
COMMIT
|
|
# Completed on Mon Sep 6 08:57:46 2010
|