diff --git a/Readme.md b/Readme.md index 1522ae9..cf82092 100644 --- a/Readme.md +++ b/Readme.md @@ -108,8 +108,8 @@ The main issue however is the fact that currenly, the firewall client library is Since in the case of port forwarding the target ip address would always be the `` IP address, users should not be asked for a `dsthost` field. Adding a forward rule could look like this: ``` -qvm-firewall add action=forward proto=tcp type=external srcports=443-443 dstports=80443-80443 srchost=0.0.0.0/0 expire=+500000 comment="example https server rule" -qvm-firewall add action=forward proto=tcp type=internal srcports=80-80 dstports=8000-8000 srchost=10.137.0.13 expire=+500000 comment="example internal simplehttpserver file sharing rule" +qvm-firewall add action=forward proto=tcp forwardtype=external srcports=443-443 dstports=80443-80443 srchost=0.0.0.0/0 expire=+500000 comment="example https server rule" +qvm-firewall add action=forward proto=tcp forwardtype=internal srcports=80-80 dstports=8000-8000 srchost=10.137.0.13 expire=+500000 comment="example internal simplehttpserver file sharing rule" ``` Of course `expire=` and `comment=` are optional fields. @@ -120,7 +120,7 @@ Of course `expire=` and `comment=` are optional fields. forward tcp - external + external 443-443 80443-80443 0.0.0.0/0 
@@ -130,8 +130,25 @@ Of course `expire=` and `comment=` are optional fields. ``` ### Proposal chart +The main distinction between internal and external port forwarding is: + + * _Internal_ resolves only 's + * _External_ recursively resolves all upstream networking vm and sets forwarding rules on all of them + +This should cover multiple scenarios: + * _Standard external forwarding_ when service needs to be exposed on a physical interface + * _Standard internal forwarding_ when service needs to be exposed to other connected to the same + * _VPN internal port forwarding_ when service needs to be exposed through a VPN + +It is important to note that in the last case, it is just a standard case of internal forwarding. + + ![Implementation](https://git.lsd.cat/Qubes/gsoc/raw/master/assets/implementation.png) +#### Implementation roadmap + + + ### Required rules #### External
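Review bot: in the first hunk (`@@ -108,8 +108,8 @@`), both example commands use `dstports=80443-80443`, which is not a valid TCP port (the port range ends at 65535), so the example would be rejected by any sane validator; if a port like 8443 was intended, fix the value on both the `-` and `+` lines so the documentation shows a rule that can actually be added. While touching these lines it would also help to spell out what `srchost=0.0.0.0/0` means for an `external` rule (the service is reachable from every source address on the physical interface) and what unit `expire=+500000` is in, since a reader copying the example otherwise creates a long-lived, any-source forward without realising it. The context line still reads "currenly" (for "currently").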
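Review bot: in the second hunk (`@@ -120,7 +120,7 @@`), the removed and added lines both read just `external`, so the rename from `type` to `forwardtype` that the first hunk applies to the CLI is not visible in the serialized rule representation here; please check that the field name in the rule file format was actually renamed to match `forwardtype`, otherwise the CLI argument and the stored rule will disagree. The same out-of-range `80443-80443` destination port value appears in this representation and should be corrected together with the command examples.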
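Review bot: in the third hunk (`@@ -130,8 +130,25 @@`), the new `#### Implementation roadmap` heading is added with no content under it, and two of the new bullets are missing their nouns ("_Internal_ resolves only 's" and "exposed to other connected to the same"), so the internal/external distinction this section exists to explain cannot be read as written; fill in the roadmap or drop the heading until there is text, and complete the two sentences. Since "_External_ recursively resolves all upstream networking vm and sets forwarding rules on all of them", it is worth stating here which VMs end up holding a rule for a single `external` entry and that listing or deleting that entry must cover every upstream VM, because a rule left behind in one of them keeps the port exposed after the user thinks it was removed.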