|
@@ -145,9 +145,20 @@ It is important to note that in the last case, it is just a standard case of int
|
|
|
|
|
|
![Implementation](https://git.lsd.cat/Qubes/gsoc/raw/master/assets/implementation.png)
|
|
|
|
|
|
-#### Implementation roadmap
|
|
|
-
|
|
|
-
|
|
|
+### Implementation roadmap
|
|
|
+
|
|
|
+ 1. ✔️ In `core-admin-client/qubesadmin/firewall.py` firewall.py > The code
|
|
|
+needs to support the new options for the rule (action=forward
|
|
|
+frowardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
|
|
|
+ 2. ✔️ In `core-admin/qubes/firewall.py` -> The code needs to support the same
|
|
|
+options as the point above
|
|
|
+ 3. 🚧 In `core-admin/qubes/vm/mix/net.py` -> The most important logic goes
|
|
|
+here. Here there is the need to resolve the full network chain for
|
|
|
+external port forwarding. From here it is possible to add the respective
|
|
|
+rules to the QubesDB of each NetVM in he chain and trigger a reload event.
|
|
|
+ 4. ❌ In `core-agent-linux/qubesagent/firewall.py` -> Here goes the logic for
|
|
|
+building the correct syntax for iptables or nft and the actual execution
|
|
|
+ 5. ❌ GUI
|
|
|
|
|
|
### Required rules
|
|
|
|
|
@@ -187,4 +198,22 @@ nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_
|
|
|
in `<appvm>`:
|
|
|
```
|
|
|
iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT
|
|
|
-```
|
|
|
+```
|
|
|
+
|
|
|
+## Extra
|
|
|
+### Useful Commands
|
|
|
+
|
|
|
+### Dev Environment
|
|
|
+Currently developing on VMWare Workstation on Windows due to issues in virtualizing on linux on my home hardware.
|
|
|
+QubesOS is virtualized behind NAT and can reach Windows Host via SSH.
|
|
|
+
|
|
|
+In order to the the code, I wrote some [helper scripts](https://git.lsd.cat/Qubes/tools).
|
|
|
+The required setup involves:
|
|
|
+ * Clone the tools on the Windows Host
|
|
|
+ * Generate an SSH keypair on `sys-net`
|
|
|
+ * Add `sys-net` SSH pubkey on Windows for non interactive authentication (`sshd` is easier using Windows Subsystem for Linux)
|
|
|
+ * Via scp/sftp, copy all the bash script in the `sys-net` VM. Leve `pull.sh` in `/home/user/pull.sh`
|
|
|
+ * Using `qvm-run` copy `backup.sh`, `restore.sh` and `updte.sh` in `Dom0`
|
|
|
+ * First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover)
|
|
|
+ * Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script.
|
|
|
+ * In case of issues, run `restore.sh` and investigate the previous errors
|