Hi,
On 29/06/2021 03:31, Marek Marczykowski-Górecki wrote:
> Yes, preparing rules in firewall.py sounds like a good idea. A new
> function is a good idea too. But note that for 'external' rules you need
> to apply them at several places (sys-net, sys-firewall etc). They won't
> necessarily be the same.
> I'd recommend getting an example, and writing down all the rules that
> should be applied, in all related VMs (specific iptables/nft commands).
> You have mostly done this part already.
> This part you can also test manually - really add those rules
> manually and check if everything works as it should. This way you ensure
> the rule set is sufficient.
> Then, write down QubesDB entries that describe them - carefully matching
> which information in the rule is built from which information in the qdb
> entry.
> With that information, you know what qdb entries you need to produce for
> each VM, and it should be easier to design this extra function/functions -
> especially, you'll see what input data such a function needs and how many
> different rules it needs to return.
I tried writing a possible implementation to see how it could work and
also to get some initial feedback. Since in the past week I had no access
to my test machine, I just fixed the last things today and it seems that
overall the implemented parts are working (up to writing the rules with
the correct IPs in the appropriate agent databases).
Here are the repositories:
https://git.lsd.cat/Qubes
Here is a list of what has yet to be done:
1) Lot of testing and writing tests
2) Any modification to the agent (such as applying the rules)
3) "srchost" parameter support
4) GUI
5) Find a way to display the chain of rules in the qvm-firewall of every
VM involved since as of now it is displayed only in the VM for which the
rule was set
Here is a list of what should work:
1) Adding and deleting forward rules, both internal and external, via
qvm-firewall. Also basic checks of the consistency of rules and required
options should be in place
2) Display of forward rules via qvm-firewall
3) Persistence and resume of forward rules in firewall.xml
4) Correct distribution of the required rules in the network chain in net.py
Overall I tried to reuse as much as possible of the already existing code in
order not to change the style and to introduce as few changes as possible.
Without having you correct the code step by step, before going forward
with the agent I would like to have feedback on whether the coding style seems
consistent enough with yours and especially whether the implementation in
net.py of the distribution of the rules matches your expectations.
My changes are only in core-admin and core-admin-client for now.
Cheers
Giulio
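The design step discussed in the quoted reply (one function that, given the data describing a forward rule, returns the concrete rules each VM in the chain must apply, with 'external' rules touching sys-net and sys-firewall and 'internal' ones only the shared netvm) can be sketched in a few lines. The code below is an added illustration written for this page; it is not code from Giulio's repositories or from Qubes OS. The dataclass fields, the VM names, the nft table and chain names ("qubes-forward", "prerouting", "forward") and the idea of keeping the exposed port on intermediate hops and translating it only on the last hop are all assumptions made for the example.

```python
# Added example, not code from the thread or from Qubes OS: maps one
# forward-rule description (as it might be read back from a QubesDB entry)
# to the nft commands each VM in the network chain would have to apply.
# Field names, VM names and nft table/chain names are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRule:
    proto: str                   # "tcp" or "udp"
    dstport: int                 # port exposed on the outermost interface
    dsthost: str                 # IP of the qube that finally receives the traffic
    dstport_inner: int           # port the receiving qube actually listens on
    external: bool               # True: traffic arrives from outside via sys-net
    srchost: Optional[str] = None  # optional source restriction (assumed field)


@dataclass(frozen=True)
class Hop:
    vm: str       # VM that applies the rules
    next_ip: str  # IP of the next qube towards dsthost, as seen from this VM


def validate(rule: ForwardRule) -> None:
    """Basic consistency checks before any rule text is generated."""
    if rule.proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    for port in (rule.dstport, rule.dstport_inner):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")


def rules_for_hop(rule: ForwardRule, hop: Hop, port_after_hop: int) -> list[str]:
    """nft commands for a single VM: DNAT the exposed port to the next hop and
    accept the forwarded flow. Table/chain names are assumed for illustration."""
    src = f"ip saddr {rule.srchost} " if rule.srchost else ""
    return [
        f"nft add rule ip qubes-forward prerouting {src}{rule.proto} dport "
        f"{rule.dstport} dnat to {hop.next_ip}:{port_after_hop}",
        f"nft add rule ip qubes-forward forward ip daddr {hop.next_ip} "
        f"{rule.proto} dport {port_after_hop} accept",
    ]


def distribute(rule: ForwardRule, chain: list[Hop]) -> dict[str, list[str]]:
    """Distribute one rule over the chain sys-net -> sys-firewall -> target.

    External rules are applied on every hop; internal rules only on the last
    hop, i.e. the netvm shared by the communicating qubes. Intermediate hops
    keep the exposed port; only the last hop translates it to dstport_inner.
    """
    validate(rule)
    if not chain or chain[-1].next_ip != rule.dsthost:
        raise ValueError("last hop must point at the rule's dsthost")
    active = chain if rule.external else chain[-1:]
    per_vm: dict[str, list[str]] = {}
    for hop in active:
        last = hop is active[-1]
        per_vm[hop.vm] = rules_for_hop(rule, hop, rule.dstport_inner if last else rule.dstport)
    return per_vm


if __name__ == "__main__":
    # Constructed sample chain and rule (addresses are made up for the example).
    sample_chain = [Hop("sys-net", "10.137.0.5"), Hop("sys-firewall", "10.137.0.20")]
    sample_rule = ForwardRule("tcp", 8080, "10.137.0.20", 80, external=True)
    for vm, cmds in distribute(sample_rule, sample_chain).items():
        print(vm)
        for cmd in cmds:
            print("  ", cmd)
```

The point the example makes concrete is the one Marek raises: the same QubesDB entry yields different rule text in sys-net (DNAT to sys-firewall, port unchanged) and in sys-firewall (DNAT to the target qube with the inner port), and an internal rule never touches sys-net at all, so the function needs the chain as input, not just the rule.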