<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>22/06/2021, 01:49</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;, Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-western">Hi,
<br>sorry for yesterday's long and a bit confusing message. I started writing
down my documentation and progress here <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes/gsoc">https://git.lsd.cat/Qubes/gsoc</a>
so it should be more readable and easier to follow.
<br>
<br>I think my main concern now is question 4 from the aforementioned
email. Shall the rules be automatically implemented in all 3 involved
VMs (&lt;netvm,firewallvm,appvm&gt;)? I think yes, because otherwise it would
be counterintuitive to be a partially manual and partially automatic
operation. But since it actually 'automatically' exposes more attack
surface, by loosening up all 3 VMs' network rules, I guess that maybe
more reasoning on it would be helpful.
<br>
<br>
<br>Cheers
<br>Giulio
<br>
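The forward-rule syntax proposed in the quoted message below (the Admin API line action=forward proto=... dstports=... [expire=...] [comment=...] and its XML form) is small enough to exercise with a parser and validator. The following is an added example, not code from this thread or from Qubes OS: the field names and the XML layout follow the proposal, while the ForwardRule class, the parse_rule/parse_ports/validate/to_xml/from_xml helpers, the reading of dstports=443-8080-5555 as a hyphen-separated list of single ports (it cannot be a range with three values, but the proposal does not say), the requirement that comment= be the last field, and the sample rule line are all assumptions of this example. It enforces the answer given to question 2 (no proto=any for forward rules) and carries the expire= and comment= fields discussed in question 3.

```python
"""Parser, validator and XML serializer for the forward-rule syntax proposed
in the thread.  Added example, not Qubes OS code: field names and the XML
layout follow the proposal; every class and helper here is an assumption."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_PROTOS = ("tcp", "udp")  # question 2: no 'any' for forward rules
KNOWN_KEYS = {"action", "proto", "dstports", "expire", "comment"}


class RuleError(ValueError):
    """Raised for any rule that must not reach the firewall."""


@dataclass
class ForwardRule:
    proto: str
    dstports: List[int]
    expire: Optional[int] = None  # unix timestamp, as in the proposal
    comment: Optional[str] = None

    def is_expired(self, now):
        """True once the optional expire= timestamp has passed (now = unix time)."""
        return self.expire is not None and self.expire <= now


def parse_ports(spec):
    """Assumption: dstports=443-8080-5555 is a hyphen-separated list of single
    ports (three values cannot be a range); each 1..65535, no duplicates."""
    ports = []
    for token in spec.split("-"):
        if not token.isdigit() or not 1 <= int(token) <= 65535:
            raise RuleError("bad port: %r" % token)
        if int(token) in ports:
            raise RuleError("duplicate port: %s" % token)
        ports.append(int(token))
    return ports


def parse_rule(line):
    """Parse 'action=forward proto=udp dstports=443-8080-5555 [expire=N] [comment=...]'.
    Assumption: comment= may contain spaces, so it must be the last field."""
    fields, tokens = {}, line.split()
    for i, tok in enumerate(tokens):
        if "=" not in tok:
            raise RuleError("malformed token: %r" % tok)
        key, value = tok.split("=", 1)
        if key in fields:
            raise RuleError("duplicate key: %s" % key)
        fields[key] = " ".join([value] + tokens[i + 1:]) if key == "comment" else value
        if key == "comment":
            break
    if set(fields) - KNOWN_KEYS:
        raise RuleError("unknown keys: %s" % sorted(set(fields) - KNOWN_KEYS))
    if fields.get("action") != "forward":
        raise RuleError("only action=forward is handled here")
    if fields.get("proto") not in ALLOWED_PROTOS:
        raise RuleError("proto must be tcp or udp, got %r" % fields.get("proto"))
    if "dstports" not in fields:
        raise RuleError("a forward rule must name dstports")
    expire = fields.get("expire")
    if expire is not None and not expire.isdigit():
        raise RuleError("expire must be a unix timestamp")
    return ForwardRule(fields["proto"], parse_ports(fields["dstports"]),
                       None if expire is None else int(expire), fields.get("comment"))


def validate(line):
    """Return None if the line is an acceptable forward rule, else the reason."""
    try:
        parse_rule(line)
    except RuleError as err:
        return str(err)
    return None


def to_xml(rule):
    """Serialize to the proposed <rule><properties><property name=...> layout."""
    root = ET.Element("rule")
    props = ET.SubElement(root, "properties")
    pairs = [("action", "forward"), ("proto", rule.proto),
             ("dstports", "-".join(str(p) for p in rule.dstports))]
    pairs += [("expire", str(rule.expire))] if rule.expire is not None else []
    pairs += [("comment", rule.comment)] if rule.comment is not None else []
    for name, value in pairs:
        ET.SubElement(props, "property", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def from_xml(text):
    """Inverse of to_xml; re-validates through parse_rule, so the XML path
    cannot smuggle in proto=any or an out-of-range port either."""
    root = ET.fromstring(text)
    if root.tag != "rule":
        raise RuleError("expected <rule>, got <%s>" % root.tag)
    parts = ["%s=%s" % (p.get("name"), p.text or "")
             for p in root.findall("./properties/property")]
    parts.sort(key=lambda s: s.startswith("comment="))  # comment must be last
    return parse_rule(" ".join(parts))
```

Both entry points funnel through parse_rule on purpose: a rule that arrives as XML gets the same proto and port checks as one typed on the command line, so there is a single place where "as precise as possible" is enforced.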
<br>On 20/06/2021 22:50, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>sorry for the late reply.
<br>
<br>I read a lot of code and I have to admit that I did not grasp the
complexity of the Admin API and networking stack before looking so much
into it. I think I've got the overall picture, but it will take a little
more to be fully confident moving there.
<br>
<br>Here is the summary of the notes I've taken from my understanding in
this week of digging.
<br>
<br>Main references:
<br><a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/admin-api/">https://www.qubes-os.org/doc/admin-api/</a>
<br><a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/vm-interface/#firewall-rules-in-4x">https://www.qubes-os.org/doc/vm-interface/#firewall-rules-in-4x</a>
<br><a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/firewall/">https://www.qubes-os.org/doc/firewall/</a>
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>core-admin/qubes/firewall.py<span class="moz-txt-tag">_</span></span>
<br>Contains the classes with the parsing and formatting rules for firewall
information in the firewall XML file. It already checks the proper format
for ports and IP addresses/netmasks. It already supports an expiry date
for a rule.
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>core-admin-client/qubesadmin/tools/qvm_firewall.py<span class="moz-txt-tag">_</span></span>
<br>Class for the qvm-firewall CLI tool. It is able to view, add, delete and
reload firewall rules.
<br>
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>core-admin-client/qubesadmin/firewall.py<span class="moz-txt-tag">_</span></span>
<br>The file responsible for calling the Admin API (qubesd). Currently has its
own rule syntax for setting rules.
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>core-agent-linux/qubesagent/firewall.py<span class="moz-txt-tag">_</span></span>
<br>Is the actual file responsible for running nftables and thus
adding/deleting/reloading firewall rules in the target firewall VM. It
also resolves DNS names for domain rules. It is run by the Admin API (qubesd).
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>manager/qubesmanager/firewall.py<span class="moz-txt-tag">_</span></span>
<br>Contains the code for the "Firewall" tab of the "Qube Manager" window.
<br>
<br><span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>manager/ui/qubemanager.ui<span class="moz-txt-tag">_</span></span>
<br>Strings and properties for the "Qube Manager" UI.
<br>
<br>
<br>Questions:
<br>
<br>1) Should we support both internal port forwarding and external port
forwarding? Such as exposing a port for another domain or exposing a
port through the public network interface? I would say yes.
<br>2) Should it be possible to add rules with an 'any' clause (both tcp and
udp)? I would say no because, since port forwarding brings a higher
attack surface, all rules should be as precise as possible.
<br>3) Since the expire= feature seems to be already implemented (and
limited to expiring full outgoing access), would it be useful to
implement it in the GUI and CLI for every rule? I would say yes since the
admin and agent code seems to be already there. The same goes for the
"comment=" field.
<br>4) How would you implement the management of forwarding rules in the
network-providing domain (sys-net)? Shall the user add a rule both in
the target domain (i.e. the one with the webserver) and another one in sys-net,
or should it be fully automatic from the first?
<br>5) Users should be able to set forward rules using domain names and not
static IP addresses. In this case, the actual IP addresses of the dst
domains should be collected in a similar way as DNS names are currently
resolved in `/core-agent-linux/qubesagent/firewall.py`; would this be good?
<br>
<br>
<br>Proposed XML Syntax:
<br>&lt;rule&gt;
<br>&nbsp;    &lt;properties&gt;
<br>&nbsp;        &lt;property name="action"&gt;forward&lt;/property&gt;
<br>&nbsp;        &lt;property name="proto"&gt;udp&lt;/property&gt;
<br>&nbsp;        &lt;property name="dstports"&gt;443-8080-5555&lt;/property&gt;
<br>&nbsp;    &lt;/properties&gt;
<br>&lt;/rule&gt;
<br>
<br>Proposed Admin API Syntax:
<br>action=forward proto=udp dstports=443-8080-5555 [expire=&lt;unix
timestamp&gt;] [comment=random text]
<br>
<br>I also plan to document, at least partially, the journey into this.
<br>As a last question, I'm curious what your setup is for testing
modifications in the aforementioned repos while developing.
<br>
<br>Thank you for your time.
<br>Cheers
<br>Giulio
<br>
<br>
<br>
<br>On 11/06/2021 09:16, Frédéric Pierret wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>
<br>On 6/11/21 at 8:24 AM, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>Thank you for accepting my proposal and volunteering for mentoring me. I
<br>spent the last weeks reading Qubes sources, documentation and mailing
<br>lists, as well as setting up a virtual machine and attempting to prepare
<br>a comfy development environment. I hope by the end of the next week to
<br>be ready to propose you a draft of the plan for the development of the
<br>static port forwarding feature. Does that sound ok?
<br></blockquote>
<br>Sure.
<br>
<br><blockquote type=cite style="color: #007cff;">Cheers,
<br>Giulio
<br></blockquote>
<br>Best,
<br>Frédéric
<br>
<br></blockquote></blockquote></div></body>
</html>