From c44b8a13c9afa20cdb4cd4f8a69e45493eac7f8f Mon Sep 17 00:00:00 2001 From: clayton Date: Tue, 19 Jul 2016 20:09:06 +0800 Subject: [PATCH 1/4] Add a specific note about where to put iptables in /rw/config/ --- security/qubes-firewall.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security/qubes-firewall.md b/security/qubes-firewall.md index 980888ad..f90ec8ae 100644 --- a/security/qubes-firewall.md +++ b/security/qubes-firewall.md @@ -315,3 +315,11 @@ fi This time testing should allow connectivity to the service as long as the service is up :-) + +Where to put firewall rules +--------------------------- + +Implicit in the above example, but worth calling attention to: for all +VMs EXCEPT proxy VMs, iptables commands should be added to the +'/rw/config/rc.local' script. For proxy VMs, iptables commands should +be added to '/rw/config/qubes_firewall_user_script'. From e259037ec337a1d7ffd6b81fd5ddb5b4112824a6 Mon Sep 17 00:00:00 2001 From: clayton Date: Wed, 20 Jul 2016 20:26:17 +0800 Subject: [PATCH 2/4] more /rw/config/ script tweaks --- configuration/config-files.md | 4 +++- configuration/http-filtering-proxy.md | 6 +++--- security/qubes-firewall.md | 21 ++++++++++++--------- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/configuration/config-files.md b/configuration/config-files.md index faa5695b..64062c0e 100644 --- a/configuration/config-files.md +++ b/configuration/config-files.md @@ -13,6 +13,7 @@ Qubes specific VM config files ============================== Those files are placed in /rw, which survives VM restart, so can be used to customize single VM (not all VMs based on the same template). +The scripts here all run as root. - `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config etc. Example usage: 
@@ -23,7 +24,8 @@ Those files are placed in /rw, which survives VM restart, so can be used to cust ~~~ - `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network) -- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after firewall update. Good place to write own custom firewall rules + +- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after each firewall update. Good place to write own custom firewall rules - `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system going to sleep. The file is used only in VM with some PCI devices attached. Supposed to be used for problematic device drivers. Note that scripts need to be executable (chmod +x) to be used. diff --git a/configuration/http-filtering-proxy.md b/configuration/http-filtering-proxy.md index cd6de109..e695d025 100644 --- a/configuration/http-filtering-proxy.md +++ b/configuration/http-filtering-proxy.md @@ -162,7 +162,7 @@ Setup to restart all proxy processes. 7. To make sure that the proxy is started automatically when the AppVM - starts change `/rw/config/qubes_firewall_user_script` to include the + starts change `/rw/config/qubes-firewall-user-script` to include the following line: /rw/config/tinyproxy/proxyctl.py update @@ -174,8 +174,8 @@ Setup Make sure that the script is owned by root and executable: - sudo chown root:root /rw/config/qubes_firewall_user_script - sudo chmod 755 /rw/config/qubes_firewall_user_script + sudo chown root:root /rw/config/qubes-firewall-user-script + sudo chmod 755 /rw/config/qubes-firewall-user-script 8. In Qubes VM manager adjust Firewall rules for each AppVM with a proxy. In a typical case when only HTTP proxy should be used for diff --git a/security/qubes-firewall.md b/security/qubes-firewall.md index f90ec8ae..fc689513 100644 --- a/security/qubes-firewall.md +++ b/security/qubes-firewall.md 
@@ -86,7 +86,7 @@ sudo iptables -I FORWARD 2 -s -d -j ACCEPT issues from VM A. Note however, that this doesn't allow you to reach A from B -- for this you would need another rule, with A and B addresses swapped. * If everything works as expected, then the above iptables rule(s) should be - written into firewall VM's `qubes_firewall_user_script` script which is run + written into firewall VM's `qubes-firewall-user-script` script which is run on every firewall update. This is necessary, because Qubes orders every firewall VM to update all the rules whenever new VM is started in the system. If we didn't enter our rules into this "hook" script, then shortly our custom @@ -97,8 +97,8 @@ sudo iptables -I FORWARD 2 -s -d -j ACCEPT ~~~ [user@firewallvm ~]$ sudo bash -[root@firewallvm user]# echo "iptables -I FORWARD 2 -s 10.137.2.25 -d 10.137.2.6 -j ACCEPT" >> /rw/config/qubes_firewall_user_script -[root@firewallvm user]# chmod +x /rw/config/qubes_firewall_user_script +[root@firewallvm user]# echo "iptables -I FORWARD 2 -s 10.137.2.25 -d 10.137.2.6 -j ACCEPT" >> /rw/config/qubes-firewall-user-script +[root@firewallvm user]# chmod +x /rw/config/qubes-firewall-user-script ~~~ Port forwarding to a VM from the outside world @@ -235,7 +235,7 @@ the service remove the ` -s 192.168.0.1/24 ` Once you have confirmed that the counters increase, store these command in -'/rw/config/qubes_firewall_user_script' +'/rw/config/qubes-firewall-user-script' ~~~ #!/bin/sh @@ -284,7 +284,7 @@ fi Finally make this file executable (so it runs at every Firewall VM update) ~~~ -sudo chmod +x /rw/config/qubes_firewall_user_script +sudo chmod +x /rw/config/qubes-firewall-user-script ~~~ **3. Allow packets into the VM to reach the service** 
@@ -319,7 +319,10 @@ service is up :-) Where to put firewall rules --------------------------- -Implicit in the above example, but worth calling attention to: for all -VMs EXCEPT proxy VMs, iptables commands should be added to the -'/rw/config/rc.local' script. For proxy VMs, iptables commands should -be added to '/rw/config/qubes_firewall_user_script'. +Implicit in the above example [scripts](/doc/config-files/), but worth +calling attention to: for all VMs EXCEPT proxy VMs, iptables commands +should be added to the '/rw/config/rc.local' script. For proxy VMs +(sys-firewall inclusive) iptables commands should be added to +'/rw/config/qubes-firewall-user-script'. This is because a proxy VM is +constantly adjusting it's firewall, and therefore initial settings from +rc.local do not persist. From 602bcf9fe27114cb8942837e78764c06dde69fdd Mon Sep 17 00:00:00 2001 From: clayton Date: Thu, 21 Jul 2016 14:59:06 +0800 Subject: [PATCH 3/4] No content changes -- hard wrap excessively long Markdown lines only. --- configuration/config-files.md | 44 ++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 11 deletions(-) diff --git a/configuration/config-files.md b/configuration/config-files.md index 64062c0e..43485c5a 100644 --- a/configuration/config-files.md +++ b/configuration/config-files.md 
@@ -12,10 +12,13 @@ redirect_from: Qubes specific VM config files ============================== -Those files are placed in /rw, which survives VM restart, so can be used to customize single VM (not all VMs based on the same template). +Those files are placed in /rw, which survives VM restart, so can be +used to customize single VM (not all VMs based on the same template). The scripts here all run as root. -- `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config etc. Example usage: +- `/rw/config/rc.local` - script run at VM startup. Good place to +change some service settings, replace config files with its copy stored +in /rw/config etc. Example usage: ~~~ # Store bluetooth keys in /rw to keep them across VM restarts 
@@ -23,17 +26,26 @@ The scripts here all run as root. ln -s /rw/config/var-lib-bluetooth /var/lib/bluetooth ~~~ -- `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network) +- `/rw/config/qubes-ip-change-hook` - script run in NetVM after +external IP change (or connection to the network) -- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after each firewall update. Good place to write own custom firewall rules -- `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system going to sleep. The file is used only in VM with some PCI devices attached. Supposed to be used for problematic device drivers. +- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM +after each firewall update. Good place to write own custom firewall +rules + +- `/rw/config/suspend-module-blacklist` - list of modules (one per +line) to be unloaded before system going to sleep. The file is used +only in VM with some PCI devices attached. Supposed to be used for +problematic device drivers. Note that scripts need to be executable (chmod +x) to be used. GUI and audio configuration in dom0 =================================== -GUI configuration file `/etc/qubes/guid.conf` in one of few not managed by qubes-prefs nor Qubes Manager tool. Sample config (included in default installation): +GUI configuration file `/etc/qubes/guid.conf` in one of few not managed +by qubes-prefs nor Qubes Manager tool. Sample config (included in +default installation): ~~~ # Sample configuration file for Qubes GUI daemon 
@@ -63,9 +75,19 @@ VM: { Currently supported settings: -- `allow_fullscreen` - allow VM to request its windows to go fullscreen (without any colorful frame). Regardless of this setting, you can also set window fullscreen using trusted window manager settings (right click on title bar). -- `allow_utf8_titles` - allow to use UTF-8 in window titles, otherwise non-ASCII characters are replaced by underscore. -- `secure_copy_sequence` and `secure_paste_sequence` - key sequences used to trigger secure copy and paste -- `windows_count_limit` - limit on concurrent windows count. -- `audio_low_latency` - force low-latency audio mode (about 40ms compared to 200-500ms by default). Note that this will cause much higher CPU usage in dom0. +- `allow_fullscreen` - allow VM to request its windows to go +fullscreen (without any colorful frame). Regardless of this setting, +you can also set window fullscreen using trusted window manager +settings (right click on title bar). +- `allow_utf8_titles` - allow to use UTF-8 in window titles, +otherwise non-ASCII characters are replaced by underscore. + +- `secure_copy_sequence` and `secure_paste_sequence` - key sequences +used to trigger secure copy and paste + +- `windows_count_limit` - limit on concurrent windows count. + +- `audio_low_latency` - force low-latency audio mode (about 40ms +compared to 200-500ms by default). Note that this will cause much +higher CPU usage in dom0. From 859af9be0354bd86a9f356dd65d1b0750c507827 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 21 Jul 2016 15:09:30 -0700 Subject: [PATCH 4/4] Fix formatting and orthography --- security/qubes-firewall.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/security/qubes-firewall.md b/security/qubes-firewall.md index fc689513..5d2c9152 100644 --- a/security/qubes-firewall.md +++ b/security/qubes-firewall.md 
@@ -320,9 +320,10 @@ Where to put firewall rules --------------------------- Implicit in the above example [scripts](/doc/config-files/), but worth -calling attention to: for all VMs EXCEPT proxy VMs, iptables commands -should be added to the '/rw/config/rc.local' script. For proxy VMs -(sys-firewall inclusive) iptables commands should be added to -'/rw/config/qubes-firewall-user-script'. This is because a proxy VM is -constantly adjusting it's firewall, and therefore initial settings from -rc.local do not persist. +calling attention to: for all VMs *except* ProxyVMs, iptables commands +should be added to the `/rw/config/rc.local` script. For ProxyVMs +(`sys-firewall` inclusive), iptables commands should be added to +`/rw/config/qubes-firewall-user-script`. This is because a ProxyVM is +constantly adjusting its firewall, and therefore initial settings from +`rc.local` do not persist. +
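Review bot: the new section in patch 1 (security/qubes-firewall.md, hunk @@ -315) names the hook `/rw/config/qubes_firewall_user_script` with underscores, but the file the firewall update actually runs is `qubes-firewall-user-script` with hyphens, as the `/rw/config/` list in configuration/config-files.md (patch 2) shows; a reader following patch 1 as merged ends up with a script that is never executed. Patch 2 corrects the name in this same section, so squash the two so the series never introduces the wrong path.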
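Review bot: `The scripts here all run as root.` (patch 2, configuration/config-files.md, hunk @@ -13) should be followed by the ownership requirement that the http-filtering-proxy.md hunk in the same patch already spells out (`sudo chown root:root /rw/config/qubes-firewall-user-script` and `sudo chmod 755 ...`): since these files survive restarts and are executed with full privileges at every boot or firewall update, they must be root-owned and not writable by the unprivileged user, otherwise anything that can write to them persists as root in that VM. A one-line note next to `Note that scripts need to be executable (chmod +x) to be used.` would cover it.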
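Review bot: the reworded `qubes-firewall-user-script` item (patch 2, configuration/config-files.md, hunk @@ -23) says it is a `Good place to write own custom firewall rules` but not why `rc.local` is the wrong place for a ProxyVM; the reason the same patch gives in security/qubes-firewall.md (the ProxyVM re-applies its rules on every firewall update, so rules set once at boot do not persist) belongs in this list too, or at least a link to that section, because this list is where readers look up the hook.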
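Review bot: after the `qubes_firewall_user_script` to `qubes-firewall-user-script` correction (patch 2, configuration/http-filtering-proxy.md, hunk @@ -174, and four more places in security/qubes-firewall.md), grep the whole docs tree for the underscore spelling before merging; the patch fixes the occurrences in three files, and a stale copy anywhere else would send readers back to a hook that is never run.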
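Review bot: in the shell example (patch 2, security/qubes-firewall.md, hunk @@ -97) the hook is built with `echo "iptables -I FORWARD 2 ..." >> /rw/config/qubes-firewall-user-script`, which appends a bare iptables line to whatever already exists and gives the file no interpreter line, whereas the later example in the same file (hunk @@ -235) starts the script with `#!/bin/sh`. Since the patch is already touching these two lines, either write the file with a shebang and `>` or state that the line is appended to an existing script, so the two examples agree.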
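Review bot: `constantly adjusting it's firewall` (patch 2, security/qubes-firewall.md, hunk @@ -319) has an it's/its typo and is vaguer than what the same patch says in hunk @@ -86, where the hook is described as run `on every firewall update` because `Qubes orders every firewall VM to update all the rules whenever new VM is started`; reuse that wording here. Also reword `Implicit in the above example [scripts](/doc/config-files/)`, which hangs the link on the word `scripts` mid-sentence and reads as if the examples lived on the config-files page. Patch 4 fixes only the typo, so fold its changes into this hunk.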
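Review bot: after the hard wrap (patch 3, configuration/config-files.md, hunk @@ -63) the settings list mixes tight and loose items: `allow_fullscreen` and `allow_utf8_titles` are adjacent while a blank line separates every other item, so Markdown renders the whole list as loose anyway and the source is inconsistent; add the blank line before `allow_utf8_titles` or drop the others. The wrapped continuation lines also start in column 0 rather than indented under the `- `, which relies on lazy continuation; a two-space indent keeps each item intact if a wrapped line ever begins with `- ` or a number.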
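Review bot: the final `+` line in patch 4 (security/qubes-firewall.md, hunk @@ -320) adds an empty line at the end of the file, leaving a trailing blank line where the file already ended with a single newline; drop it. The other changes in the hunk (`*except*`, `its`, backticks around the script paths) are fine, and `(`sys-firewall` inclusive)` reads more naturally as `(including `sys-firewall`)`.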