Application firewall

I would like to use application-specific firewall rules in Qubes.
Since each AppVM has its purpose and each should be allowed to access only what it needs, the same goes for applications.

  • I would like to block certain domains and URLs. I prefer not to trust Firefox add-ons, and other applications that need some internet access don’t have URL-based blocking/filtering abilities.
  • I would like to allow specific (port/URL-based) “pin-hole” internet access only to applications that need it (everything else should be denied).
  • I’m guessing that asking to be able to set protocol-specific rules is irrelevant because it requires the app-firewall to correctly identify the protocol based on traffic inside a (usually) encrypted session, which brings us to SSL inspection and MITM and makes it all much more complicated and resource heavy. (…but why not dream big. So I’ll just put it here anyway.)
  • I would like to see a log (even be alerted?) about an application that deviated from where it’s supposed to go.
  • Obviously, different rules will apply to the same applications residing inside different AppVMs.

I would love to hear your thoughts on the matter.

(I was very surprised that an application firewall feature isn’t mentioned anywhere, assuming I didn’t miss anything and am posting all of this for nothing.)


I was very surprised that an application firewall feature isn’t mentioned anywhere

See my PoC here:
http://zrubi.hu/en/2017/traffic-analysis-qubes/
(and note the date :wink:)

and a recent topic here:

and just for the record: the default Qubes Firewall:

(but this is based on IP/port filtering only)

@Zrubi Thank you, however:

  • Your PoC with Suricata doesn’t provide a solution for a “VM-specific application firewall”.
  • The topic you pointed to doesn’t deal with a “VM-specific application firewall”.
  • The Qubes Firewall is indeed “VM-specific” but is most certainly NOT an “application firewall” and, as you noticed, is also limited to IP/port filtering only.
    I’m looking for something more, which will be an integral part of Qubes OS and will not require users to manually install a separate proxy VM for each and every AppVM :slightly_smiling_face:

I’m looking for something more, which will be an integral part of Qubes OS and will not require users to manually install a separate proxy VM for each and every AppVM

Well, there is no such thing ready for use, I’m afraid.

My PoC however shows you the way to transparently catch and analyze the traffic going through a proxy VM. You can replace Suricata with any other application-level firewall (but there are not too many alternatives out there).

The VM specific part is ‘only’ the rules you define for a particular VM.
So the missing piece is:

  • an interface for defining application-level rules
  • an implementation to dynamically assign those rules to the application-level firewall in use.

That’s exactly how the Qubes firewall works, btw (but with a packet filter at the ‘end’), so the working example is there :wink:

What is currently working if you follow my PoC:

  • you can filter for URL
  • you can log the traffic of your VMs

but surely you need to create rules manually and statically assign your VMs.

For the logging part, I also did PoC for central log collecting:

or if you thinking outside of your Qubes:
http://zrubi.hu/en/2017/siem-at-home/

Unfortunately I’ve no free time to implement those ideas into a fully working and user-friendly solution, but it shows you a way how it would work.

And ofc. if anybody would be willing to work on those ideas, I’m willing to help. But nobody was interested in such features during the last ~4 years, or they just keep it secret :wink:

So, waiting for your requested features… is just pointless. (but at least very optimistic)
Let’s start actually implementing it instead. :slight_smile:


I will definitely take a closer look at your SIEM@Home project. It looks cool.
You said “…nobody was interested in such features during the last ~4 years, or they just keep it secret”.
Things change all the time, and I believe awareness of information security has increased in the last years and will continue to increase. So here I am, saying it out loud, and maybe it’ll catch the eye and interest of other people :slightly_smiling_face:
Searching around, I saw many projects related to firewalls, and a few projects for application firewalls (for Linux of course; other OSes have had application firewalls since the late ’90s), so maybe there is a rising interest.
Interested people - let us hear you! :sunglasses:

This does not satisfy all your requirements but is quite practical:


Thanks, it adds filtering by URL but isn’t application-specific, and also (if I understand it correctly) requires a separate ProxyVM for each and every domain/AppVM.

requires a separate ProxyVM for each and every domain/AppVM.

No, you can use the same proxy for several VMs, the very same way as the Qubes firewall works.
(This is also true for my PoC, ofc.)

When using one ProxyVM for all AppVMs, how do I set a certain rule for Firefox in one AppVM but a different rule for Firefox in a different AppVM?
Also, how do I set one rule for Firefox and a different one for Thunderbird (both regarding HTTP access)?

You can identify your client VM by its internal IP address.
So you can prepare the rules accordingly.
Once a VM is created, its IP is kind of static; see:
qvm-ls --network

But you just can’t distinguish between applications inside a VM.
Only if they are running in different VMs.
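To make the mechanism described above concrete, here is an added example (not code from the thread, from Zrubi’s PoC, or from Qubes OS): a shared proxy VM that only sees the client’s source IP resolves that IP to a qube name using a table in the shape of `qvm-ls --network` output, applies that qube’s own port/domain allow-list, and logs every connection that deviates from it. The column layout of `qvm-ls --network`, the rule table, and the connection records are all constructed sample data; the record format is hypothetical and stands in for whatever a transparent proxy or IDS in the proxy VM would emit. Note the deliberate absence of an application field: as stated in the post above, nothing at the proxy VM can tell Firefox from Thunderbird inside the same client VM.

```python
"""Per-qube URL filtering keyed on the client VM's internal IP.

Added example, not from the thread or from Qubes OS.  Models a shared
proxy VM applying per-VM rules and logging deviations.  All data below
is constructed; the `qvm-ls --network` column layout is assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `qvm-ls --network` output (column layout assumed).
QVM_LS_NETWORK = """\
NAME       STATE    NETVM   IP           IPBACK  GATEWAY
personal   Running  sys-fw  10.137.0.14  -       10.137.0.6
work       Running  sys-fw  10.137.0.15  -       10.137.0.6
untrusted  Halted   sys-fw  10.137.0.21  -       10.137.0.6
"""

# Hypothetical per-VM rules: allowed (port, domain) pairs, default deny.
# A domain entry also matches its subdomains (but not look-alike names).
RULES = {
    "personal": {(443, "mozilla.org"), (443, "duckduckgo.com")},
    "work": {(443, "example.com"), (993, "imap.example.com")},
    # "untrusted" has no entry, so everything from it is denied.
}

# Constructed connection records in a hypothetical key=value format.
# There is no application field: the proxy VM cannot see which
# program inside the client VM opened the connection.
CONNECTION_LOG = """\
ts=2023-05-01T10:00:01 src=10.137.0.14 dport=443 host=addons.mozilla.org
ts=2023-05-01T10:00:02 src=10.137.0.14 dport=443 host=evilmozilla.org
ts=2023-05-01T10:00:03 src=10.137.0.15 dport=993 host=imap.example.com
ts=2023-05-01T10:00:04 src=10.137.0.15 dport=443 host=mozilla.org
ts=2023-05-01T10:00:05 src=10.137.0.21 dport=443 host=example.com
ts=2023-05-01T10:00:06 src=10.137.0.99 dport=80 host=example.com
"""

_RECORD = re.compile(r"ts=(\S+) src=(\S+) dport=(\d+) host=(\S+)")


def vm_by_ip(qvm_ls_output):
    """Map internal IP -> qube name from `qvm-ls --network` style text."""
    lines = qvm_ls_output.splitlines()
    header = lines[0].split()
    name_col, ip_col = header.index("NAME"), header.index("IP")
    table = {}
    for line in lines[1:]:
        cols = line.split()
        if len(cols) > max(name_col, ip_col):
            table[cols[ip_col]] = cols[name_col]
    return table


def host_allowed(host, allowed_domain):
    """Exact match or a subdomain; 'evilmozilla.org' must not match."""
    return host == allowed_domain or host.endswith("." + allowed_domain)


@dataclass
class Decision:
    ts: str
    vm: str
    src: str
    dport: int
    host: str
    allowed: bool


def evaluate(log_text, rules, ip_table):
    """Apply the owning VM's rules to every record; unknown IPs get none."""
    decisions = []
    for line in log_text.splitlines():
        m = _RECORD.fullmatch(line.strip())
        if not m:
            continue  # malformed record: skip rather than guess
        ts, src, dport, host = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        vm = ip_table.get(src, "unknown")
        allowed = any(port == dport and host_allowed(host, domain)
                      for port, domain in rules.get(vm, ()))
        decisions.append(Decision(ts, vm, src, dport, host, allowed))
    return decisions


def deviations(decisions):
    """The log the original poster asked for: connections outside the rules."""
    return [d for d in decisions if not d.allowed]


if __name__ == "__main__":
    table = vm_by_ip(QVM_LS_NETWORK)
    for d in deviations(evaluate(CONNECTION_LOG, RULES, table)):
        print(f"{d.ts} DENY vm={d.vm} src={d.src} {d.host}:{d.dport}")
```

Run as a script it prints the four deviating connections: the look-alike `evilmozilla.org` from `personal`, `mozilla.org` from `work`, anything from `untrusted`, and a source IP that is not in the VM table at all. Keying on the IP table from dom0 is what makes the same proxy VM serve several AppVMs with different rules; turning it into a real enforcement point still needs the traffic redirected through the proxy and the rules fed to whatever filter runs there.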


There should be an open source logging solution for qubes! An IDS (intrusion detection system) by default. That would make Qubes even better! Why would people not want to have an overview of the traffic in the same way as CPU or memory? They do want that.


Yes, that would be nice. However, current app firewalls (if we are not speaking about reverse proxies aka WAF) are designed to protect Windows workstations, mostly. We do not even know what is “bad” for a Linux client. Also, there are no opensource implementations worth speaking of.

If we ever care about Windows guests, that would be nice, though.

I just did a quick search, didn’t even check quality or features, but I did get a few different, seemingly relevant, Linux application firewalls (see links below).


Both are very outdated.

There was a thread on application firewalls in the Forum predating this one:

I was asked to evaluate application firewalls in Qubes.
If you want to try OpenSnitch, there are signed packages available from the repositories at Index of /4.0 for Debian qubes, and Index of /fedora.
Install the OpenSnitch packages in a Template, and you can try out a host-based application firewall. It will trigger on outgoing connections, identify the application, and prompt for action.
You can also have the alerts aggregated on an upstream NetVM, and have that as the GUI. It’s a simple configuration: the documentation is good, but I could help out if you are having problems.

It isn’t perfect (sometimes the GUI will trigger after the first packet), but it’s the best ready-made solution I found.
Another huge caveat is that (as with all host-based solutions), you have to remove passwordless root from the qube, otherwise an attacker could easily kill the service.

Worth trying it out.

I know. Looks like it died, was picked up by a single person, and as far as I can tell nothing has changed for more than a year. All in all, the project doesn’t look very much alive.

You are looking in the wrong place -

Indeed I was. My humble thanks for pointing to the right one.
So how would something like this work in our beloved Qubes environment (multiple AppVMs reporting to a single GUI installed in a separate AppVM or maybe NetVM)?
I’m currently on 4.1, where the NetVM is set to be disposable, so I’m guessing a static IP is somehow required?