Application firewall

deeplow · April 7, 2021, 8:57am

This does not satisfy all your requirements but is quite practical:

redmind · April 7, 2021, 9:11am

Thanks, it adds filtering with URL but isn’t application-specific, and also (if i understand it correctly) require a separate proxyVM for each and every Domain/AppVM.

Zrubi · April 7, 2021, 9:48am

require a separate proxyVM for each and every Domain/AppVM.

No, you can use the same proxy for several VMs - the very same way as the qubes firewall works.
(this is alos true for my PoC ofc)

redmind · April 7, 2021, 11:44am

When using one ProxyVM to all AppVMs, how do I set a certain rule for Firefox in one AppVM but different rule for Firefox in a different AppVM ?
Also, how do I set one rule for Firefox and a different one for Thunderbird (both regarding HTTP access)?

Zrubi · April 7, 2021, 12:36pm

You can identify your client VM by it’s internal IP address.
So you can prepare the rules accordingly.
Once a VM created it’s IP kind of static, see by:
qvm-ls --network

But, you just can’t make a difference by Appalications inside a VM.
Only if they are running in a different VM.

deeplow · April 25, 2021, 7:23pm

2 posts were split to a new topic: Setting up a ProxyVM (e.g. sys-vpn) to all other AppVMs

anon42456682 · December 29, 2021, 8:47am

There should be an open source logging solution for qubes! An IDS (intrusion detection system) by default. That would make Qubes even better! Why would people not want to have an overview of the traffic in the same way as CPU or memory? They do want that.

arkenoi · December 29, 2021, 9:00am

Yes, that would be nice. However, current app firewalls (if we are not speaking about reverse proxies aka WAF) are designed to protect Windows workstations, mostly. We do not even know what is “bad” for a Linux client. Also, there are no opensource implementations worth speaking of.

If we ever care about Windows guests, that would be nice, though.

redmind · December 29, 2021, 10:01am

I just did a quick search, didn’t even check quality or features, but I did get few different, seemingly relevant, Linux Application Firewall (see links blow)

http://linux-firewall.org/
https://linux-application-firewall.org/
OpenSnitch - an Application Firewall for Linux [Review] - It's FOSS
So it looks like there are in fact options for linux, and I very much agree about the need/desire of Qubes-OS users to be able to limit and also be aware of any application that goes on the network.
Obviously, I would very much like to see something like that in Qubes (evident by the fact that I’m the one who opened this thread )

ppc · December 29, 2021, 10:04am

both are very outdated

unman · December 29, 2021, 12:41pm

There was a thread on application firewalls in the Forum predating this
one:

I was asked to evaluate application firewalls in Qubes.
If you want to try opensnitch, there are signed packages available from
the repositories at Index of /4.0 for Debian qubes, and
Index of /fedora.
Install the opensnitch packages in a Template, and you can try out a host
based application firewall. It will trigger on outgoing connections,
identify the application, and prompt for action.
You can also have the alerts aggregated on an upstream netvm, and have
that as the GUI. It’s a simple configuration: the documentation is good,
but I could help out if you are having problems.

It isn’t perfect - sometimes the GUI will trigger after the first
packet - but it’s the best ready made solution I found.
Another huge caveat is that (as with all host based solutions), you have
to remove passwordless root from the qube, otherwise an attacker could
easily kill the service.

Worth trying it out.

redmind · December 29, 2021, 1:12pm

I know. looks like it died, was picked up by a single person, and as far as I can tell nothing has changed for more than a year. All in all, the project doesn’t look very much alive.

unman · December 29, 2021, 1:33pm

You are looking in the wrong place -

redmind · December 29, 2021, 1:58pm

Indeed I was. My humble thanks for pointing to the right one.
So how would something like this work in our beloved Qubes-environment (multiple AppVMs reporting to a single GUI installed in a separate AppVM or maybe NetVM)?
I’m currently on 4.1 were Net-VM set to be disposable, so I’m guessing a static IP is somehow required?

necker · December 29, 2021, 2:20pm

Not sure if you’re asking but if you create a named disposable (using a disposable VM template), the IP address of the VM is stable. My VPN proxyVM is fully volatile and contains a firewall script that references the static IP.

anon42456682 · December 30, 2021, 12:58pm

Opensnitch would be good…Would that one be installed in sys-firewall?

ppc · December 30, 2021, 1:03pm

it need to installed on every qubes (every template, hvm and standalone for more accurate)

anon42456682 · December 30, 2021, 1:04pm

Ok, thanks.

Zrubi · January 3, 2022, 7:48am

And that is the reason they not really exists in practice.
Because you must believe that a ‘blessed code’ will going to detect the ‘evil’s code’, while booth running on the same permission levels

ppc · January 3, 2022, 9:16am

not totally imo, it exist, but not very effective

and if the firewall missed a “evil’s code”, it could disable the firewall itself, then calling even more “evil’s code”