I asked this question at the whonix forums and got no conclusive answer, so I thought I might ask here as well. The idea was to create a bridge firewall with qubes built-in tools only (qvm-firewall) without installing additional external packages (corridor). I proposed a setup that works fine and wanted some feedback regarding leaks.
I’ve included a link to the setup and original discussion below. Is there anything else that needs to be done (e.g., turning on the disable-dns-server service)?
If helpful, it could be included in the community guides. Thanks!
The above rule will not work by default without doing some configuration. Qubes firewall rules do not affect Whonix gateway or workstation (Whonix, by default, disables the qubes firewall). You need to create a separate firewall VM and place the firewall rules there. I proposed the solution below (tested and working):
qvm-firewall sys-firewall-whonix del --rule-no 0
qvm-firewall sys-firewall-whonix add drop
qvm-firewall sys-firewall-whonix add --before 0 drop proto=icmp
qvm-firewall sys-firewall-whonix add --before 0 drop specialtarget=dns
qvm-firewall sys-firewall-whonix add --before 0 accept IP-BRIDGE-1
qvm-firewall sys-firewall-whonix add --before 0 accept IP-BRIDGE-2
IMO these rules are ok. They can be updated as you say with the port and protocol for the bridges. But I would like to know if turning on the disable-dns-server service or blank /etc/resolv.conf would be needed as well (qvm-service sys-whonix-firewall disable-dns-server on).
The rules Qubes OS applied to sys-whonix will work since the Qubes OS firewall rules are applied in the net qube of the qube for which you’re applying the firewall rules.
E.g. in this configuration:
app_qube → sys-whonix → sys-firewall → sys-net
The Qubes OS firewall rules that you set up for sys-whonix will be effective since they will be applied in sys-firewall.
But the rules applied for app_qube won’t be effective since sys-whonix doesn’t support Qubes OS firewall rules.
These rules are redundant if you specify the port and protocol for bridges accept rules.
The drop rule in the Qubes OS firewall will block DNS requests from the qube as well so there is no need to specifically disable the DNS server in the qube.
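An added example, not part of the thread: a small dom0 shell helper that builds the rule set proposed above for a dedicated firewall qube in front of sys-whonix, with each bridge given as IP:PORT/PROTO so the accept rules carry the port and protocol the replies mention. It validates each entry before touching the firewall (an unfilled placeholder such as IP-BRIDGE-1 is rejected), prints the qvm-firewall commands in `dry` mode for review, and runs them in `apply` mode. The qube name sys-firewall-whonix and the bridge addresses are assumptions; it assumes the qube still has the single default accept rule at index 0 (check with `qvm-firewall VM list` first), and it keeps the explicit DNS and ICMP drops even though they are redundant once ports and protocols are specified.

```shell
# Constructed example: ordered qvm-firewall rules for a firewall qube in front of sys-whonix.
# Usage: whonix_bridge_rules VM dry|apply IP:PORT/PROTO [IP:PORT/PROTO ...]
#   dry   -> print the qvm-firewall commands instead of running them
#   apply -> run them (dom0 only; needs the qvm-firewall tool)

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate one bridge spec (IP:PORT/PROTO) and print the arguments of its accept rule.
bridge_rule_args() {
    spec=$1
    host=${spec%%:*}
    rest=${spec#*:}
    port=${rest%%/*}
    proto=${rest#*/}
    if [ "$spec" = "$host" ] || [ "$rest" = "$port" ]; then
        echo "bad bridge spec: $spec (want IP:PORT/PROTO)" >&2; return 1
    fi
    is_ipv4 "$host" || { echo "bad bridge address: $host (fill in a real IPv4 address)" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port in $spec" >&2; return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "port out of range in $spec" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol in $spec (tcp or udp)" >&2; return 1 ;;
    esac
    printf 'accept %s proto=%s dstports=%s\n' "$host" "$proto" "$port"
}

# Print the command in dry mode, execute it in apply mode.
run_cmd() {
    mode=$1; shift
    if [ "$mode" = dry ]; then printf '%s\n' "$*"; else "$@"; fi
}

whonix_bridge_rules() {
    vm=$1; mode=$2; shift 2
    [ $# -ge 1 ] || { echo "no bridges given" >&2; return 1; }
    case "$mode" in dry|apply) ;; *) echo "mode must be dry or apply" >&2; return 1 ;; esac

    # Validate everything first so a typo does not leave a half-applied rule set.
    rules=""
    for spec in "$@"; do
        args=$(bridge_rule_args "$spec") || return 1
        rules="$rules$args
"
    done
    # Rules are appended in evaluation order: bridge accepts, then drop DNS,
    # drop ICMP, and finally drop everything else.
    rules="${rules}drop specialtarget=dns
drop proto=icmp
drop
"
    # Rule 0 is the default accept-all rule; remove it so nothing bypasses the list.
    run_cmd "$mode" qvm-firewall "$vm" del --rule-no 0
    printf '%s' "$rules" | while IFS= read -r line; do
        # shellcheck disable=SC2086  # intentional word splitting into rule arguments
        run_cmd "$mode" qvm-firewall "$vm" add $line
    done
}
```

Run it once in `dry` mode, compare the printed commands against the rule list in the reply above, and only then run the same invocation with `apply`; afterwards `qvm-firewall sys-firewall-whonix list` should show the bridge accepts first and the bare `drop` last.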