The default firewall settings are that INPUT accepts only established connections:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Question 1. I think that the settings are already secure. Could you provide a counter-argument: when would this firewall rule fail to prevent malicious traffic from entering?
Question 2. If I wanted to limit INPUT ports, I would first comment out the mentioned rule. Could you provide an example rule pair to allow INPUT and OUTPUT for a certain port? Consider HTTP port 80 as an example.
Hi
This isn't Qubes specific in any way. Still, it's a holiday. (Happy Christmas, by the way.)
There was an open issue many years ago about the use of "RELATED" here.
ESTABLISHED connections are part of a connection stream.
RELATED are where a packet is associated with, but not part of, an existing connection, like in an FTP transaction.
To keep track of these connections, the network streams have to be parsed within the kernel. These are complex modules (which I think are blacklisted in Qubes).
So there is a risk in using this sort of rule: there are network attacks which attempt to overload connection tracking, or subvert the tracking modules.
Don’t comment out that rule.
Insert a rule ahead of it in the processing stream. For iptables:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
That specifies the protocol (tcp) and the destination port (80), to allow traffic inbound.
No need for anything in OUTPUT; by default it's wide open. (I don't like this and change this behaviour.)
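To make the ordering argument in the reply above concrete, here is an added example that is not part of the original thread: a small Python model of first-match evaluation in the iptables INPUT chain. It compares three chains (the default conntrack-only chain, the chain after `iptables -I INPUT -p tcp --dport 80 -j ACCEPT`, and the chain with the conntrack rule commented out) against three constructed packets. It assumes an INPUT policy of DROP (the post does not state the policy), models only the NEW and ESTABLISHED states (RELATED is left out), and uses RFC 5737 documentation addresses; none of these values come from the page.

```python
# Added example, not from the original post: a first-match model of the
# iptables INPUT chain, showing why the port-80 rule is inserted alongside the
# RELATED,ESTABLISHED rule instead of replacing it.  Only NEW/ESTABLISHED are
# modelled (RELATED is not), and the chain policy is assumed to be DROP.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def flow_key(p):
    """Connection identity as conntrack records it, in the packet's direction."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    """The same connection seen from the other side (reply direction)."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def ctstate(p, table):
    """NEW if conntrack knows nothing about this flow in either direction."""
    if flow_key(p) in table or reverse_key(p) in table:
        return "ESTABLISHED"
    return "NEW"


# A rule is (text as `iptables -S INPUT` would print it, match function, target).
CONNTRACK_RULE = (
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    lambda p, state: state in ("RELATED", "ESTABLISHED"),
    "ACCEPT",
)
HTTP_RULE = (
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    lambda p, state: p.proto == "tcp" and p.dport == 80,
    "ACCEPT",
)


def evaluate(chain, policy, p, table):
    """First matching rule wins; no match falls through to the chain policy.
    Accepting a NEW packet creates the conntrack entry, as the kernel does."""
    state = ctstate(p, table)
    verdict = policy
    for _text, match, target in chain:
        if match(p, state):
            verdict = target
            break
    if verdict == "ACCEPT" and state == "NEW":
        table.add(flow_key(p))
    return verdict


# Constructed addresses from the RFC 5737 documentation ranges.
VM = "192.0.2.10"        # the firewalled host
WEB = "198.51.100.7"     # a server the host itself connected to on 443
CLIENT = "203.0.113.9"   # an outside host probing the firewalled host

PACKETS = {
    # reply half of an HTTPS connection the host opened: should be ESTABLISHED
    "https_reply": Packet("tcp", WEB, VM, 443, 51000),
    "syn_to_80": Packet("tcp", CLIENT, VM, 40000, 80),   # NEW, wanted
    "syn_to_22": Packet("tcp", CLIENT, VM, 40001, 22),   # NEW, unwanted
}

CHAINS = {
    "default": [CONNTRACK_RULE],
    "inserted_80": [HTTP_RULE, CONNTRACK_RULE],   # after `iptables -I INPUT ...`
    "commented_out": [HTTP_RULE],                 # conntrack rule removed
}


def run_scenarios(policy="DROP"):
    """Verdict of every packet under every chain, each with a fresh conntrack
    table pre-seeded with the host's own outbound HTTPS flow."""
    results = {}
    for name, chain in CHAINS.items():
        table = {("tcp", VM, 51000, WEB, 443)}
        results[name] = {label: evaluate(chain, policy, pkt, table)
                         for label, pkt in PACKETS.items()}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:14s}", "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the point of the reply: with the conntrack rule commented out, the return half of a connection the host itself opened (here the HTTPS reply) falls through to the DROP policy, while the inserted rule admits only new TCP connections to port 80 and leaves every other port dropped. For a NEW packet the verdict is the same whether the port-80 rule sits before or after the conntrack rule, since that rule never matches NEW; what `-I` buys is position 1 in the chain, so no rule further down can shadow it. On a real system, confirm the resulting order with `iptables -S INPUT` or `iptables -L INPUT -n --line-numbers`.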
This topic can go on forever! All my non-Qubes HVMs have firewalld with rudimentary traffic analysis. I think Whonix has some contraption too, and Patrick is involved with a proprietary project, firewallVM. I'm sure you can find this if you search hard and smart enough.