Firewall blocks *everything* including whitelisted sites all of a sudden

I cannot access lastpass.com anymore

I’ve been using restrictive firewall VMs just fine for quite a while now, but the past day or two they block everything

Running qvm-firewall --reload sys-firewall-lastpass from dom0 does nothing

I can access lastpass through a VM that uses sys-firewall though

But if I create a new sys-firewall-test, give it the qubes-firewall service, and allow only www.reddit.com with https port then I have the same issue

Same issue with test firewall when using either fedora or debian templates, and both have qubes-core-agent-networking installed, as well as iproute

I’m on latest QubesOS in terms of updates

First question that comes to mind is: do you have DNS resolution in that vm? i.e., opening a terminal and typing “host www.lastpass.com” returns some (IPv4) addresses?

Well, I installed bind-utils to be able to do that, restarted both firewall and lastpass VMs, and now it works :no_mouth:

Thanks :laughing: I guess that was it?

lastpass uses load balancers, so their IP addresses are likely to change regularly.

Using the DNS resolution in the firewall is not great in this situation as the IPs are resolved upon qube starts, so if the IP behind the domain changes, the rule is obsolete.

Thanks!

Yeah, lastpass definitely has changed their IPs a few times. Running qvm-firewall --reload <vm> in theory should reload the table, and usually it has helped in the past

Still trying to track down my issue here and what caused it. I changed a couple things

Without digging into the inner works of the Qubes firewall, you can add a cron job in dom0 to run something like:

qube="YOUR_QUBE_NAME"; qvm-ls --running --raw-list | grep -q "^${qube}$" && qvm-firewall --reload ${qube} >/dev/null 2>&1

which will check if YOUR_QUBE_NAME is running, and if yes, it reloads its firewall rules.
It’s not very resource-intensive, so you can run it every 2-3 minutes… or 5. I don’t know how often the lastpass IP changes and how often you use it.

Hey all, it's blocking lastpass again

I had exact same issue yesterday with another website as well, in another VM

For lastpass I have

[sys-net]  <--  [sys-firewall-lastpass] <-- [lastpass vm]

In my lastpass VM, when I type in host lastpass.com, I get

;; communications error to 10.139.1.1#53: timed out
;; communications error to 10.139.1.1#53: timed out
;; communications error to 10.139.1.2#53: timed out
;; no servers could be reached

The result of cat /etc/resolv.conf in any of my VMs is

nameserver 10.139.1.1
nameserver 10.139.1.2

Arts, crafts and sciences uplift the world of being and are conducive to its exaltation

When I use another VM that's connected to my sys-firewall, i.e.

[sys-net] <-- [sys-firewall] <-- [qubes-forum]

When I do host lastpass.com I get

[user@qubes-forum ~]$ host lastpass.com
lastpass.com has address 184.25.196.20
lastpass.com mail is handled by 5 mxa-00771101.gslb.pphosted.com.
lastpass.com mail is handled by 5 mxb-00771101.gslb.pphosted.com.

Then in sys-firewall-lastpass when I do sudo nft list table ip qubes-firewall

I get

[user@sys-firewall-lastpass ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.137.0.14 jump qbs-10-137-0-14
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.137.0.14 drop
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.137.0.14 drop
	}

	chain qbs-10-137-0-14 {
		accept
		reject with icmp admin-prohibited
	}
}

Running qvm-firewall --reload sys-firewall-lastpass does nothing

[username@dom0 ~]$ qvm-firewall --reload sys-firewall-lastpass
NO  ACTION  HOST                          PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  content.product.lastpass.com  tcp       443      -               -          -       -
1   accept  data.product.lastpass.com     tcp       443      -               -          -       -
2   accept  lastpass.com                  tcp       443      -               -          -       -
3   accept  www.lastpass.com              tcp       443      -               -          -       -
4   accept  -                             -         -        dns             -          -       -
5   accept  -                             icmp      -        -               -          -       -
6   drop    -      

These rules must be on the qube itself, not on the firewall qube.
Doing it this way will apply the rules to the netvm of the sys-firewall-lastpass qube, which is probably not what you want to do.


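To make the point in the reply above checkable without reading the nft dump by eye, here is an added diagnostic (not code from the thread or from Qubes OS) that parses the per-qube chains of the qubes-firewall table and flags any chain whose first rule is a bare accept, which is what a qube with no rules of its own (the lastpass qube above) looks like. The sample output is constructed: the qbs-10-137-0-14 chain copies the dump above, while the qbs-10-137-0-21 chain and its addresses are assumed to illustrate what a chain with rules applied on the app qube would contain.

```python
import re

# Constructed sample in the shape of `nft list table ip qubes-firewall`
# (only the chains relevant to the check are kept; the second
# per-qube chain and its addresses are assumptions, not captured output).
SAMPLE_NFT = """table ip qubes-firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
        ip saddr 10.137.0.14 jump qbs-10-137-0-14
        ip saddr 10.137.0.21 jump qbs-10-137-0-21
    }

    chain qbs-10-137-0-14 {
        accept
        reject with icmp admin-prohibited
    }

    chain qbs-10-137-0-21 {
        ip daddr 184.25.196.20 tcp dport 443 accept
        ip protocol icmp accept
        reject with icmp admin-prohibited
    }
}
"""

# Per-qube chains are named qbs-<dashed-ip>; body runs to the closing brace.
CHAIN_RE = re.compile(r"chain (qbs-[\d-]+) \{(.*?)\n\s*\}", re.S)

def parse_qube_chains(nft_text):
    """Return {chain_name: [rule, ...]} for every per-qube chain."""
    chains = {}
    for name, body in CHAIN_RE.findall(nft_text):
        chains[name] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return chains

def diagnose(chains):
    """Classify each chain: 'unrestricted' when its first rule is a bare
    accept (no qvm-firewall rules reached this qube), otherwise 'restricted'
    with the destination addresses that are explicitly accepted."""
    report = {}
    for name, rules in chains.items():
        if rules and rules[0] == "accept":
            report[name] = ("unrestricted", [])
            continue
        dests = []
        for rule in rules:
            m = re.search(r"ip daddr (\S+)", rule)
            if m:
                dests.append(m.group(1))
        report[name] = ("restricted", dests)
    return report
```

Run it against real output with `sudo nft list table ip qubes-firewall` piped into the script inside the firewall qube; an "unrestricted" chain for the qube you meant to lock down means the rules were set on another qube.
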
Ok, I finally found the part in the doc about firewalls that says that. Though it wasn’t too clear

Thank you, things have been running more smoothly since I switched to putting the firewall rules in the app vm

But it seems I need to have a separate sys-firewall-‘app-specific-vm’ for each app vm that has its own firewall rules

Is that true? Cuz otherwise if I just have the firewalled app vm connected to sys-firewall it seems that all other app vms cannot access the internet

The rules are separated by app qube, so if you restrict certain IPs through the app qube firewall, the other qubes will still keep their original rules that allow all traffic. If you lose Internet access on other qubes, then something else is wrong.

Hi, I’m still having problems on and off. I have the following setup:

[sys-net] <=== [sys-firewall-lastpass] <=== [lastpass]

sys-firewall-lastpass is a fully volatile vm with the sys-firewall service enabled through the custom input entry

I set the firewall rules in the lastpass vm

doing qvm-firewall --reload lastpass in dom0 terminal does nothing

When I run host lastpass.com in the lastpass vm terminal, I get

(screenshot: lastpass-host-cmd)

Enabling the allow full access for 1 min option in the lastpass VM does not help. Shutting down both lastpass and sys-firewall-lastpass, enabling allow full access for like 10 min and then starting both again does not help either

I think rebooting the machine does help though

In the netvm chain, do you have a qvm-firewall rule blocking port 53?

That's sys-firewall-lastpass?

I don’t think so

I did this in dom0: SECRET_USER_NAME@dom0 ~$ qvm-firewall sys-firewall-lastpass list

and it gave

0   accept  content.product.lastpass.com  tcp       443      -               -          -       -
1   accept  data.product.lastpass.com     tcp       443      -               -          -       -
2   accept  lastpass.com                  tcp       443      -               -          -       -
3   accept  www.lastpass.com              tcp       443      -               -          -       -
4   accept  -

But in the UI for that, those rules were greyed out since the “Allow all outgoing traffic” option was selected

After doing qvm-firewall sys-firewall-lastpass reset and then booting the lastpass + netvm pair, I still had the same issue

But then after shutting down all VMs, including another app vm + sys-firewall-[that app vm] pair with firewall rules, now it works and I can get an IP address from lastpass.com

Do you think those rules could be triggering a bug that was blocking port 53? I’ll see if this continues working