Firewall by script: How to configure * and [N]?

User Support General
1

Currently I am whitelistening some Google services using a script like this, which works fine:

# Google
allow_google(){
qvm-firewall $fw_qube add accept proto=tcp dstports=443 dsthost=“accounts.google.com
qvm-firewall $fw_qube add accept proto=tcp dstports=443 dsthost=“calendar.google.com

}
allow_google

Now Google urges me to whitelist entries like “*.clients[N].google.com:443/HTTPS”, where [N] means any single decimal digit and * means any string not containing a period.

Is there some way to implement such a rule to my script?

2

Not with qvm-firewall.

You could try with iptables and pattern matching (aka regular expression aka regex).
Also note, from https://www.qubes-os.org/doc/firewall/#network-service-qubes:

In particular, if you want to ensure proper functioning of the Qubes firewall, you should not tinker with iptables or nftables rules in such qubes (a qube that is used to run the Qubes firewall service (usually sys-firewall))

Some starting point.
https://www.startpage.com/do/search?q=iptables+regex
https://www.startpage.com/do/search?q=iptables+pattern+match
spoiler: the algo seems to not be regex.
https://askubuntu.com/questions/1001847/how-to-use-regular-expression-with-iptables

3

Thank you for the answer, this does help a little bit. Seems like qvm-firewall has its limits.