Firewall configuration

Hello,

I am attempting to set up the following configuration:

sys-net → sys-firewall → vpn → vpn-firewall → appvm

I am working on configuring the firewall rules for the vpn-firewall using qvm-firewall. However, I am having issues. I have tried to allow the VPN IP, port, DNS, and ICMP, as well as create separate rules to accept the local IP of the vpn qube, port, DNS, and ICMP. While I can successfully ping google.com and 1.1.1.1, I am unable to open Google in Firefox.

Can someone give me a hint on how to set this up correctly? I want to allow only VPN traffic from the VPN through the VPN firewall to the appVM.

Thank you!

See relevant section. Might help until someone more knowledgeable jumps in.

I recommend reading this thread.
Even if your VPN is not using wireguard, the qvm-firewall hardening method described by @solene is valid.


Hi guys,

Thank you for your help. The provided guides only work for the VPN Qube. I am trying to set up the VPN firewall so that it only accepts VPN traffic and drops any other traffic. So far no luck, I have used the solene firewall rule but it didn’t work.

qvm-firewall vpn-firewall add accept dsthost=(endpoint)
qvm-firewall vpn-firewall del --rule-no 0

It didn’t work in which way, is it blocking too much or not enough?

Can you share the output of qvm-firewall qube-name?

It’s blocking too “much”. For example I just want to access the internet and it doesn’t work, the page doesn’t load. Pinging does work.

Output of vpn-firewall

NO  ACTION  HOST                            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_vpn_ip_wireguard>/32  -         -        -               -          -       -

Just to clarify, this is a net → firewall → vpn → vpn-firewall → appvm setup. Configuring on vpn-firewall.

You have a DNS issue in the VPN qube.

Hmm, I tried different dns options and still the same issue
I’ve updated my firewall rules and still no change.
I can ping 1.1.1.1 and google.com but I can’t enter google.com via firefox…

qvm-firewall vpn-firewall
NO  ACTION  HOST                            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_vpn_ip_wireguard>/32  -         -        -               -          -       -
1   accept  -                               icmp      -        -               -          -       -
2   accept  -                               -         -        dns             -          -       -
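To see what the ruleset above actually lets through, here is an added example (not from this thread or from Qubes' own code) that parses a `qvm-firewall` table and traces a packet through it the way Qubes evaluates rules: top to bottom, first match wins, and anything that matches no rule is dropped once the default catch-all accept rule 0 has been deleted. The endpoint address and the web server address are constructed documentation-range placeholders, and treating the `dns` special target as port 53 to the netvm's virtual resolvers 10.139.1.1/10.139.1.2 is an assumption of this example.

```python
"""Trace packets through a qvm-firewall ruleset (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed table in the layout `qvm-firewall <qube>` prints. 203.0.113.10
# stands in for the VPN endpoint (documentation range, not a real server).
RULES_TEXT = """\
NO  ACTION  HOST             PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  203.0.113.10/32  -         -        -               -          -       -
1   accept  -                icmp      -        -               -          -       -
2   accept  -                -         -        dns             -          -       -
"""

# Assumption: the "dns" special target means port 53 to the virtual DNS
# addresses a Qubes netvm exposes to the qubes behind it.
QUBES_DNS = {"10.139.1.1", "10.139.1.2"}


@dataclass
class Rule:
    no: int
    action: str
    host: Optional[ipaddress.IPv4Network]   # None = any destination
    proto: Optional[str]                    # None = any protocol
    ports: Optional[Tuple[int, int]]        # None = any port
    special: Optional[str]                  # e.g. "dns", or None


def parse_rules(text: str) -> List[Rule]:
    """Parse the table output; COMMENT is the last column and may contain spaces."""
    rules = []
    for line in text.splitlines()[1:]:              # skip the header row
        no, action, host, proto, ports, special, _icmp, _expire, _comment = line.split(None, 8)
        port_range = None
        if ports != "-":                            # "443" or "8000-8080"
            lo, _, hi = ports.partition("-")
            port_range = (int(lo), int(hi or lo))
        rules.append(Rule(int(no), action,
                          None if host == "-" else ipaddress.ip_network(host),
                          None if proto == "-" else proto,
                          port_range,
                          None if special == "-" else special))
    return rules


def evaluate(rules: List[Rule], dst: str, proto: str, port: Optional[int] = None):
    """Return (action, rule number) of the first matching rule, or ('drop', None)."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.host is not None and addr not in r.host:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and (port is None or not r.ports[0] <= port <= r.ports[1]):
            continue
        if r.special == "dns" and not (dst in QUBES_DNS and port == 53 and proto in ("tcp", "udp")):
            continue
        return r.action, r.no
    return "drop", None                             # no rule matched: Qubes drops it
```

With these three rules, ICMP and DNS lookups are accepted by rules 1 and 2, while an HTTPS connection to any address other than the endpoint matches nothing and is dropped, which is the "ping works, pages don't load" pattern from the thread.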

The extra rules are not useful, the VPN prevents traffic to go there.

Can you try to type this in the VPN qube, if using DNS 9.9.9.9 is fine for you for a test:

DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"

if it works, it means your VPN qube is not able to provide DNS to other qubes using it as a netvm. We could sort this out once we know it’s the issue.

It has always been a mess, I need to find a proper solution I guess.


Hi,

Thanks for your help,

Those firewall rules for the DNS were already added, I switched from mullvad dns to 9.9.9.9 and still it didn’t work.

If I reset the rules on the vpn-firewall with qvm-firewall, everything works, so it's only when I add rules with qvm-firewall to the vpn-firewall.

Sorry, I misread. If you can ping google.com it means DNS is working.

Do you try to connect to websites from the vpn qube, or a qube using the vpn as its netvm?

I try to connect to the websites via an appvm, using the vpn-firewall as its netvm
VPN ↔ VPN-Firewall ↔ AppVM (firefox: google.com)

Does it work from the VPN firewall?

Yes, I am on the mirageos firewall though, but I assume DNS works because it can pass through everything without any firewall rules.

Can you try to run this in the vpn firewall and try to use the appvm?

DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"

My edit didn't go through on the previous post; anyway, I forgot to mention that I run the firewall on mirageos. I can't add that to the mirage firewall.

The firewall rules must be applied on the VPN qube, not the VPN firewall.

These rules are currently applied to VPN qube, no change still the same issue.

DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"

I can’t run the rules you sent on the MirageOS vpn firewall, so it might be a mirageos firewall issue?

Sorry, I meant the qvm-firewall rules.

Running the following firewall rules on the VPN qube and VPN-firewall qube

qvm-firewall vpn
NO  ACTION  HOST                        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_wireguard_ip>/32  -         -        -               -          -       -

Still having the same issue.