How do you configure inbound rules?

Hello, I want to configure the firewall to block inbound connections, but the GUI shows nothing related to this. I need to set up sys-net to accept traffic only from a specific IP address–e.g., from a router. I’m using Mirage firewall between sys-net and proxyVM, and rebuilding the entire MirageOS just to add nftables rules is impractical.

Hi webgear,

By default, qubes that provide a network to other qubes do not allow inbound connections to their clients[1], and outbound connections are NAT-ed by their network qube[2]. In order for a qube to have a port exposed to the network, each qube in the networking chain must be configured via nftables rules to forward packets from its external interface to the next qube in the chain. For example, for a qube named QubeDest to receive packets on a port under the default Qubes networking setup, you must[1:1]:

  • In the sys-net VM:
    • Route packets from the outside world to the sys-firewall VM
    • Allow packets through the sys-net VM firewall
  • In the sys-firewall VM:
    • Route packets from the sys-net VM to the VM
    • Allow packets through the sys-firewall VM firewall
  • In the qube QubeDest:
    • Allow packets through the qube firewall to reach the service

I am unsure how this behavior would be implemented inside a Mirage sys-firewall. It seems that in order to implement such custom firewall rules in Mirage for Qubes, modification of its kernel code would be required[3].

I hope this helps :slight_smile:


  1. see Firewall#Port forwarding to a qube from the outside world

  2. see Networking

  3. see Mirage-firewall on Qubes


Dear @webgear, I’m sorry to hear that rebuilding the unikernel is impractical.

As @Arabesquery said, the current state of packet forwarding on qubes-mirage-firewall side is not a drop-in replacement for nftables and requires adding a dedicated code path (example shown in the branch linked by @Arabesquery).

This code path adds a slight overhead to packet processing, as it requires parsing the Ethernet header (for all packets) to check specific IP addresses. For the time being, I’m not particularly keen on the idea of adding this (even with an empty list by default) due to the overhead, and because more code means more maintenance and more potential bugs, but there is space open for discussion if users need it.


Personally, lack of easily configurable input/forwarding is the only thing keeping me from trying Mirage out.


Qubes firewalling by default blocks NEW inbound connections, and allows all outbound connections. This may be sufficient for you.

What is not clear is what you mean by “set up sys-net to accept traffic only from a specific IP address”. Do you actually want sys-net to be accessible from that IP, or do you want all traffic to be routed via that IP?

In either case, you do this using nftables in sys-net. The mirage firewall capabilities are not relevant.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

This probably isn’t the right place to discuss this, so please feel free to send me a DM or create a GitHub issue to let me know what kind of interface you’d like to see for easily configuring input/forwarding. In my opinion, to keep the complexity and size of the unikernel under control, this would probably be limited to kernel parameters. So please feel free to give examples of how you’d like to use the unikernel :slight_smile: (But I can’t promise that all wishes will be granted).

I want my sys-net or Mirage firewall to block/stop traffic unless it knows the internet traffic is coming from a specific external IP address.

I’m still uncertain.

  1. Do you want to allow INBOUND NEW connections but only from a specific IP address?
  2. Or do you want to allow only ESTABLISHED traffic that comes via a specific upstream device?
  3. Or something else?

By default Qubes has deny rules for NEW INBOUND connections - so if it’s option 1 you have to add specific rules to allow NEW connections from that IP address (and also route them through to the qube that is intended to accept them.)

Otherwise, can you explain whether it is 2 or 3 and provide specific details?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

I want to allow new inbound connections only from a specific IP address.
Allowing established traffic from an upstream device is fine, but it must be limited to only the traffic that comes from that IP address, not all traffic that passes through the device.

Example

Router with Internet → IP Address 1.1.1.1 → Ethernet cable or Wifi → Qubes firewall (allow) → connections are permitted
Router with Internet → IP Address 2.1.1.1 → Ethernet cable or Wifi → Qubes firewall (block) → connection is denied.

Disclaimer: I don’t know about Mirage. This is for nftables.

#!/usr/sbin/nft -f

table ip qubes {
	chain custom-input {
		ip saddr 1.1.1.1 accept
		# not needed explicitly due to 'policy drop' in chain input:
		ip saddr 2.1.1.1 drop
	}
}

Put this in an executable /rw/config/qubes-firewall.d/my-custom-firewall.

I tried to use this scheme but without success.
Are you sure this is supposed to work with my Internet IP address?

Are you sure this is supposed to work with my Internet IP address ?

You asked about 1.1.1.1 and 2.1.1.1.

Assuming “my Internet IP address” means the IP address your ISP gives you when you connect to the Internet, that has nothing to do with incoming connections (inbound rules).

You can test your rules with logging and running sudo journalctl -f in another window. Then you will be able to see exactly what happens.

Another friend of yours can be tcpdump.
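Putting Arabesquery’s three-hop list and the logging tip above together as one added example (this is not code from the thread, the Qubes documentation or qubes-mirage-firewall, and it assumes the default Linux sys-firewall rather than Mirage): NEW connections to a forwarded port are accepted only when they arrive from the router address the thread uses (1.1.1.1), and every other outside attempt is logged before it is dropped. The interface names, the internal 10.137.x.y addresses and port 443 are assumed placeholders, and `custom-input`/`custom-forward` are assumed to be the user chains Qubes 4.2 provides in `table ip qubes`.

```nft
#!/usr/sbin/nft -f
# Three separate files, one per hop, each placed (with this shebang) as an
# executable file in /rw/config/qubes-firewall.d/ of the qube in its banner.
# Assumed placeholder values (replace with your own):
#   ens6         external NIC of sys-net      1.1.1.1      the router
#   10.137.0.5   sys-firewall as seen from sys-net
#   10.137.0.20  QubeDest as seen from sys-firewall     443  the service
# custom-input and custom-forward are assumed to be the user chains that
# Qubes 4.2 provides in table ip qubes; the dnat chains are created here.

# ---- sys-net: route to sys-firewall, allow only the router ------------
table ip qubes {
	chain custom-dnat-qubedest {
		type nat; hook prerouting; priority filter + 1; policy accept;
		iifname "ens6" ip saddr 1.1.1.1 tcp dport 443 ct state new counter dnat to 10.137.0.5
	}
	chain custom-forward {
		# only the router may open connections towards the forwarded port
		iifname "ens6" ip saddr 1.1.1.1 ip daddr 10.137.0.5 tcp dport 443 ct state new,established,related counter accept
		# any other outside attempt is logged (watch with sudo journalctl -f) before it is dropped
		iifname "ens6" ip daddr 10.137.0.5 tcp dport 443 counter log prefix "fwd-drop: " drop
	}
	chain custom-input {
		# sys-net itself: same source restriction (add a dport match to narrow further)
		iifname "ens6" ip saddr 1.1.1.1 ct state new counter accept
		iifname "ens6" ct state new counter log prefix "input-drop: " drop
	}
}

# ---- sys-firewall: route on to QubeDest, still only from the router ---
table ip qubes {
	chain custom-dnat-qubedest {
		type nat; hook prerouting; priority filter + 1; policy accept;
		iifname "eth0" ip saddr 1.1.1.1 tcp dport 443 ct state new counter dnat to 10.137.0.20
	}
	chain custom-forward {
		iifname "eth0" ip saddr 1.1.1.1 ip daddr 10.137.0.20 tcp dport 443 ct state new,established,related counter accept
	}
}

# ---- QubeDest: let the service receive the forwarded connections ------
table ip qubes {
	chain custom-input {
		ip saddr 1.1.1.1 tcp dport 443 ct state new counter accept
	}
}
```

The source address survives both DNAT steps, so the `ip saddr 1.1.1.1` match is repeated at every hop rather than trusted from the hop before; check each file with `sudo nft -c -f <file>` before making it executable.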

This is correct.

What do you advise me for this specific case ?

What do you advise me for this specific case ?

It is not a specific case. Every host on the Internet has an IP address.

Use default Qubes firewall.