Intercept traffic using net or firewall qube?

Because we have a firewall qube, I would think a simple task would be to have the firewall log URLs that go through it. For instance, I’m interested in any .rss files that go by so I can add them to a feed aggregator if I want. This would also be useful if a site downloads something slightly impolitely and I didn’t really want the download, but rather the URL pointing to the original file.
Is there a way to log URLs that go through the firewall qube? How about sysNet?

Have you looked at this:

I’ve created intermediary sys-mitm (mitmproxy) & sys-snitch (opensnitch) qubes to address situations such as this. sys-zeek could do this but the overhead for this case is overkill IMO.

Theoretically one could just install these to sys-net or sys-firewall, but I wouldn’t recommend it due to the potential impact on integrity.

YMMV :hugs:


Thank you, @Bishop and @cayce , I might end up installing one of those 3 tools.
However, I’d be quite surprised if there isn’t a way to do this “out-of-the-box” (without installing additional tools).

Keep in mind I don’t need to decrypt any info as all I need is URLs (I suppose it could even be IP address-based URLs if TLD ones aren’t available).

I’d like to avoid the RAM overhead of yet another (disposable?) qube if this can be done right inside of my existing net or fire qube, but without the negative impact @cayce mentioned of installing something new there.

If overhead is your concern (I run most service qubes w/512M RAM or less) and not global workflow, one quick & dirty way to do this would be to install tshark (the CLI for Wireshark) within your AppVM.

To automate, it would pair well with a systemd service.

How you utilize the data extracted would be up to you to automate.

IMO zeek is the best tool for this type of work, but not as user-friendly for the uninitiated.

dnf can’t find package tshark:

No match for argument: tshark
Error: Unable to find a match: tshark

You can use nft to log traffic:
nft insert rule qubes-firewall forward oifname eth0 ct state new tcp dport { 80, 443 } log
This will log any NEW traffic to tcp ports 80 or 443, showing you the IP.
But this isn’t what you want.

You could do this with tcpdump - not “out of the box” but a small package, easily installable and usable in sys-firewall. That will capture the packets but you will need something else (wireshark?) to read them - in that sense you do want to decrypt the traffic.
Or you could install tshark - lightweight, CLI, and capable of capturing and analysing data.

You can’t have what you want

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

OK, I guess fedora is “cool like dat”. tshark is often bundled with wireshark.

Maybe you could try:

dnf install wireshark

:question:

Debian has it as a separate package, but Fedora includes it under wireshark-cli, I think.


Thanks, this is correct (albeit confusing :thinking: for me).


dnf install wireshark-cli

Ought to do it.

Isn’t something like:
tcpdump -l -A | grep GET | URL_parsing_script.sh
or
tshark -l | grep GET | URL_parsing_script.sh
what the OP wants?
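As an added example (not from any poster in this thread), here is what the URL_parsing_script.sh stage could look like: it turns tshark field output (source IP, Host header, request URI) into one URL per line and keeps the .rss ones the OP asked about. The tshark invocation in the comments and the sample lines are assumptions constructed for this example; in sys-firewall the first column would be the 10.137.x.x address of the qube that made the request.

```sh
#!/bin/sh
# Assumed capture command (not from the thread): one tab-separated line per
# plaintext HTTP request seen on the upstream interface of sys-firewall:
#   tshark -l -i eth0 -Y 'http.request' -T fields \
#       -e ip.src -e http.host -e http.request.uri
# Over TLS only the hostname is visible (no path), via the SNI field:
#   tshark -l -i eth0 -Y 'tls.handshake.extensions_server_name' -T fields \
#       -e ip.src -e tls.handshake.extensions_server_name

# Constructed sample of the HTTP field output above (not real traffic).
sample_fields() {
    printf '%s\t%s\t%s\n' \
        10.137.0.12 example.org      /feed.rss \
        10.137.0.12 example.org      /index.html \
        10.137.0.15 cdn.example.net  /files/big.iso \
        10.137.0.12 blog.example.com /posts/atom.rss
}

# stdin: tshark field lines -> stdout: "<client-ip> http://<host><uri>"
# Lines with an empty host or URI (e.g. malformed requests) are dropped.
urls_from_fields() {
    awk -F'\t' 'NF >= 3 && $2 != "" && $3 != "" {
        printf "%s http://%s%s\n", $1, $2, $3
    }'
}

# Keep only lines whose URL ends with the wanted extension (default .rss).
filter_ext() {
    ext="${1:-.rss}"
    while IFS= read -r line; do
        case "$line" in
            *"$ext") printf '%s\n' "$line" ;;
        esac
    done
}

# Count of URLs recovered from the sample (used for checking).
count_urls() {
    sample_fields | urls_from_fields | awk 'END { print NR }'
}

# The feed URLs a firewall-side logger would hand to an aggregator.
rss_urls() {
    sample_fields | urls_from_fields | filter_ext .rss
}

rss_urls
```

For live use, replace `sample_fields` with the tshark command from the comments and append the output to a log file in the qube.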

I think tcpdump is probably what I want even though it isn’t built-in.

This is a very common attack against my machines. sys-net and sys-firewall are triggered into some fake update. So far open-snitch stops it.

You have a very big issue if sys-firewall is trying to do fake updates!


I do! There is a new trend to create hidden interfaces… Probably I should do a fresh reinstall or move to 4.2 (I tried it a few times and there are so many “things”/issues that drive me nuts).

Is there a separate topic about this problem (there should be!)? How would I go about testing to see if I have the same problem?