I recently switched the templateVM and appVM I’m using for my firewall qube. At first pass, it appears to be working fine. However, I’ve configured the firewall qube to block some of my other qubes (e.g. Work qube) from connecting to the internet except through specific IP addresses.
What is the best way to test to see if the IP blocking via the firewall appVM is working as intended? I’m pretty handy with the command line, but I’m not sure which utilities to use in this case.
I did a quick search on the forum, but didn’t see a discussion on this topic. But if people have links, I’m happy to read through them!
From your blocked appvm qubes, go to the command-line interface and ping any address other than your specified IP addresses. Make sure ping is enabled in your firewall - you can disable it again after testing. For example, ping the Cloudflare DNS IP: 1.1.1.1.
Example of a successful ping:
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=69.5 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=60.7 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=56 time=66.0 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=56 time=65.1 ms
For you, a successful ping means your block rule is NOT working.
Example of an unsuccessful ping:
ping 1.1.1.1
ping: connect: Network is unreachable
For you, this means your block rule is working.
For other users…
This little trick can help you check if your appvm is connected to the internet without having to open up a website.
This is the simple way, but there are more ways; check the links below.
This is mostly networking knowledge. You can find more info on this on the Red Hat website:
1. Install tcpdump: this will only install tcpdump temporarily, until you shut down/restart sys-net. Depending on your template, it's "apt install tcpdump" or "dnf install tcpdump".
2. Start tcpdump in sys-net, listening for a "forbidden" IP or service, like DNS.
3. In your qube that should be restricted, initiate traffic to an IP that should be blocked.
4. Check in sys-net's tcpdump that nothing gets through.
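Putting the two answers above together as one script, an added example that is not from either poster or from the Qubes project: run it with the argument "live" inside the restricted qube to ping each allowed and forbidden address and report PASS/FAIL from ping's exit status, or run it with no arguments to print the tcpdump filter expression for sys-net and count packets to forbidden hosts in a sample capture. The address lists, the "tcpdump -nn" sample and 203.0.113.10 (standing in for your permitted address) are constructed placeholders; 1.1.1.1 is the Cloudflare resolver used in the first answer.

```shell
#!/bin/sh
# Added example (not from the thread): check a Qubes firewall rule from both ends.
#  - inside the restricted qube: probe each address with ping, compare with intent
#  - in sys-net: build the tcpdump filter for "forbidden" traffic and count any
#    packets to forbidden hosts in a capture
# ALLOWED_IPS / FORBIDDEN_IPS are placeholders: 203.0.113.10 is a constructed
# documentation-range address, 1.1.1.1 the resolver used in the thread.
ALLOWED_IPS="${ALLOWED_IPS:-203.0.113.10}"
FORBIDDEN_IPS="${FORBIDDEN_IPS:-1.1.1.1}"

# probe HOST: one echo request with a 2 s deadline. The verdict comes from ping's
# exit status, so a silent drop and "Network is unreachable" both count as unreachable.
probe() {
  if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo reachable; else echo unreachable; fi
}

# expect WANT GOT: PASS when the observed state matches what the rule intends.
expect() {
  if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# leak_filter IP...: BPF expression for tcpdump in sys-net matching packets to any
# forbidden host, plus DNS queries (the "forbidden service" the second answer names).
leak_filter() {
  f=""
  for ip in "$@"; do
    f="${f:+$f or }dst host $ip"
  done
  echo "($f) or udp dst port 53"
}

# count_leaks IP...: read "tcpdump -nn" lines on stdin and count packets whose
# destination host (token after ">", trailing colon and any port stripped) is forbidden.
count_leaks() {
  awk -v list="$*" '
    BEGIN { n = split(list, ips, " "); for (i = 1; i <= n; i++) bad[ips[i]] = 1 }
    {
      for (i = 1; i <= NF; i++) {
        if ($i == ">") {
          dst = $(i + 1); sub(/:$/, "", dst)
          split(dst, d, ".")
          host = d[1] "." d[2] "." d[3] "." d[4]
          if (host in bad) leaks++
          break
        }
      }
    }
    END { print leaks + 0 }'
}

# Constructed sample of "tcpdump -nn" output, not a real capture.
SAMPLE='12:00:01.000001 IP 10.137.0.10 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.070002 IP 1.1.1.1 > 10.137.0.10: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000003 IP 10.137.0.10.44321 > 1.1.1.1.53: 51234+ A? example.com. (29)
12:00:03.000004 IP 10.137.0.10 > 203.0.113.10: ICMP echo request, id 8, seq 1, length 64'

sample_leaks() { printf '%s\n' "$SAMPLE" | count_leaks $FORBIDDEN_IPS; }

# live_check: run inside the restricted qube. Allowed hosts must answer, forbidden
# hosts must not; any FAIL line means the rule is not doing its job.
live_check() {
  for ip in $ALLOWED_IPS;   do echo "$ip (allowed)   $(expect reachable   "$(probe "$ip")")"; done
  for ip in $FORBIDDEN_IPS; do echo "$ip (forbidden) $(expect unreachable "$(probe "$ip")")"; done
}

if [ "${1:-}" = "live" ]; then
  live_check
else
  echo "run in sys-net: sudo tcpdump -nn -i any '$(leak_filter $FORBIDDEN_IPS)'"
  echo "packets to forbidden hosts in the constructed sample: $(sample_leaks)"
fi
```

The constructed sample shows why the filter should cover services as well as hosts: the third line is a DNS query to the forbidden resolver, which a plain "dst host" check on ICMP alone would not surface. On a correctly working firewall, the live run prints only PASS lines and the tcpdump session in sys-net stays silent while you generate traffic from the restricted qube.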