Qubes OS 4.2 nftables / nft firewall guide

ddevz · November 16, 2023, 8:21pm

I agree. If you know nftables use nftables. If your lost, and don’t know the nftables equivilant to -A, it can be way faster to find it out by doing:
iptables-translate -A INPUT -s 1.1.1.1/24 -j ACCEPT
and getting:
nft add rule ip filter INPUT ip saddr 1.1.1.0/24 counter accept

rather then trying to look it up in a man page, or doing a google search on it, cause you already know exactly what the one side means.

procShield · November 17, 2023, 12:19pm

Agreed. Thanks for opening this topic, @Solene.

Btw, do you know why R4.2 used to work but the new update that made VPNs dysfunctional was viewed as an improvement? Were there leaks or security flaws? Online auditors and cli status showed my VPN configuration to be working with the values it was designed to. Is there something hidden in this iptables complexity you could elucidate?

And does anyone know what these “start” IPs refer to in the output highlighted here? What are -t -nat --flush PR-QBS all about? No simple path for Rise Up now, is there?

barto · November 17, 2023, 2:07pm

As a matter of fact, don’t forget that in R4.2, selinux is enabled by default, adding some more security but at the same time, making even a simple script startup from /rw/ more complex.

qubist · November 17, 2023, 3:58pm

in R4.2, selinux is enabled by default

Is there any more detailed info (documentation) about it?

procShield · November 17, 2023, 6:27pm

Whatever Mullvad VPN has done is compatible with the new configuration. If someone could figure out all that they did to make their GUI and integrations with Qubes other VPNs might be easier to make work.

So each VPN offering “framework” has a lot of specifics that need to be tailored to ip/nf tables now that whatever that was automating and streamlining the particulars it has been removed?

That means that if I want to make a remailer qube, yggdrasil, veilid, nym, freenet, etc I should definitely start by mastering iptables, right? Ambitious goal. But such a proposed muti-networking-modality computer would be an attractive acquisition…

DVM · November 17, 2023, 6:42pm

They have been using nftables in their Linux application for quite some time, so it works on Qubes 4.2.

You need to learn the syntax of nftables and how it works. iptables is considered deprecated and is already replaced by nftables under the hood in some distributions.

qubist · November 17, 2023, 7:16pm

iptables is considered deprecated and is already replaced by nftables under the hood in some distributions.

My information may be somewhat outdated but some months ago I have read that Android uses only iptables and most non-x86 architectures don’t support nftables at all. Of course, nftables is better and the way forward. Just sharing.

barto · November 17, 2023, 8:00pm

Of course!
4.2.0 Resease Notes
And, linked in the Release Notes:
SELinux support in Fedora qubes
(scroll towards the end, the thread starts in 2018)
On Feb 26 2023, marmarek (chapeau!) confirms that selinux is enabled by default in Fedora-based templates: Build Fedora templates with SELinux enabled from the start #7988

procShield · November 20, 2023, 5:21am

Ok. Read up on nftables. Still dont know how to, for starters, take an installation guide specific to Debian stable or bookworm and add something with nftables to make it work like it did before when R4.2 has iptables. nftables just organizes iptables more and corrects a few other security issues.

DVM · November 20, 2023, 2:26pm

If you have trouble with nftables, you can still use iptables-translate to get any iptables rule into nftables syntax. The only thing to keep in mind is that Qubes has created its own table called “qubes”, so if you are using nft, you will need to refer to it in your command.
You have some examples in this PR:

github.com

QubesOS/qubes-doc/blob/86a6f12e2a882dfffbc04818458589655843514d/user/security-in-qubes/firewall.md

---
lang: en
layout: doc
permalink: /doc/firewall/
redirect_from:
- /doc/qubes-firewall/
- /en/doc/qubes-firewall/
- /doc/QubesFirewall/
- /wiki/QubesFirewall/
ref: 166
title: Firewall
---

Understanding firewalling in Qubes
----------------------------------

Every qube in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies.
By default there is one default FirewallVM, but the user is free to create more, if needed.

For more information, see the following:

This file has been truncated. show original

qubist · November 20, 2023, 3:15pm

I don’t know how it is in 4.2, but in 4.1, whenever I add an IPv6 address to the allow list, it does not show up in nft list ruleset. I wonder if this is a bug.

Can anyone using 4.2 check this?

DVM · November 20, 2023, 3:17pm

What’s your nft command?

apparatus · November 20, 2023, 4:25pm

IPv6 is disabled by default, you need to enable it explicitly:

qubist · November 20, 2023, 4:32pm

What’s your nft command?

Listed above.
I add the IPv6 address through the firewall tab in the qube settings UI.

apparatus · November 20, 2023, 4:45pm

I’ve tested this for R4.2 and it works with IPv6-enabled qubes.

qubist · November 20, 2023, 5:29pm

IPv6 is disabled by default

I didn’t know that. Thanks.

DVM · November 20, 2023, 5:38pm

I still don’t know why (I’m still checking the source code), but everything that is applied to sys-firewall from the GUI/CLI is set to its NetVM in the qubes-firewall table (sys-net in my case).

solene · November 20, 2023, 5:43pm

This is how the firewall works, when you edit a rule for a qube, it’s applied in its netvm so if the qube is compromised the firewall rules can’t be altered.

DVM · November 20, 2023, 5:46pm

I understand this, but if someone applies rules to sys-firewall, it goes to sys-net, which is more likely to be compromised. So the better way to apply rules, in the case of a VPN setup for example, is to set them on the VPN qube itself and not on sys-firewall I guess?

apparatus · November 20, 2023, 5:48pm

These Qubes firewall rules can only be applied from dom0.