Hi!
In the default firewall setup, if a VM is restricted via the UI using "Limit outgoing Internet connections to ...", two rules are added before "drop all packets":
[prompt]$ qvm-firewall vm
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept www.qubes.org tcp 443 - - - -
1 accept - - - dns - - -
2 accept - icmp - - - - -
Namely:
accept dns
and
accept icmp
1. Is my assumption correct that this makes it possible to exfiltrate data to any destination server using DNS/ICMP?
2. What are practical solutions to mitigate that?
a) delete the "accept dns/icmp" rules from the firewall and add the corresponding IPs of the restricted domains/IPs to /etc/hosts in the VM?
b) use Pi-hole as the DNS resolver and restrict access there?
c) other, more useful solutions?
Thanks, P
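As an added example (not part of the post above), a small audit script that parses the `qvm-firewall vm` listing quoted in the post, flags every accept rule whose destination is unrestricted (the dns and icmp rules in question), and prints the dom0 commands that would remove them; the Qubes 4 `qvm-firewall VM del --rule-no N` syntax is assumed.

```python
# Listing copied from the post above; it is the only sample input used here.
SAMPLE_LISTING = """\
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept www.qubes.org tcp 443 - - - -
1 accept - - - dns - - -
2 accept - icmp - - - - -
"""

# Column names of one rule line (SPECIAL TARGET and ICMP TYPE are single columns).
FIELDS = ("no", "action", "host", "proto", "ports", "special", "icmptype", "expire", "comment")


def parse_listing(text):
    """Turn `qvm-firewall VM list` output into a list of rule dicts."""
    rules = []
    for line in text.splitlines()[1:]:          # the first line is the header
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected rule line: {line!r}")
        rules.append(dict(zip(FIELDS, parts)))
    return rules


def audit(text):
    """Return (rule_no, reason) for accept rules whose destination is unrestricted.

    A rule with HOST '-' matches any destination, so despite the final drop the
    VM can still reach arbitrary servers over whatever that rule permits.
    """
    findings = []
    for r in parse_listing(text):
        if r["action"] != "accept" or r["host"] != "-":
            continue                              # destination-pinned rules are fine
        if r["special"] == "dns":
            findings.append((int(r["no"]), "dns: queries are forwarded to any zone"))
        elif r["proto"] == "icmp":
            findings.append((int(r["no"]), "icmp: reaches any address"))
        else:
            findings.append((int(r["no"]), "accept to any host"))
    return findings


def tighten_commands(vm, text):
    """dom0 commands removing the flagged rules (assumed Qubes 4 qvm-firewall
    syntax); highest rule number first so the remaining indexes stay valid."""
    nums = sorted((no for no, _ in audit(text)), reverse=True)
    return [f"qvm-firewall {vm} del --rule-no {n}" for n in nums]


if __name__ == "__main__":
    for no, reason in audit(SAMPLE_LISTING):
        print(f"rule {no}: {reason}")
    print("\n".join(tighten_commands("vm", SAMPLE_LISTING)))
```

Removing rule 1 only takes away the VM's own name resolution; the hostname in rule 0 is resolved by the firewall VM when it loads the rules, so the pinned rule keeps working.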