[qubes-users] Default firewall configuration for dns/icmp of VMs with restricted access

Hi!

In the default firewall setup if a VM is restricted via UI using "Limit outgoing Internet connections to ..." 2 rules are added before "drop all packages":

[prompt]$ qvm-firewall vm

NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -

Namely:
accept dns
and
accept icmp

1. Is my assumption correct that by that it's possible to exfiltrate data to any destination server using dns/icmp?
2. What are practical solutions to mitigate that?
  a) delete "accept dns/icmp" rules in the firewall and add the corresponding IPs to the restricted domains/ips in /etc/hosts of the vm?
  b) using pihole as dns resolver and restrict the access there?
  c) more useful solutions?

Thanks, P

liked2@gmx.de:

> accept dns
> and
> accept icmp
>
> 1. Is my assumption correct that by that it's possible to exfiltrate data to any destination server using dns/icmp?

Yes.

> 2. What are practical solutions to mitigate that?
>   a) delete "accept dns/icmp" rules in the firewall and add the corresponding IPs to the restricted domains/ips in /etc/hosts of the vm?

This is the simplest approach and what I do on a couple of AppVMs. You'll have to use the qvm-firewall command to delete them.

Btw I still consider this hideous firewall GUI an anti-feature and would wholeheartedly support anyone complaining about it at qubes-issues.
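An added example (not code from the thread or from Qubes) that audits the `qvm-firewall` listing shown in the original post: it parses the table, flags the two implicit accept rules (the "dns" special target and the unrestricted "icmp" rule) and emits the deletions highest-numbered first so the remaining rule numbers do not shift. The sample listing is re-typed from the post as constructed input; the `del --rule-no` form of qvm-firewall is assumed from the Qubes 4 CLI.

```python
from dataclasses import dataclass

# Constructed input: the listing from the original post, re-typed.
SAMPLE_LISTING = """\
NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -
"""

@dataclass
class Rule:
    no: int
    action: str
    host: str
    proto: str
    ports: str
    special: str
    icmp_type: str
    expire: str
    comment: str

def parse_rules(listing):
    """Parse the whitespace-separated table; only COMMENT may contain spaces."""
    rules = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("NO"):
            continue  # blank line or column header
        fields = line.split(maxsplit=8)
        if len(fields) < 9:  # tolerate a missing trailing comment column
            fields += ["-"] * (9 - len(fields))
        rules.append(Rule(int(fields[0]), *fields[1:]))
    return rules

def broad_rules(rules):
    """Accept rules with no host restriction that use the dns target or icmp."""
    return [r for r in rules
            if r.action == "accept" and r.host == "-"
            and (r.special == "dns" or r.proto == "icmp")]

def deletion_commands(vm, rules):
    """Delete from the highest rule number down: deleting rule 1 first would
    renumber rule 2 and make the second command remove the wrong rule."""
    flagged = sorted(broad_rules(rules), key=lambda r: r.no, reverse=True)
    # Assumed CLI form (Qubes 4): qvm-firewall <vm> del --rule-no <n>
    return [f"qvm-firewall {vm} del --rule-no {r.no}" for r in flagged]

if __name__ == "__main__":
    for cmd in deletion_commands("vm", parse_rules(SAMPLE_LISTING)):
        print(cmd)
```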

I don't agree with this statement, as the GUI firewall does mitigate some risks if used. Only providing a command line interface would mean that some people wouldn't (have the ability to) use it. Those who are brave enough to use the command line will probably also manage to understand the implications of using the UI.

What else is wrong with the firewall GUI besides the two hidden dns/icmp specialities?