Restricting a qube to selected websites

It’s just a change of the filename used in this step:

So you would create the file /etc/qubes-rpc/policy/qubes.ConnectTCP+8888 instead of editing /etc/qubes-rpc/policy/qubes.ConnectTCP. I believe that all this change does is make the configuration a bit more secure by preventing my-qube from connecting to any ports on my-proxy other than 8888. You will still need the Firefox proxy edit.

I don’t see why it wouldn’t work - but I don’t have much experience with VPNs (in general or in Qubes OS). Let me know if you get it working!

I’ll have to look into that.

2 Likes

Thank you @Rooftop for your answers. I have one more question. Would you know how to set up Thunderbird in my-qube running, for example, Gmail IMAP (ports 993 and 465, I believe)?

You need to enable networking in my-qube (i.e. set Networking to sys-firewall in Qube Settings) and then select Limit outgoing internet connections and add firewall rules to allow access to the required addresses/hostnames for ports 993 and 465 (or whatever ports are required).

For a service like GMail that uses multiple IP addresses, you may need to set the address to * (if allowing connections on ports 993 and 465 to any host is acceptable to you).

Web browsing will still be forced to go via the proxy as you haven’t allowed ports 80/443 through the firewall.

Thank you for the reply. I tried the following and failed to get Thunderbird with a Gmail account to work. It failed to connect to the Internet. Would you know what I did wrong?

What error are you getting? The firewall setup looks all right to me.

It just occurred to me that for Gmail, Thunderbird might need you to login in to your Google account via the web - try changing the connection settings in Thunderbird (under Preferences, scroll down to Network & Disk Space) to use localhost port 8888 as the HTTP/HTTPS proxy.

Thunderbird acts as if there’s no internet. That’s it. It cannot reach gmail.

I had tried that before asking you about Thunderbird. While the calendar provider did work via port 8888 and my-proxy (the calendar is not Google), the IMAP email failed to sync. It behaved as if it was not connected to the internet.

If there is an error, the exact error message may help me (maybe :slight_smile: ).

Did you have the proxy setup in thunderbird before you added the gmail account?

Is there a way to allow only HTTP (no HTTPS) websites? Is this possible with this approach? (Yes, this is not a typo: HTTP only.)

I think replacing the following two lines in the /rw/config/tinyproxy/tinyproxy.conf file:

ConnectPort 443
ConnectPort 563

with:

ConnectPort 0

will prevent HTTPS connections.

Cool I will try, when I have time. Thanks @Rooftop

One more question :slight_smile: can I simply do:

^\.com$

to allow only all *.com websites?

You can use \.com$ to only allow all .com sites. (Your pattern would only match .com itself)
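As an added example (not code from the thread or from tinyproxy itself), a small Python check of how those filter lines behave against host names. It assumes tinyproxy's whitelist mode (FilterDefaultDeny Yes, filtering on host names) matches a regex anywhere in the host, so anchoring is what keeps a pattern like `\.com$` from also admitting look-alike names; verify that behaviour against your tinyproxy version.

```python
import re

# Added example, not from the forum thread or the tinyproxy project. It models
# the thread's understanding of a tinyproxy filter file in whitelist mode
# (FilterDefaultDeny Yes, matching host names rather than full URLs): a request
# is allowed if any filter line matches somewhere in the host name. Unanchored
# search semantics are an assumption; check them against your tinyproxy version.

def host_allowed(host, patterns):
    """True if any filter pattern matches the request's host name."""
    host = host.lower().rstrip(".")   # normalise case and a trailing dot
    return any(re.search(p, host) for p in patterns)

def evaluate(patterns, hosts):
    """Map each host to whether the given filter lines would allow it."""
    return {h: host_allowed(h, patterns) for h in hosts}

# Constructed host names covering the cases the thread raises plus common traps.
HOSTS = [
    "example.com",
    "mail.example.com",
    ".com",                  # the only thing ^\.com$ matches
    "notexample.com",        # looks like example.com to an unanchored pattern
    "example.com.evil.net",  # .com is not at the end, so \.com$ rejects it
    "examplecom",            # an unescaped dot in .com$ lets this through
]

FILTER_SETS = {
    "^\\.com$  (the line asked about)": [r"^\.com$"],
    "\\.com$   (the suggested line)": [r"\.com$"],
    ".com$    (unescaped dot)": [r".com$"],
    "(^|\\.)example\\.com$  (one site and its subdomains)": [r"(^|\.)example\.com$"],
}

if __name__ == "__main__":
    for label, pats in FILTER_SETS.items():
        print(label)
        for host, ok in evaluate(pats, HOSTS).items():
            print(f"  {'allow' if ok else 'deny ':5}  {host}")
```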

While browsing around, I found this: How to run an HTTP filtering proxy.

It’s a bit more complicated than my setup, but it does have the advantage of allowing you to use one proxy VM for multiple App VMs (each with its own set of rules).

I haven’t tried it (my simple setup is adequate for my needs), but I thought I’d mention it in case anyone else is interested…

2 Likes

This is the error message. Nothing unusual.
failed to connect

No. I have my account already set up and then I tested the proxy. When I tried to route Thunderbird via my-proxy, I checked the logs and they did not register a (denied) request other than the request for the calendar (via 8888).

Strange. Let me have a play and I’ll get back to you (I haven’t used gmail for years, so I’ll need to set it up again).

Ok. I have confirmed that gmail access does work with the firewall settings you have.

However…

  1. Setting up a new Gmail account while using the proxy didn’t work - Thunderbird tried to contact a number of sites, and even after white-listing many of them, it still seemed to not work, possibly because of point 2 below.
  2. I don’t know how Gmail authenticates (OAuth?) and I don’t know if that can be made to work with the proxy setup.

Unfortunately, I have no interest in using Gmail, so I’m not very motivated to try fixing this problem :slight_smile:

P.S. The way I got it to work for testing was by manually configuring Thunderbird using the settings here and then “allowing insecure applications” in my Google settings - not something I would necessarily recommend…

1 Like

Thank you @Rooftop for your responses. Much appreciated. The answer to my problem was posted here:

@Rooftop if appropriate (and if not already done) do you think these last discussion points could be added to your guide?

Good idea. I’ll do that.

1 Like