Security hazard? Why can I ping from a "limit outgoing connections = nothing" qube?

I have a VM that has sys-firewall as netqube. However under firewall rules, I set “limit outgoing connections to…” with nothing underneath. (Actually my real setup is having local LAN address there, but I removed that for this post to better demo my issue.)

Although I can’t web browse to e.g. qubes-os.org (nice), can anyone tell me… why can I run “ping qubes-os.org” (very bad!)?

Is this a security hazard? I was expecting NO internet access, but turns out the qube could ping the internet all along!?

1 Like

On the same firewall tab, you will see a note at the bottom explicitly stating that DNS and ICMP requests will still pass through the firewall even if it is set to block outgoing connections.
If you want to remove these, you will need to use the qvm-firewall cli tool from a dom0 terminal.

4 Likes

Thanks, will mark this as solved.

However can someone ping the Qubes team on this?

My opinions only:

  • The current UI is very dangerous.
  • First, when “limit outgoing connections to” is selected, the warning about ping/icmp should appear in red color (to make it more obvious).
  • Even if I delete ping/icmp using qvm-firewall, when I modify those IP addresses again, those ping/icmp allow rules just magically come back. Very unexpected/dangerous. (What about at least showing the output of qvm-firewall <qubename> list right there in the UI? This way the user would see those ping/icmp things pop back in place.)

1 Like

I remember seeing some similar suggestions in the past, but nothing was done about it. It’s probably because you can’t control it from this interface.
For your usage, I think it would be better to familiarize yourself with the qvm-firewall cli instead of the interface, since it gives you more control over what you want to allow.

1 Like

The firewall UI should be disabled after you used qvm-firewall, with the red message “Firewall has been modified manually. Please use the ‘qvm-firewall’ command in dom0 for any further configuration.”

2 Likes

I even noticed that just hitting OK on the VM’s settings (even if the “firewall” tab is never opened), all the previous changes to qvm-firewall are just overwritten (and those ping/icmp just pop right back in place).

Does anyone here agree this is a serious security vulnerability? (How is the user supposed to expect such behavior?) Can someone here notify the devs?

1 Like

Did you open the qube settings before running qvm-firewall? If saying “ok” to close the settings window removes all qvm-firewall rules, it’s a race condition and it’s indeed a security issue that should be reported.

See Issue tracking | Qubes OS for the process; don’t hesitate to ask for help if you need it.

2 Likes

I have no github account… hope someone here can report this over there.
In the meantime I’m just putting “SEEQVMFIREWALL” into my qube name.

1 Like

Do you know how to fully reset the firewall, such that I can once again start configuring the firewall using the GUI? Apparently just doing reset with qvm-firewall doesn’t go that far.

Is it really a one way street? Once you’re into qvm-firewall, there’s no turning back?

Using qvm-firewall qube_name reset should do the trick. You should be able to reuse the firewall tab in the qube settings.
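
The concern raised in this thread, that DNS/ICMP allow rules come back after the settings dialog is used, can be checked mechanically. The following is an added example, not part of any post above and not Qubes project code: it flags accept rules for DNS or ICMP in a rule list. It assumes the rules arrive one per line as space-separated key=value pairs (the form `qvm-firewall --raw <qubename> list` is assumed to print in dom0); the function name and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag firewall rules that still let DNS or ICMP out of a qube.
# Assumption: one rule per line, space-separated key=value pairs, e.g.
#   action=accept specialtarget=dns

# Reads rules on stdin, prints "<rule-no>: <rule>  [reason]" for each accept
# rule matching DNS, ICMP, port 53, or everything. Exit status 1 if any found.
find_leaky_rules() {
    awk '
    NF == 0 { next }                     # skip blank lines, do not number them
    {
        n = count++                      # rule numbers start at 0
        action = proto = special = ports = ""
        for (i = 1; i <= NF; i++) {
            eq  = index($i, "=")         # split at the first "=" only
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "action")        action  = val
            if (key == "proto")         proto   = val
            if (key == "specialtarget") special = val
            if (key == "dstports")      ports   = val
        }
        if (action != "accept") next
        why = ""
        if (special == "dns")      why = "dns"
        else if (proto == "icmp")  why = "icmp"
        else if (ports != "") {
            split(ports, r, "-")         # accepts "53" or a range like "53-53"
            lo = r[1] + 0; hi = (r[2] == "" ? lo : r[2] + 0)
            if (lo <= 53 && 53 <= hi) why = "port 53"
        }
        else if (NF == 1)          why = "allow-all"
        if (why != "") { printf "%d: %s  [%s]\n", n, $0, why; found = 1 }
    }
    END { exit found ? 1 : 0 }
    '
}

# Constructed sample: a LAN-only rule set plus the DNS/ICMP rules the thread
# describes reappearing after a GUI edit.
SAMPLE_RULES='action=accept dsthost=192.168.1.0/24
action=accept specialtarget=dns
action=accept proto=icmp
action=drop'

printf '%s\n' "$SAMPLE_RULES" | find_leaky_rules || echo "DNS/ICMP allow rules present"
```

Running it against the live rule list after every change made through the qube settings window shows immediately whether the rules removed with qvm-firewall have been restored.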