Trying to disable most ipv4 traffic

And while allowing all ipv6 (::/0), apparently i allow all traffic:

[user@dom0 ~]$ qvm-firewall calendar add --before=1 accept proto=tcp dst6=::/0
[user@dom0 ~]$ qvm-firewall calendar list
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  10.0.0.0/8  -         -        -               -          -       -
1   accept  -           tcp       -        -               -          -       -
2   accept  -           -         -        dns             -          -       -
3   accept  -           icmp      -        -               -          -       -
4   drop    -           -         -        -               -          -       -

I used 2000::/4 instead.
is this a bug or am i just bad at using firewall rules? (maybe both :smiley: )

1 Like

It seems to be a bug with ::/0 destination:

$ qvm-firewall tst
NO  ACTION  HOST      PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   drop    -         udp       -        -               -          -       -
1   drop    2000::/3  tcp       -        -               -          -       -
2   drop    ::/1      tcp       -        -               -          -       -
3   drop    -         tcp       -        -               -          -       -
4   accept  -         -         -        -               -          -       -
table ip qubes-firewall {
        chain qbs-... {
                ip protocol udp reject with icmp admin-prohibited
                ip protocol tcp reject with icmp admin-prohibited
                accept
                reject with icmp admin-prohibited
        }
}
table ip6 qubes-firewall {
        chain qbs-... {
                ip6 nexthdr udp reject with icmpv6 admin-prohibited
                ip6 nexthdr tcp ip6 daddr 2000::/3 reject with icmpv6 admin-prohibited
                ip6 nexthdr tcp ip6 daddr ::/1 reject with icmpv6 admin-prohibited
                ip6 nexthdr tcp reject with icmpv6 admin-prohibited
                accept
                reject with icmpv6 admin-prohibited
        }
}

Can you report it on GitHub?

1 Like
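A check for the symptom shown in the two posts above, as an added example that is not part of the original thread: it parses `qvm-firewall <qube> list` output and reports whether a rule requested with a specific destination is actually listed with it, and which accept rules carry no host restriction (the nft output above shows that host-less rules are emitted into both the `ip` and `ip6` tables). The function names are assumptions of this example, and the sample input is the listing copied from the first post.

```python
import ipaddress
import re

# Constructed input: the `qvm-firewall calendar list` table from the first post.
SAMPLE = """\
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  10.0.0.0/8  -         -        -               -          -       -
1   accept  -           tcp       -        -               -          -       -
2   accept  -           -         -        dns             -          -       -
3   accept  -           icmp      -        -               -          -       -
4   drop    -           -         -        -               -          -       -
"""

def parse_rules(text):
    """Turn the listing into dicts keyed by column name (cells are 2+ spaces apart)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", ln.strip(), maxsplit=len(header) - 1)))
            for ln in lines[1:]]

def family(host):
    """Address family that a HOST cell (or a requested destination) restricts to."""
    if host == "-":
        return "any"  # no destination match: the rule lands in both nft tables
    try:
        return "ipv%d" % ipaddress.ip_network(host, strict=False).version
    except ValueError:
        return "hostname"

def rule_matches_intent(rules, number, intended_dst):
    """True if rule `number` is listed with the destination that was requested."""
    listed = next(r["HOST"] for r in rules if r["NO"] == str(number))
    if family(listed) != family(intended_dst):
        return False
    if family(listed) in ("any", "hostname"):
        return listed == intended_dst
    return (ipaddress.ip_network(listed, strict=False)
            == ipaddress.ip_network(intended_dst, strict=False))

def unrestricted_accepts(rules):
    """Numbers of accept rules with neither a host nor a special target."""
    return [int(r["NO"]) for r in rules
            if r["ACTION"] == "accept" and family(r["HOST"]) == "any"
            and r["SPECIAL TARGET"] == "-"]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print("rule 1 listed as requested (::/0):", rule_matches_intent(rules, 1, "::/0"))
    print("accept rules without host restriction:", unrestricted_accepts(rules))
```

Run against real output by piping `qvm-firewall <qube> list` into `parse_rules` right after adding a rule.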

thanks for checking, i opened an issue as suggested:

2 Likes

i stumbled upon the same problem again. :slight_smile:

1 Like