QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Clarify firewall documentation regarding custom NAT rules #7655

Open sjug opened 2 years ago

sjug commented 2 years ago

Background

"In ProxyVMs (or app qubes with qubes-firewall service enabled), scripts placed in the following directories will be executed in the listed order followed by qubes-firewall-user-script at start up. Good place to write custom firewall rules." (config files)

"... for all qubes except those supplying networking, iptables commands should be added to the /rw/config/rc.local script. For app qubes supplying networking (sys-firewall inclusive), iptables commands should be added to /rw/config/qubes-firewall-user-script." (firewall)

Qubes OS release

R 4.1.1

Brief summary

I am trying to set my own NAT rules for a VPN app qube. The VPN app qube provides network for other appvms, and I have also enabled the qubes-firewall service to see if that causes the script to be run (it doesn't). If I move the iptables commands to rc.local, it works as expected.

Steps to reproduce

  1. Create appvm to use as a network providing qube (Advanced > Provides network), set up the VPN etc.
  2. Set the new vpn qube as a netvm for another appvm.
  3. Enable qubes-firewall service (optional?)
  4. In the qubes-firewall-user-script modify PR-QBS in the NAT table: iptables -A PR-QBS -t nat ...
  5. Check nat table: iptables -nvL -t nat

Expected behavior

We expect to see the qubes-firewall-user-script execute at least on boot, and add a rule to the nat table, PR-QBS chain.

Actual behavior

Does not seem to execute or have any effect.

Similar issues

https://github.com/QubesOS/qubes-issues/issues/3260

unman commented 2 years ago

Can you confirm that you can set other chains? (I am confident that you will be able to do so.)

sjug commented 2 years ago

@unman You're correct, I created a new chain and it is created by qubes-firewall-user-script. I suppose this means that the qubes-firewall-user-script is executed before whatever creates the PR-QBS chain? Is there any way to modify existing chains other than rc.local? AFAIK the qubes-firewall-user-script is the last configurable firewall script location that is run.

unman commented 2 years ago

On Wed, Jul 27, 2022 at 09:17:03AM -0700, Sebastian Jug wrote:

> @unman You're correct, I created a new chain and it is created. I suppose this means that the qubes-firewall-user-script is executed before whatever creates the PR-QBS chain and it's overwritten? Is there any way to modify existing chains other than rc.local?

I think you are right. You can modify this from a (late starting) nft script, called from systemd. But that means there is an open window before the script is run - not an issue if it is permissive.

3hhh commented 2 years ago

This is no bug, but a user error / misunderstanding. Please close.

@sjug The qubes-firewall-user-script is executed once on Qubes firewall start as documented. If you want your own NAT rules, you can place them at whatever time in the PREROUTING chain before PR_QBS. However you are not supposed to modify PR_QBS. That is fully managed by Qubes OS at runtime and will change over time. If you do some stuff in there, don't be surprised that it disappears.
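
The approach described in the comment above, as an added example that is not part of the issue thread or of Qubes OS itself: a /rw/config/qubes-firewall-user-script body for a network-providing VPN qube that inserts its own NAT rules at the head of PREROUTING, so they are evaluated before the jump into the Qubes-managed PR-QBS chain and survive Qubes rewriting that chain. The DNS-redirect use case, the resolver address VPN_DNS, and the IPT override (set IPT="echo iptables" to print the commands instead of applying them) are assumptions for illustration; the vif+ interface match refers to the downstream qube interfaces.

```shell
#!/bin/sh
# Added example (not Qubes OS code): custom NAT rules that avoid PR-QBS.
# Runs once when qubes-firewall starts, like any qubes-firewall-user-script.

IPT="${IPT:-iptables}"          # override with "echo iptables" for a dry run
VPN_DNS="${VPN_DNS:-10.8.0.1}"  # hypothetical resolver inside the VPN tunnel

# Chains that Qubes OS owns and rewrites at runtime; anything added to them
# can silently disappear, so refuse to touch them.
is_managed_chain() {
    case "$1" in
        PR-QBS|PR-QBS-SERVICES) return 0 ;;
        *) return 1 ;;
    esac
}

# Insert a rule at position 1 of a nat-table chain we are allowed to modify.
# Position 1 in PREROUTING means the rule is hit before the jump to PR-QBS.
nat_insert() {
    chain="$1"; shift
    if is_managed_chain "$chain"; then
        echo "refusing to modify Qubes-managed chain $chain" >&2
        return 1
    fi
    $IPT -t nat -I "$chain" 1 "$@"
}

# Redirect DNS from downstream qubes (vif+ interfaces) to the tunnel resolver,
# for both UDP and TCP port 53.
apply_dns_redirect() {
    resolver="$1"
    for proto in udp tcp; do
        nat_insert PREROUTING -i vif+ -p "$proto" --dport 53 \
            -j DNAT --to-destination "$resolver" || return 1
    done
}

# Entry point when used as the user script; the check keeps the file sourceable.
if [ "${QUBES_USER_SCRIPT_MAIN:-1}" = "1" ]; then
    apply_dns_redirect "$VPN_DNS"
fi
```

Because PREROUTING is never flushed by the Qubes firewall updater, the inserted rules remain in place after PR-QBS is regenerated; verify with `iptables -t nat -nvL PREROUTING` rather than by inspecting PR-QBS.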

unman commented 2 years ago

I believe this is a documentation bug, and should be left open until that has been resolved. Changing the title to reflect the actual issue would be helpful, and changing tags.

andrewdavidwong commented 2 years ago

If anyone reading this is able to help with the documentation here, please feel free to open a PR.

For those who are not already aware, the documentation is a community effort, and everyone is welcome to contribute. That's often how things like this get updated. You can read more about how to submit documentation changes here:

https://www.qubes-os.org/doc/how-to-edit-the-documentation/

You may also be interested in the documentation style guide:

https://www.qubes-os.org/doc/documentation-style-guide/