QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Explain limitations of Qubes firewall regarding domain name - IP incongruence to avoid false sense of security #8809

Open UndeadDevel opened 8 months ago

UndeadDevel commented 8 months ago

Qubes OS release

4.2

Brief summary

Browsing this page in my "github-web" qube with the following (very non-refined) Qubes firewall rules (the first one is the two GitHub IPs, since it uses a very active load balancer):

NO  ACTION  HOST                           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  140.82.121.3/4                 -         -        -               -          -       -
1   accept  about.gitlab.com               -         -        -               -          -       -
2   accept  api.github.com                 -         -        -               -          -       -
3   accept  avatars.githubusercontent.com  -         -        -               -          -       -
4   accept  collector.github.com           -         -        -               -          -       -
5   accept  github.com                     -         -        -               -          -       -
6   accept  github.githubassets.com        -         -        -               -          -       -
7   accept  gitlab.com                     -         -        -               -          -       -
8   accept  gitlab.xfce.org                -         -        -               -          -       -
9   accept  s3.amazonaws.com               -         -        -               -          -       -
10  accept  -                              -         -        dns             -          -       -
11  accept  -                              icmp      -        -               -          -       -
12  drop    -                              -         -        -               -          -       -

and clicking on one of the many links there with the text "here", which point to this discussion on the qubes-devel Google Group, actually opened the link and loaded the discussion, even though that domain name is not whitelisted.

This turns out to be a known limitation of the way the Qubes firewall is implemented, but it is not explained in a prominent place.

Steps to reproduce

See above

Expected behavior

(Only whitelisted domains can be connected to when firewall is set to restricted mode.) Since this is not possible with the current firewall implementation, explain this limitation to the user in a prominent place to avoid users having a false sense of security.

Actual behavior

(Loads of non-whitelisted domains are successfully loaded (according to Firefox Network console):

Trying some other sites showed that most stuff seems indeed to be blocked, just not Google apparently.) No prominent explanation of this severe limitation of the Qubes firewall is given by the system.

DemiMarie commented 8 months ago

I suspect this is not actually a bug, but rather a (severe) limitation of the current firewall: the firewall works at the IP level, but DNS names do not have a 1:1 relationship with IP addresses.

UndeadDevel commented 8 months ago

> I suspect this is not actually a bug, but rather a (severe) limitation of the current firewall: the firewall works at the IP level, but DNS names do not have a 1:1 relationship with IP addresses.

Looks like you're correct! When trying to open those links again right after reloading the firewall for this qube (which will update all the IP addresses according to the listed domain names IIUC) the link doesn't load...I really gotta get a sys-proxy working again.

Closing...

github-actions[bot] commented 8 months ago

This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.

If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.

andrewdavidwong commented 8 months ago

A Qubes developer suggested reopening this. Reason: This should be explained by the system and not just ignored in order to avoid providing a false sense of security.

renehoj commented 8 months ago

https://www.qubes-os.org/doc/firewall/

> Note that if you specify a rule by DNS name it will be resolved to IP(s) at the moment of applying the rules, and not on the fly for each new connection. This means it will not work for servers using load balancing, and traffic to complex web sites which draw from many servers will be difficult to control.

Doesn't it work as expected, and how it's described in the Qubes OS firewall documentation and Linux iptables documentation?
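The apply-time resolution described in the quoted documentation, modelled as an added example (not Qubes code): hostname rules are frozen into an IP set when applied, so a later DNS answer falls outside the set and a non-whitelisted host sharing an IP with a whitelisted one falls inside it. The hostnames and addresses below are constructed (documentation ranges), and `drift()` is a hypothetical check a user could run to know when to reload the rules.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], List[str]]  # hostname -> address strings

# Hostnames from the issue's rule set; answers are constructed, not real.
RULE_HOSTS = ["github.com", "api.github.com", "s3.amazonaws.com"]
DNS_AT_APPLY_TIME: Dict[str, List[str]] = {
    "github.com": ["192.0.2.10"],
    "api.github.com": ["192.0.2.11"],
    "s3.amazonaws.com": ["198.51.100.20", "198.51.100.21"],
    # Not in the rules, but (constructed) shares an address with s3:
    "cdn-shared.example": ["198.51.100.20"],
}
DNS_LATER = dict(DNS_AT_APPLY_TIME, **{"github.com": ["192.0.2.12"]})


def dict_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a constructed answer table."""
    return lambda host: list(table.get(host, []))


def system_resolver(host: str) -> List[str]:
    """Real resolver for interactive use (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def snapshot_allowed(hosts: Iterable[str], resolve: Resolver) -> Set[ipaddress._BaseAddress]:
    """Apply-time behaviour: each hostname rule becomes the addresses it resolves to right now."""
    return {ipaddress.ip_address(a) for h in hosts for a in resolve(h)}


def is_allowed(dst: str, allowed: Set[ipaddress._BaseAddress]) -> bool:
    """Per-connection decision: only the destination IP is consulted, never the name."""
    return ipaddress.ip_address(dst) in allowed


def drift(hosts: Iterable[str], snapshot: Set[ipaddress._BaseAddress], resolve: Resolver) -> Dict[str, List[str]]:
    """Hostnames whose current answers include addresses the snapshot lacks; non-empty means reload the rules."""
    stale = {}
    for h in hosts:
        missing = {ipaddress.ip_address(a) for a in resolve(h)} - snapshot
        if missing:
            stale[h] = sorted(str(a) for a in missing)
    return stale


if __name__ == "__main__":
    snap = snapshot_allowed(RULE_HOSTS, dict_resolver(DNS_AT_APPLY_TIME))
    print("github.com later:", is_allowed("192.0.2.12", snap))      # False: dropped
    print("cdn-shared.example:", is_allowed("198.51.100.20", snap))  # True: slips through
    print("drift:", drift(RULE_HOSTS, snap, dict_resolver(DNS_LATER)))
```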

UndeadDevel commented 8 months ago

> Doesn't it work as expected, and how it's described in the Qubes OS firewall documentation and Linux iptables documentation?

Basically, yes (though I didn't expect it to have that kind of elaborate effect where so many related non-whitelisted sites will be allowed under certain circumstances). That's why I closed the issue, but as per @andrewdavidwong a developer requested that this be kept open and changed to a UX issue regarding a more prominent warning to the user due to the security implications of the standard functionality.