mirage / qubes-mirage-firewall

A Mirage firewall VM for QubesOS

IPv6 support #113

Open jpds opened 4 years ago

jpds commented 4 years ago

Does this firewall support forwarding IPv6 packets? If I spin up a browser behind it, I can't navigate to http://ip6only.me/ - but this works fine when I use the standard sys-firewall.

I've also run:

$ qvm-features sys-mirage-firewall ipv6 1

talex5 commented 4 years ago

Not at the moment:

https://github.com/mirage/qubes-mirage-firewall/blob/006801c03e48a47f9e0dd4023202d32e72dad47f/client_net.ml#L123-L126

hannesm commented 4 years ago

For starters (who're not deep into QubesOS), how does QubesOS hand out IPv6 addresses? I.e. (a) how is the firewall supposed to get their own IPv6 address? (b) how are IPv6 addresses organised for client VMs (i.e. what is the firewall expected to handle)? (c) is the firewall supposed to NAT client-v6 data to their own v6 address (or pass it on?)?

I found some documentation: https://www.qubes-os.org/doc/networking/#ipv6

jpds commented 4 years ago

how does QubesOS hand out IPv6 addresses?

It appears to be using IPv6 link and unique local addresses handed out by Xen.

I.e. (a) how is the firewall supposed to get their own IPv6 address?

Also from Xen. I can't see radvd or dhcpdv6 running anywhere.

(b) how are IPv6 addresses organised for client VMs (i.e. what is the firewall expected to handle)?

One of my VPN VMs (behind sys-firewall) has for example this as eth0:

$ ip -6 a
...
inet6 fd09:24ef:4179::a89:24/128 scope global

This is set as the default route of one of its client VMs:

$ ip -6 r
...
default via fd09:24ef:4179::a89:24 dev eth0 metric 1 pref medium

(c) is the firewall supposed to NAT client-v6 data to their own v6 address (or pass it on?)?

I cannot see a NAT, just forwarding rules - the normal Linux firewall VM is configured like this with nftables for a firewall locked down to a WireGuard host on sys-firewall:

table ip6 qubes-firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
        ip6 saddr fd09:24ef:4179::a89:24 jump qbs-fd09-24ef-4179--a89-24
    }

    chain qbs-fd09-24ef-4179--a89-24 {
        ip6 daddr 2a01:...::/64 accept
        ip6 daddr 2a01:...::f00d udp dport 51820 accept
        ip6 nexthdr ipv6-icmp accept
        reject with icmpv6 type admin-prohibited
        reject with icmpv6 type admin-prohibited
    }
}

And here are the forwarding rules on the sys-vpn VM behind that:

table ip6 qubes-firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
        ip6 saddr fd09:24ef:4179::a89:19 jump qbs-fd09-24ef-4179--a89-19
    }

    chain qbs-fd09-24ef-4179--a89-19 {
        accept
        reject with icmpv6 type admin-prohibited
    }
}

jpds commented 4 years ago

The addresses are indeed set in Xen/libvirt, they can be found in files in /var/lib/xen/:

    <interface type='ethernet'>
      <mac address='00:16:3e:5e:6c:00'/>
      <ip address='...' family='ipv4'/>
      <ip address='fd09:24ef:4179::a89:24' family='ipv6'/>
      <script path='vif-route-qubes'/>
      <backenddomain name='sys-firewall'/>
      <target dev='vif10.0'/>
    </interface>
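The thread establishes three things a v6-capable firewall VM has to know: each client's IPv6 address is a static value from the libvirt domain XML (not from RA or DHCPv6), the Linux sys-firewall identifies a client purely by that source address, and the per-client chain is named `qbs-` plus the address with `:` replaced by `-`. The following is an added example, not code from qubes-mirage-firewall or from Qubes OS: it parses a constructed XML fragment modelled on the one quoted above (the IPv4 address is a made-up placeholder, and the `2001:db8::/64` / `2001:db8::f00d` WireGuard targets stand in for the elided `2a01:...` prefix), renders the equivalent ip6 `qubes-firewall` ruleset, and evaluates the same forward-chain logic against constructed packets so the accept/drop/reject outcomes can be checked without nft.

```python
"""Added example (not qubes-mirage-firewall or Qubes OS code).

Models the thread's observations: Qubes assigns each client VM a static
IPv6 address in the libvirt XML, the firewall keys on that source
address, and the per-client chain is "qbs-" + address with ':' -> '-'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the /var/lib/xen/ XML quoted in the
# thread; the IPv4 address is a placeholder, not taken from the page.
LIBVIRT_XML = """<domain>
  <devices>
    <interface type='ethernet'>
      <mac address='00:16:3e:5e:6c:00'/>
      <ip address='10.0.0.24' family='ipv4'/>
      <ip address='fd09:24ef:4179::a89:24' family='ipv6'/>
      <script path='vif-route-qubes'/>
      <backenddomain name='sys-firewall'/>
      <target dev='vif10.0'/>
    </interface>
  </devices>
</domain>"""


def client_v6_addresses(xml_text: str) -> Dict[str, ipaddress.IPv6Address]:
    """Map each vif device name to the IPv6 address libvirt assigned it."""
    out = {}
    for iface in ET.fromstring(xml_text).iter("interface"):
        dev = iface.find("target").get("dev")
        for ip in iface.findall("ip"):
            if ip.get("family") == "ipv6":
                out[dev] = ipaddress.IPv6Address(ip.get("address"))
    return out


def chain_name(addr: ipaddress.IPv6Address) -> str:
    """Chain naming as seen in the thread: qbs-fd09-24ef-4179--a89-24."""
    return "qbs-" + str(addr).replace(":", "-")


@dataclass(frozen=True)
class Rule:
    daddr: ipaddress.IPv6Network        # destination prefix to allow
    proto: Optional[str] = None         # 'udp'/'tcp', or None for any
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    iif: str
    state: str = "new"                  # ct state: new/established/related
    proto: str = "tcp"                  # 'tcp', 'udp' or 'ipv6-icmp'
    dport: Optional[int] = None


Policies = Dict[ipaddress.IPv6Address, List[Rule]]


def example_policy() -> Tuple[Dict[str, ipaddress.IPv6Address], Policies]:
    """Constructed WireGuard-only policy for the client in LIBVIRT_XML."""
    clients = client_v6_addresses(LIBVIRT_XML)
    addr = clients["vif10.0"]
    policies = {addr: [Rule(ipaddress.IPv6Network("2001:db8::/64")),
                       Rule(ipaddress.IPv6Network("2001:db8::f00d/128"), "udp", 51820)]}
    return clients, policies


def forward_verdict(pkt: Packet, clients, policies: Policies) -> str:
    """Apply the ip6 qubes-firewall forward chain: 'accept', 'drop' or 'reject'."""
    if pkt.state in ("established", "related"):
        return "accept"                 # ct state established,related accept
    if not pkt.iif.startswith("vif"):
        return "accept"                 # iifname != "vif*" accept
    saddr = ipaddress.IPv6Address(pkt.saddr)
    if saddr not in clients.values():
        return "drop"                   # no jump matched: chain policy drop
    daddr = ipaddress.IPv6Address(pkt.daddr)
    for r in policies.get(saddr, []):
        if (daddr in r.daddr and (r.proto is None or r.proto == pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return "accept"
    if pkt.proto == "ipv6-icmp":
        return "accept"                 # ip6 nexthdr ipv6-icmp accept
    return "reject"                     # reject with icmpv6 type admin-prohibited


def render_ruleset(clients, policies: Policies) -> str:
    """Render nft text in the same shape as the ruleset quoted in the thread."""
    lines = ["table ip6 qubes-firewall {", "    chain forward {",
             "        type filter hook forward priority filter; policy drop;",
             "        ct state established,related accept",
             '        iifname != "vif*" accept']
    lines += [f"        ip6 saddr {a} jump {chain_name(a)}" for a in clients.values()]
    lines.append("    }")
    for a in clients.values():
        lines += ["", f"    chain {chain_name(a)} {{"]
        for r in policies.get(a, []):
            l4 = f" {r.proto} dport {r.dport}" if r.proto else ""
            lines.append(f"        ip6 daddr {r.daddr}{l4} accept")
        lines += ["        ip6 nexthdr ipv6-icmp accept",
                  "        reject with icmpv6 type admin-prohibited", "    }"]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    cl, po = example_policy()
    print(render_ruleset(cl, po))
    wg = Packet("fd09:24ef:4179::a89:24", "2001:db8::f00d", "vif10.0", proto="udp", dport=51820)
    print(forward_verdict(wg, cl, po))
```

Note that nothing here translates addresses: as jpds observes, the Linux firewall only forwards and filters, so a Mirage equivalent would need the same static per-client address table (read from the XML or QubesDB) plus a forward decision, not a v6 NAT.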