Created
May 17, 2019 16:26
I figured out some of the wiring for this script to clear out and add firewall rules. Change `ocamldev` to the dev VM you'll launch, and `fetchmotron` to the VM that is a client of the firewall under test, if necessary (you should only need to do this in update-firewall).
In dom0:
make a file in /etc/qubes-rpc called yomimono.updateFirewall:
```
sudo bash
cd /etc/qubes-rpc
cat << EOF >> yomimono.updateFirewall
/usr/local/bin/update-firewall
EOF
```
make a policy file for updateFirewall:
```
sudo bash
cd /etc/qubes-rpc/policy
cat << EOF >> yomimono.updateFirewall
ocamldev dom0 allow
EOF
```
make the update-firewall script:
```
sudo bash
cd /usr/local/bin
# quote the delimiter so $TEST_VM, $rc and $? are written into the script
# literally instead of being expanded by this shell
cat << 'EOF' >> update-firewall
#!/bin/sh
# this script sets a deny-all rule for a particular VM, set here as TEST_VM.
# it is intended to be used as part of a test suite which analyzes whether
# an upstream FirewallVM correctly applies rule changes when they occur.
TEST_VM=fetchmotron
echo "Current $TEST_VM firewall rules:"
qvm-firewall "$TEST_VM" list
echo "Removing $TEST_VM rules..."
# delete rule 0 until qvm-firewall fails, i.e. until no rules are left
rc=0
while [ "$rc" = "0" ]; do
qvm-firewall "$TEST_VM" del --rule-no 0
rc=$?
done
echo "$TEST_VM firewall rules are now:"
qvm-firewall "$TEST_VM" list
echo "Setting $TEST_VM deny-all rule:"
qvm-firewall "$TEST_VM" add drop
echo "$TEST_VM firewall rules are now:"
qvm-firewall "$TEST_VM" list
EOF
chmod u+rwx update-firewall
```
Then, in ocamldev VM, you should be able to initiate the change to fetchmotron's firewall rules:
```
$ qrexec-client-vm dom0 yomimono.updateFirewall
Current fetchmotron firewall rules:
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 drop - - - - - - -
Removing fetchmotron rules...
fetchmotron firewall rules are now:
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
Setting fetchmotron deny-all rule:
fetchmotron firewall rules are now:
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 drop - - - - - - -
```
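A test suite that drives update-firewall also needs to confirm the VM really ended up in the deny-all-only state, so here is an added check (not part of the gist) that parses the `qvm-firewall list` table in the column layout shown above. The `check_vm` wrapper assumes `qvm-firewall` is on PATH in dom0; the sample tables are constructed.

```sh
#!/bin/sh
# Added example (not from the gist): decide from a `qvm-firewall <vm> list`
# table whether the VM is in the deny-all-only state update-firewall is meant
# to produce. Column layout follows the transcript above; samples are constructed.

# is_deny_all_only TABLE
# Returns 0 when TABLE holds exactly one rule and that rule is "drop" with no
# host, protocol or port restriction; returns 1 otherwise.
is_deny_all_only() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # header line
        NF == 0 { next }                 # blank lines
        { rules++ }
        # data fields: NO ACTION HOST PROTOCOL PORT(S) ...
        $2 == "drop" && $3 == "-" && $4 == "-" && $5 == "-" { deny_all++ }
        END { exit !(rules == 1 && deny_all == 1) }
    '
}

# check_vm VMNAME: run the real command in dom0 and apply the check.
# (Assumes qvm-firewall is available; not exercised by the samples below.)
check_vm() {
    is_deny_all_only "$(qvm-firewall "$1" list)"
}

HEADER='NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT'

# Constructed: the state after update-firewall has run.
DENY_ALL_TABLE="$HEADER
0 drop - - - - - - -"

# Constructed: no rules at all (the intermediate state in the transcript).
EMPTY_TABLE="$HEADER"

# Constructed: an accept rule ahead of the drop, so not deny-all-only.
MIXED_TABLE="$HEADER
0 accept - tcp 443 - - - -
1 drop - - - - - - -"

report() {
    if is_deny_all_only "$2"; then
        echo "$1: deny-all only"
    else
        echo "$1: NOT deny-all only"
    fi
}

report DENY_ALL_TABLE "$DENY_ALL_TABLE"
report EMPTY_TABLE "$EMPTY_TABLE"
report MIXED_TABLE "$MIXED_TABLE"
```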