Qube firewall traffic blocked when resolving hostname in "Firewall rules" fails #7499

Open
MichaelAnders opened this issue May 8, 2022 · 4 comments
Labels
affects-4.1 This issue affects Qubes OS 4.1. affects-4.2 This issue affects Qubes OS 4.2. C: networking needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. ux User experience

Comments

@MichaelAnders

Qubes OS release

Qubes 4.1

Brief summary

If one hostname which is defined under "Firewall Rules" fails to resolve, the network is not accessible. All network traffic is blocked, even when using an IP. The packets are filtered by (according to "ping" output) the "Net qube".
It does not matter if "Allow all outgoing connections", "Limit outgoing connections to..." or "Allow full access for ..." is selected.

Steps to reproduce

At least one hostname is specified as "Address" under "Firewall Rules" and such a hostname cannot be resolved

Expected behavior

Upon launching the Qube a notification is displayed for each hostname that cannot be resolved (alternative: "multiple hostnames cannot be resolved" instead of single hostname).
The network remains accessible, the failed hostname obviously not.

Actual behavior

Upon launching the Qube a notification is displayed for the first hostname that cannot be resolved. This notification will show only once even if multiple hostnames fail.
It does not matter if "Allow all outgoing connections", "Limit outgoing connections to..." or "Allow full access for ..." is selected: all network connections are blocked.

@MichaelAnders MichaelAnders added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug labels May 8, 2022
@andrewdavidwong andrewdavidwong added C: networking ux User experience needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels May 8, 2022
@andrewdavidwong andrewdavidwong added this to the Release 4.1 updates milestone May 8, 2022
@3hhh

3hhh commented May 9, 2022

No, the current behaviour is fine.

Assume a set of rules such as
deny somehost
allow all

If the Qubes firewall just continued when it has issues with somehost, it would inevitably lead to a potential security impact for the user (who might not even notice the issue). So failing closed is in the best interest of the user atm.

Whether the error message could be improved or not is the only point worth discussing.

@DemiMarie

> No, the current behaviour is fine.

Not always; see below.

> Assume a set of rules such as
> deny somehost
> allow all
>
> If the Qubes firewall just continued when it has issues with somehost, it would inevitably lead to a potential security impact for the user (who might not even notice the issue). So failing closed is in the best interest of the user atm.

In the case you mentioned, yes, but if a host in an allow rule fails, it should just be skipped (with a warning).
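
The two policies discussed in the comments above, side by side, as an added example that is not part of the thread and is not Qubes OS code. The rule format, the `compile_rules` function, the hostnames and the resolver table are all assumptions made for illustration; rules are taken to be evaluated first-match, in order.

```python
# Added illustration: names, rule format and resolver are hypothetical.
from __future__ import annotations
from typing import Callable, Optional

DROP_ALL = [("drop", None)]  # fail-closed ruleset: block everything


def compile_rules(rules: list[dict],
                  resolve: Callable[[str], Optional[list[str]]],
                  skip_failed_accept: bool) -> tuple[list[tuple], list[str]]:
    """Expand hostname rules to ordered (action, ip) pairs plus warnings.

    skip_failed_accept=False: any resolution failure blocks all traffic
    (the behaviour reported in the issue).
    skip_failed_accept=True: a failed accept rule is skipped with a warning.
    Under first-match ordering that can only make the result stricter.
    A failed drop rule still fails closed, because skipping it would let
    a later, broader accept rule pass traffic the user meant to block.
    """
    compiled, warnings = [], []
    for rule in rules:
        host = rule.get("dsthost")
        if host is None:  # rule without a hostname matches any destination
            compiled.append((rule["action"], None))
            continue
        addrs = resolve(host)
        if addrs:
            compiled.extend((rule["action"], ip) for ip in addrs)
        elif skip_failed_accept and rule["action"] == "accept":
            warnings.append(f"skipped accept rule: cannot resolve {host}")
        else:
            warnings.append(f"cannot resolve {host}: blocking all traffic")
            return list(DROP_ALL), warnings
    return compiled, warnings


# Constructed resolver table standing in for DNS (documentation address).
DNS = {"updates.example": ["192.0.2.10"]}
lookup = DNS.get  # returns None for names that do not resolve

# First case: the unresolvable host sits in a drop rule before "allow all".
deny_then_allow = [{"action": "drop", "dsthost": "somehost"},
                   {"action": "accept", "dsthost": None}]
# Second case: the unresolvable host sits in an accept rule of an allow-list.
allow_list = [{"action": "accept", "dsthost": "updates.example"},
              {"action": "accept", "dsthost": "gone.example"},
              {"action": "drop", "dsthost": None}]
```
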

@3hhh

3hhh commented May 9, 2022 via email

@andrewdavidwong andrewdavidwong added the affects-4.1 This issue affects Qubes OS 4.1. label Aug 8, 2023
@andrewdavidwong andrewdavidwong removed this from the Release 4.1 updates milestone Aug 13, 2023
@andrewdavidwong andrewdavidwong added eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Dec 7, 2024

This comment was marked as outdated.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 7, 2024
@DemiMarie DemiMarie reopened this Dec 14, 2024
@andrewdavidwong andrewdavidwong added needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. affects-4.2 This issue affects Qubes OS 4.2. and removed eol-4.1 Closed because Qubes 4.1 has reached end-of-life (EOL) labels Dec 15, 2024