Application firewall

I would like to use application-specific firewall-rules in qubes.
Since each AppVM has its purposes and each should be allowed to access only what it needs, same goes for applications.

  • I would like to block certain domains and URLs. I prefer not to trust Firefox add-ons, and other applications that need some internet access don’t have URL-based blocking/filtering abilities.
  • I would like to allow specific (Port / URL-based) “pin-hole” internet access only to applications that need it (everything else should be denied).
  • I’m guessing that asking to be able to set protocol-specific rules is irrelevant because it requires the app-firewall to correctly identify the protocol based on traffic inside a (usually) encrypted session, which brings us to SSL inspection and MITM and makes it all much more complicated and resource heavy. (…but why not dream big. So I’ll just put it here anyway)
  • I would like to see a log (even be alerted?) about an application that deviated from where it’s supposed to go.
  • Obviously, different rules will apply to the same applications residing inside different AppVMs

I would love to hear your thoughts on the matter.

(I was very surprised that an application firewall feature isn’t mentioned anywhere, assuming I didn’t miss anything, and am posting all of this for nothing)


I was very surprised that application firewall feature isn’t mentioned anywhere

See my PoC here:
http://zrubi.hu/en/2017/traffic-analysis-qubes/
(and note the date :wink:)

and a recent topic here:

and just for the record: the default Qubes Firewall:

(but this is based on IP/Port filtering only)

@Zrubi Thank you, however:

  • Your PoC with suricata doesn’t provide a solution for “VM-specific Application-Firewall”
  • The topic you pointed to doesn’t deal with “VM-specific Application-Firewall”
  • Qubes Firewall is indeed “VM-specific” but is most certainly NOT “Application-Firewall” and, as you noticed, is also limited to IP/Port filtering only.
    I’m looking for something more, which will be an integral part of Qubes-OS and will not require users to manually install a separate proxy-vm for each and every AppVM :slightly_smiling_face:

I’m looking for something more, which will be an integral part of Qubes-OS and will not require users to manually install a separate proxy-vm for each and every AppVM

Well, there is no such thing ready for use, I’m afraid.

My PoC however shows you how to transparently catch and analyze the traffic going through a proxy VM. You can replace suricata with any other application level firewall (but there are not too many alternatives out there)

The VM specific part is ‘only’ the rules you define for a particular VM.
So the missing piece is:

  • interface for defining application level rules
  • implementation to dynamically assign those rules to the used application level firewall.

That’s exactly how the qubes firewall works btw (but with a packet filter at the ‘end’), so the working example is there :wink:

What is currently working if you follow my PoC:

  • you can filter for URL
  • you can log the traffic of your VMs

but surely you need to create rules manually, and statically assign your VMs.

For the logging part, I also did PoC for central log collecting:

or if you are thinking outside of your Qubes:
http://zrubi.hu/en/2017/siem-at-home/

Unfortunately I’ve no free time to implement those ideas into a fully working and user friendly solution - but it shows you a way how it would work.

And ofc. if anybody would be willing to work on those ideas, I’m willing to help. - but nobody was interested in such features during the last ~4 years - or they just keep it a secret :wink:

So, waiting for your requested features… is just pointless. (but at least very optimistic)
Let’s start actually implementing it instead. :slight_smile:

I will definitely take a closer look at your SIEM@Home project. It looks cool.
You said “…nobody was interested about such features during the last ~4 years - or they just keep it in secret”.
Things change all the time and I believe awareness of information security has increased in the last years and will continue to increase. So here I am, saying it out loud, and maybe it’ll catch the eye and interest of other people :slightly_smiling_face:
Searching around, I saw many projects related to Firewall, and a few projects of Application Firewall (for Linux of course; other OSes have had application firewalls since the late 90’s) so maybe there is a rising interest.
Interested people - let us hear you! :sunglasses:

This does not satisfy all your requirements but is quite practical:


Thanks, it adds filtering with URL but isn’t application-specific, and also (if I understand it correctly) requires a separate proxyVM for each and every Domain/AppVM.

requires a separate proxyVM for each and every Domain/AppVM.

No, you can use the same proxy for several VMs - the very same way as the qubes firewall works.
(this is also true for my PoC ofc)

When using one ProxyVM for all AppVMs, how do I set a certain rule for Firefox in one AppVM but a different rule for Firefox in a different AppVM?
Also, how do I set one rule for Firefox and a different one for Thunderbird (both regarding HTTP access)?

You can identify your client VM by its internal IP address.
So you can prepare the rules accordingly.
Once a VM is created, its IP is kind of static; see:
qvm-ls --network

But, you just can’t make a difference by Applications inside a VM.
Only if they are running in a different VM.
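The per-VM keying described in the post above (one shared proxy VM, rules selected by the client VM’s internal IP), written out as an added example that is not part of the thread or of Zrubi’s PoC. It emits Suricata-style pass/drop rules: an allow-list per VM matched on the HTTP Host header and the TLS SNI (so encrypted sessions are filtered by hostname without MITM), followed by a logging drop per VM so any deviation shows up in Suricata’s logs. The VM-to-IP table stands in for `qvm-ls --network` output and the VM-to-host policy is constructed; the SID range is an assumed local one.

```python
"""Generate per-VM Suricata allow-list rules for a shared Qubes proxy VM.

Constructed example. VM_IPS mimics what `qvm-ls --network` would report for
two AppVMs; POLICY is a hypothetical per-VM list of permitted hostnames.
Relies on Suricata's default action order (pass is evaluated before drop).
"""

SID_BASE = 1000000  # assumed local SID range; adjust to your rule set

# Constructed stand-in for `qvm-ls --network` (VM name -> internal IP).
VM_IPS = {"work": "10.137.0.10", "mail": "10.137.0.11"}

# Constructed policy: the same Firefox gets a different allow-list per VM.
POLICY = {"work": ["example.com"], "mail": ["mail.example.net"]}

# Protocol keyword and the sticky buffer that carries the hostname for it.
HOST_BUFFERS = (("http", "http.host"), ("tls", "tls.sni"))


def suricata_rules(vm_ips, policy, sid_base=SID_BASE):
    """Return rule strings keyed on the client VM's source IP.

    For each VM: one 'pass' per permitted host (HTTP Host and TLS SNI), then
    a catch-all 'drop' per protocol whose msg identifies the deviating VM in
    fast.log / eve.json, which covers the 'log deviations' requirement.
    """
    rules = []
    sid = sid_base
    for vm, hosts in policy.items():
        src = vm_ips[vm]
        for host in hosts:
            for proto, buf in HOST_BUFFERS:
                rules.append(
                    f'pass {proto} {src} any -> any any '
                    f'(msg:"{vm} allowed {host}"; {buf}; content:"{host}"; '
                    f'endswith; nocase; sid:{sid}; rev:1;)'
                )
                sid += 1
        for proto, _ in HOST_BUFFERS:
            rules.append(
                f'drop {proto} {src} any -> any any '
                f'(msg:"{vm} policy violation"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    print("\n".join(suricata_rules(VM_IPS, POLICY)))
```

Rules for a VM apply to every application inside it, which is exactly the limit the post describes: two programs in the same AppVM share one allow-list.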