[Contribution] qubes-network-topology #2575

Open
andrewdavidwong opened this issue Jan 13, 2017 · 10 comments
Labels
C: contrib package C: networking community dev This is being developed by a member of the community rather than a core Qubes developer. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. S: needs review Status: needs review. Core devs must review contributed code for potential inclusion in Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience

Comments

@andrewdavidwong
Member

andrewdavidwong commented Jan 13, 2017

Community Dev: @Zrubi
PoC: https://gist.github.com/Zrubi/6229d5400bde987b1aa8da516553b909


Several users over the years have requested a feature that allows them to visualize the topography of their VMs in the form of a graph, and some of our users have even developed tools that accomplish this. We should consider selecting and integrating one of these tools into Qubes.

Discussion threads:

@andrewdavidwong andrewdavidwong added C: other T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. help wanted This issue will probably not get done in a timely fashion without help from community contributors. labels Jan 13, 2017
@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Jan 13, 2017
andrewdavidwong added a commit that referenced this issue Jan 13, 2017
@andrewdavidwong andrewdavidwong added community dev This is being developed by a member of the community rather than a core Qubes developer. S: needs review Status: needs review. Core devs must review contributed code for potential inclusion in Qubes OS. and removed help wanted This issue will probably not get done in a timely fashion without help from community contributors. labels Jun 9, 2019
@andrewdavidwong andrewdavidwong modified the milestones: Far in the future, Release 4.1 Jun 9, 2019
@andrewdavidwong andrewdavidwong added the P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. label Jun 9, 2019
@andrewdavidwong andrewdavidwong changed the title Consider integrating VM topography visualization tool [Contribution] qubes-network-topology Jun 9, 2019
@andrewdavidwong
Member Author

@Zrubi, would you be willing to package your contribution following our new package contribution procedure?

@ninavizz
Member

Commenting to get this on my radar. @andrewdavidwong mind adding the UX tag to this? Seems like a nice add-on feature to a future redesign of Qubes Manager.

@andrewdavidwong andrewdavidwong added the ux User experience label Dec 30, 2020
@andrewdavidwong
Member Author

> Commenting to get this on my radar. @andrewdavidwong mind adding the UX tag to this? Seems like a nice add-on feature to a future redesign of Qubes Manager.

Added!

@deeplow

deeplow commented Dec 30, 2020

@ninavizz I also have some thoughts on this.

For example, I've identified a trend of users misunderstanding the purpose of sys-firewall, and they often end up connecting directly to sys-net. A network topology visualizer could add some visual warnings explaining why this may not be a good idea if the user doesn't understand the implications.

@ninavizz
Member

@deeplow sys-net isn't what I connect through?? Good to know! Yeah, only geeks know to connect directly to a firewall, I guess? I like your thinking that it's a good place to provide guidance on how to best configure one's system for safety.

There's a separate issue I'd like to file to also create a new feature to give users insight into their hardware, w/o requiring CLI things. Like, I really need that info to know if I can upgrade my memory, what my storage situation is, and what my monitor support options are. I'll be creating a ticket for that, separately, but this feels like it'd fit perfectly into that.

@marmarek could we pull the 4.1 milestone from this? I'd rather not bloat that release with this, tbh. This feels like it'll add too much additional testing into existing 4.1 backlog stuff... and I think users wd rather get the rest of the 4.1 goodness, before waiting on this?

@deeplow

deeplow commented Dec 31, 2020

> @deeplow sys-net isn't what I connect through?? Good to know!

Yup. Exactly. I think this is one big security issue due to end-user misconfiguration caused by lack of awareness of the purpose of sys-firewall. As far as I understand it, AppVMs should be connected like this:

Correct:

  • sys-net <- sys-firewall <- work
  • sys-net <- sys-firewall <- sys-vpn <- work

Incorrect:

  • sys-net <- work
  • sys-net <- sys-vpn <- work

Otherwise there will be no network firewall isolation between VMs. But I need to do some more reading on this as well.

@andrewdavidwong andrewdavidwong modified the milestones: Release 4.1, TBD Jan 1, 2021
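
One way to implement the check deeplow describes in the comment above, as an added example that is not part of the thread or of any Qubes tool. The qube-to-netvm mapping, the extra qube names and the function names are constructed; `firewall_qubes` is an assumed parameter so that a qube running its own firewall service can be counted as one.

```python
# Added example: audits netvm chains against the layouts listed in the thread.
# SAMPLE is constructed data mapping each qube to its netvm (None = no netvm).
SAMPLE = {
    "sys-net": None,
    "sys-firewall": "sys-net",
    "sys-vpn": "sys-firewall",
    "work": "sys-firewall",          # sys-net <- sys-firewall <- work
    "work-vpn": "sys-vpn",           # sys-net <- sys-firewall <- sys-vpn <- work
    "untrusted": "sys-net",          # sys-net <- work
    "sys-vpn-direct": "sys-net",
    "banking": "sys-vpn-direct",     # sys-net <- sys-vpn <- work
    "vault": None,
}


def netvm_chain(qube, netvm_of):
    """Return [qube, its netvm, that netvm's netvm, ...]; reject loops."""
    chain, seen = [qube], {qube}
    current = netvm_of.get(qube)
    while current is not None:
        if current in seen:
            raise ValueError(f"netvm loop involving {current!r}")
        chain.append(current)
        seen.add(current)
        current = netvm_of.get(current)
    return chain


def audit_topology(netvm_of, net_qube="sys-net", firewall_qubes=("sys-firewall",)):
    """Classify each qube as 'ok', 'offline' or 'bypasses-firewall'."""
    results = {}
    infra = {net_qube, *firewall_qubes}
    for qube in netvm_of:
        if qube in infra:
            continue  # the net and firewall qubes themselves are not audited
        chain = netvm_chain(qube, netvm_of)
        if net_qube not in chain:
            results[qube] = "offline"
            continue
        # Hops strictly between this qube and the net qube.
        upstream = chain[1:chain.index(net_qube)]
        passes_fw = any(hop in firewall_qubes for hop in upstream)
        results[qube] = "ok" if passes_fw else "bypasses-firewall"
    return results


if __name__ == "__main__":
    for name, verdict in sorted(audit_topology(SAMPLE).items()):
        print(f"{name:16} {verdict}")
```

A visualizer could use the `bypasses-firewall` verdict to decide where to draw the warning proposed earlier in the thread.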
@Zrubi
Member

Zrubi commented Jan 4, 2021 via email

@deeplow

deeplow commented Jan 4, 2021

So in practice, you can run the same services in your "sys-vpn" - or whatever you call it. Then there will be NO security degradation, but you just save an extra NAT and an extra VM with all its resource needs.

Advanced users understand what they are doing and know which warnings they can dismiss. There is no need to protect those users.

The key goal here would be to prevent less technical users from shooting themselves in the foot.

@3hhh

3hhh commented Jan 8, 2021

Alternatives from #6269:

@ghost

ghost commented Dec 7, 2022

Another alternative https://github.com/hexstore/qubes-proxy

@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Aug 13, 2023
@marmarek marmarek removed their assignment Mar 7, 2024