From 3b6901b5d2a36710dbd36606977afe9fb4c049f4 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 18 Jul 2024 16:18:36 +0200
Subject: [PATCH] fix: remove broken Signal firewall rules

As NFTables converts domain names to IPs on the first query, it is not possible to depend on it to have a stable connection. Implementing a DNS proxy configuration might still be difficult due to the use of CDNs.
---
 salt/signal/README.md | 15 +--------------
 salt/signal/create.sls | 4 ----
 salt/signal/firewall.sls | 24 ------------------------
 salt/signal/firewall.top | 10 ----------
 salt/signal/init.top | 1 -
 5 files changed, 1 insertion(+), 53 deletions(-)
 delete mode 100644 salt/signal/firewall.sls
 delete mode 100644 salt/signal/firewall.top

diff --git a/salt/signal/README.md b/salt/signal/README.md
index 4d5f802e..314abeb7 100644
--- a/salt/signal/README.md
+++ b/salt/signal/README.md
@@ -40,17 +40,4 @@ sudo qubesctl state.apply signal.appmenus
 You may use different Signal accounts for different identities, such as
 personal, work or pseudonym. Maintain the `signal` qube pristine and clone it
-to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`. If
-you don't maintain the qube pristine, you will have to apply the firewall
-rules manually.
-
-Signal might loose connectivity due to [upstream rotating IP
-addresses](https://support.signal.org/hc/en-us/articles/360007320291) with the
-use of [CDNs to evade
-blocking](https://signal.org/blog/looking-back-on-the-front/).
-You will have to reapply the firewall rules eventually.
-
-TODO: Is it worth using the firewall? If you allow all [cloudfront.net
-IPs](https://ip-ranges.amazonaws.com/ip-ranges.json) for region "GLOBAL", what
-is blocking an attacker from using that to host his malicious callback server?
-Recently (2023-11-11) signal stopped working with the current firewall.
+to the assigned domain, `personal-signal`, `work-signal`, `anon-signal`.
 
diff --git a/salt/signal/create.sls b/salt/signal/create.sls
index e7b50e3e..9963a9e6 100644
--- a/salt/signal/create.sls
+++ b/salt/signal/create.sls
@@ -8,7 +8,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
 - .clone
- - .firewall
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
@@ -52,6 +51,3 @@ features:
 - menu-items: "signal-desktop.desktop qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
-
-{% from 'utils/macros/sync-appmenus.sls' import sync_appmenus with context -%}
-{{ sync_appmenus('tpl-' ~ sls_path) }}
diff --git a/salt/signal/firewall.sls b/salt/signal/firewall.sls
deleted file mode 100644
index 40b16203..00000000
--- a/salt/signal/firewall.sls
+++ /dev/null
@@ -1,24 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-"{{ slsdotpath }}-firewall":
- cmd.run:
- - require:
- - qvm: {{ slsdotpath }}
- - name: |
- qvm-check -q --running -- {{ slsdotpath }} && qvm-pause -- {{ slsdotpath }}
- qvm-firewall -- {{ slsdotpath }} reset
- qvm-firewall -- {{ slsdotpath }} del --rule-no 0
- qvm-check -q --running -- {{ slsdotpath }} && qvm-unpause -- {{ slsdotpath }}
- qvm-firewall -- {{ slsdotpath }} add accept signal.org
- qvm-firewall -- {{ slsdotpath }} add accept storage.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept chat.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept cdn.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept cdn2.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept sfu.voip.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept turn.voip.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept turn2.voip.signal.org
- qvm-firewall -- {{ slsdotpath }} add accept turn3.voip.signal.org
diff --git a/salt/signal/firewall.top b/salt/signal/firewall.top
deleted file mode 100644
index 12317a57..00000000
--- a/salt/signal/firewall.top
+++ /dev/null
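Review bot: Dropping `- .firewall` from `include:` in the first hunk leaves no state in this file that restricts the clone's outbound network, and neither the hunk nor the commit message records that the qube now runs with whatever default firewall policy Qubes assigns it (presumably unrestricted). A short comment above `include:` would keep that trade-off visible to whoever later asks why there is no firewall state, e.g. `{# No firewall state: qvm-firewall domain names are converted to IPs on the first query and break once Signal's CDN addresses rotate; the qube keeps the default policy. #}`. The README hunk in this same commit deletes the old note on reapplying rules, so this comment would be the only remaining record of the reasoning.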
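Review bot: The second hunk, `@@ -52,6 +51,3 @@`, also removes the `sync_appmenus('tpl-' ~ sls_path)` call together with its `{% from 'utils/macros/sync-appmenus.sls' import sync_appmenus with context -%}` import, which has nothing to do with the firewall rules the subject line names. If the appmenu sync now happens elsewhere (the README context line `sudo qubesctl state.apply signal.appmenus` suggests a dedicated state may cover it), say so in the commit message; otherwise this belongs in a separate commit so the template's appmenus do not silently stop being synced at creation. The `features:` block this hunk sits in begins outside the hunk.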
@@ -1,10 +0,0 @@
-{#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-
-SPDX-License-Identifier: AGPL-3.0-or-later
-#}
-
-base:
- 'dom0':
- - match: nodegroup
- - signal.firewall
diff --git a/salt/signal/init.top b/salt/signal/init.top
index 2126c4ca..4116273c 100644
--- a/salt/signal/init.top
+++ b/salt/signal/init.top
@@ -8,7 +8,6 @@ base:
 'dom0':
 - match: nodegroup
 - signal.create
- - signal.firewall
 'tpl-signal':
 - signal.install
 'signal':