Everything works, just one question about networking

Hi! Using Kicksecure for KVM, version 16.0.5.3. Thank you btw, this is insanely awesome.

I noticed that Kicksecure is using DHCP to dynamically assign an IP address to its eth0 interface. This requires that ports 67,68,53 are open on the virtual network device, which I’m trying to avoid.

I would instead like a static IP address to be assigned. In my case something in the 10.0.2.0/24 range, because my virtual network IP is 10.0.2.2

Would assigning an IP in /etc/network/interfaces and adding a route to the gateway break anything?

Here is my network xml for Kicksecure.

<network>
  <name>kick_net</name>
  <forward dev='eth2' mode='nat'>
    <interface dev='eth2'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
      <dhcp>
         <range start='10.0.2.5' end='10.0.2.254'/>
     </dhcp>
  </ip>
</network>

Thank you!

For Kicksecure, any network configuration as per user customization should be fine. Disabling DHCP and using static networking, yes, why not, as long as it works…

//cc @HulaHoop Kicksecure KVM maintainer

FYI there’s no security problem because the KS VM is behind an NAT on its own dedicated IP range, but it is indeed possible to configure it as you like.

No, assuming that you don’t have another VM on the same LAN with an identical IP. You can set a static IP either via the VM XML or by editing the network config files inside it.

No, assuming that you don’t have another VM on the same LAN with an identical IP. You can set a static IP either via the VM XML or by editing the network config files inside it.

Hello HulaHoop and Patrick, thanks for the reply!

I couldn’t find the network config files inside, unfortunately.

There is no /etc/network/interfaces or /etc/network/interfaces.d/30_kicksecure. I tried creating it, or even messing with kicksecure-network-conf, but no luck.

I found my own “ghetto” solution so far.

1.) editing /etc/hosts and adding 127.0.0.1 localhost.localdomain
because without dhcp the hostname isn’t localhost, but localhost.localdomain
2.) ifconfig eth0 10.0.2.150 netmask 255.255.255.0
3.) ip route add default via 10.0.2.2

This gets everything working, but it’s not persistent, so I put a script executing it in autostart.

If you could point me to the config files or possibly a better solution that would be awesome. Thanks again man! :grinning:

FYI there’s no security problem because the KS VM is behind an NAT on its own dedicated IP range, but it is indeed possible to configure it as you like.

I see, you’re saying that there wouldn’t be any risk with these ports open because it’s invisible to the guest anyway?

I went through a bunch of KVM documentation and forums. Some people are suggesting that the virtual network device shouldn’t have open ports because it would make it easier for an attacker to “break out of the vm”. I’m not gonna pretend to understand that, but it’s why I opted for a static IP.

Package GitHub - Kicksecure/kicksecure-network-conf currently does at time of writing very little. See package description.

At time of writing, Kicksecure does not modify file /etc/network/interfaces or place files in /etc/network/interfaces.d/ folder.

Networking related packages, see:

apt-cache show kicksecure-network-conf

Static network configuration can only be set up as per https://www.kicksecure.com/wiki/Free_Support_Principle

I don’t think Kicksecure for KVM opens any ports that are reachable from the host? Kicksecure should come without any open ports by default anyhow. And even if a server (such as nginx) gets installed inside the VM that opens a server port it is actually non-trivial to make such ports accessible on the host, something not happening by accident?

Static network configuration can only be set up as per https://www.kicksecure.com/wiki/Free_Support_Principle

My apologies for occupying resources, I’m definitely gonna support this project.

I read the documentation, and two methods are outlined to assign a static IP via XML.

1.) Adding an ip section to the VM xml - here the network portion of the Kicksecure.xml

    <interface type='network'>
      <mac address='52:54:00:c6:f6:27'/>
      <source network='super' portid='e3de0cc2-97f4-4e4a-a16b-24bd5ec6de21' bridge='virbr1'/>
      <target dev='vnet2'/>
      <model type='virtio'/>
      <driver name='qemu'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
      <ip address='10.0.2.150' netmask='255.255.254.0' gateway='10.0.2.2'>
      </ip>
    </interface>

2.) Adding the mac address of the Kicksecure network adapter and static ip to the virtual network xml

<network>
  <name>kick_net</name>
  <forward dev='eth2' mode='nat'>
    <interface dev='eth2'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
      <dhcp>
         <range start='10.0.2.5' end='10.0.2.254'/>
         <host mac='52:54:00:c6:f6:27' name='Kicksecure' ip='10.0.2.150'/>
     </dhcp>
  </ip>
</network>

I restarted the virtual network devices and libvirtd daemon as instructed, but both solutions failed.

Am I missing anything here?

I don’t think Kicksecure for KVM opens any ports that are reachable from the host? Kicksecure should come without any open ports by default anyhow.

My apologies, I should have clarified.

KVM Kicksecure does not have any open ports, both INPUT and FORWARD are dropping by default.

What I was referring to is the virtual network device virbr1, which needs to have ports 68,67,53 open in order for DHCP to be able to assign an ip address to Kicksecure’s eth0 interface. Libvirt creates these iptables automatically.

-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT

HulaHoop pointed out that the VM sits behind the NAT, thus open ports on virbr1 would not pose a security risk.

I am deeply researching this at the moment, because I’ve found conflicting opinions on the subject.

Thanks again to both of you for the time and information.
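Added example (not part of the original posts): a small audit of iptables-save style output that separates the DNS/DHCP ACCEPT rules quoted above from any other ACCEPT rule naming the same bridge. The function name `audit_bridge_rules` is hypothetical, and the sample input is constructed from the rules in the post plus one invented tcp/22 rule to show what a finding looks like.

```python
import re

# Constructed sample: rules in the format quoted in the post, plus one
# invented rule (tcp/22 in INPUT) that is not from the thread.
SAMPLE_RULES = """\
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Ports named in the thread: DNS and DHCP between the guests and the host.
EXPECTED = {53: "DNS", 67: "DHCP server", 68: "DHCP client"}

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-(?P<dir>[io]) (?P<iface>\S+) .*?-p (?P<proto>\S+)"
    r".*?--dport (?P<port>\d+) .*?-j (?P<target>\S+)")

def audit_bridge_rules(rules_text, bridge):
    """Return (expected, unexpected) ACCEPT rules that name `bridge`."""
    expected, unexpected = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["iface"] != bridge or m["target"] != "ACCEPT":
            continue  # other interface, other target, or a rule without --dport
        port = int(m["port"])
        entry = (m["chain"], "in" if m["dir"] == "i" else "out", m["proto"], port)
        (expected if port in EXPECTED else unexpected).append(entry)
    return expected, unexpected

if __name__ == "__main__":
    ok, findings = audit_bridge_rules(SAMPLE_RULES, "virbr1")
    print(f"{len(ok)} DNS/DHCP rules on virbr1")
    for chain, direction, proto, port in findings:
        print(f"review: {chain} accepts {proto}/{port} ({direction}) on virbr1")
```

On a real host the input would be the saved ruleset, filtered to the bridge you care about.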

OK guys, I went on a deep dive and figured it out. Here a small guide for anyone else who might be interested.

In order to achieve a static IP in Kicksecure, 3 conditions must be met.
Note that you can’t remove or disable DHCP, the IP is only “static” in effect, meaning you can control which address is assigned by DHCP, but you must still leave it intact. I’ve tried removing it, but it’s not possible in Kicksecure.

1.)
Add a host option in the dhcp section of your network.xml
It consists of mac (the mac address of Kicksecure’s virtual network card), name and ip.
This ip will be the one that is assigned by DHCP at every boot.

<network>
  <name>kick_net</name>
  <forward dev='eth2' mode='nat'>
    <interface dev='eth2'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
      <dhcp>
         <range start='10.0.2.5' end='10.0.2.254'/>
         <host mac='52:54:00:c6:f6:27' name='Kicksecure' ip='10.0.2.150'/>
     </dhcp>
  </ip>
</network>

2.) Inside Kicksecure you must modify the hostname, because for some reason it is incorrect.
The proper hostname is localhost.localdomain, not localhost, which is the original entry. This will also solve the “unable to resolve host” error. You can check your hostname by running hostname.
sudo mousepad /etc/hosts
127.0.0.1 localhost.localdomain

3.) When using a static ip via host config, as shown above, you must stop DHCP and NetworkManager from interfering with /etc/resolv.conf and break all symlinks.
Execute the following:

echo 'make_resolv_conf() { :; }' > /etc/dhcp/dhclient-enter-hooks.d/resolv_free
chmod 755 /etc/dhcp/dhclient-enter-hooks.d/resolv_free
rm -rf /etc/resolv.conf
touch /etc/resolv.conf 

Then you can enter your nameservers in resolv.conf.

Finally, edit /etc/NetworkManager/NetworkManager.conf and add the following under the [main] section:

dns=default

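Added example (not part of the original posts): a pre-flight check for the DHCP host reservation from step 1, run against the network XML before it is handed to libvirt. It reports XML that is not well-formed, a reserved address outside the bridge's subnet or equal to the bridge address, duplicate reservations, and a reservation whose MAC does not match the guest's NIC. The function name `check_reservations` is hypothetical, and the embedded XML is constructed from the values in the thread.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed input: the thread's network values, written as well-formed XML.
NETWORK_XML = """
<network>
  <name>kick_net</name>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.0.2.5' end='10.0.2.254'/>
      <host mac='52:54:00:c6:f6:27' name='Kicksecure' ip='10.0.2.150'/>
    </dhcp>
  </ip>
</network>
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def check_reservations(network_xml, guest_mac):
    """Return a list of problems with the <dhcp><host> entries for guest_mac."""
    try:
        root = ET.fromstring(network_xml)
    except ET.ParseError as exc:  # e.g. a stray quote or an unclosed element
        return [f"XML is not well-formed: {exc}"]
    problems, seen_ips, matched = [], set(), False
    for ip_el in root.findall("ip"):
        gateway = ipaddress.ip_address(ip_el.get("address"))
        subnet = ipaddress.ip_network(f"{gateway}/{ip_el.get('netmask')}", strict=False)
        for host in ip_el.findall("dhcp/host"):
            mac, addr = host.get("mac", ""), ipaddress.ip_address(host.get("ip"))
            if not MAC_RE.match(mac):
                problems.append(f"bad MAC {mac!r}")
            if addr not in subnet or addr in (subnet.network_address, subnet.broadcast_address):
                problems.append(f"{addr} is not a usable address in {subnet}")
            if addr == gateway:
                problems.append(f"{addr} is the bridge's own address")
            if addr in seen_ips:
                problems.append(f"{addr} is reserved twice")
            seen_ips.add(addr)
            matched |= mac.lower() == guest_mac.lower()
    if not matched:
        problems.append(f"no reservation for guest MAC {guest_mac}")
    return problems

if __name__ == "__main__":
    print(check_reservations(NETWORK_XML, "52:54:00:c6:f6:27") or "reservation looks consistent")
```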