Hi,

I am looking for clarifications pertaining to setting firewall rules via the 
Qubes VM manager GUI.

A validating, caching name resolver is running in one of the AppVMs (called 
"sys-dns"):

sys-net VM <==> sys-firewall VM
                    |<==> sys-dns (AppVM)
                    |<==> AppVM-1
                    |<==> AppVM-2
                    . . .
                    |<==> AppVM-N


Each AppVM has an "Allow DNS queries" checkbox, accessible via the "Qubes VM 
manager : VM : Edit VM Firewall rules" menu.  When I put a check mark into this 
checkbox, the system updates the iptables rules in the sys-firewall VM so that 
packets with destination port 53 are forwarded to the sys-firewall eth0 
interface (IP=10.137.1.8).  So far, so good.


It appears that the better way is to let the sys-dns name resolver respond to 
such DNS queries.


Questions
---------

1) How do I tune Qubes OS so that putting a check mark into the said checkbox 
causes packets with destination port 53 to be forwarded to the sys-dns VM 
(instead of to the sys-firewall eth0 interface)?



2) Do the following checkboxes 
   a) "Allow network access except ..."
   b) "Allow ICMP traffic"
   c) "Allow DNS queries"
overlap?  Meaning that if a) is the only one of the three enabled, then both 
"ICMP traffic" and "DNS queries" are allowed.


3) What are the typical use cases for disabling "ICMP traffic"?  When is it 
safe to disable "ICMP traffic" for a specific AppVM?

Thank you,
- David
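The redirection asked about in question 1, written out as an added example; it is not part of the original post or of Qubes' own code. It assumes the Qubes 3.x ProxyVM layout of that time: the DNS DNAT rules live in the nat-table chain PR-QBS inside sys-firewall, and /rw/config/qubes-firewall-user-script there is executed after the stock rules are (re)generated, so a script at that path can replace them every time a firewall checkbox is changed in the GUI. The two addresses are placeholders: FIREWALL_DNS_IP is the address AppVMs actually send their queries to (defaulting to the 10.137.1.8 observed in the post; confirm with `iptables -t nat -S PR-QBS` in sys-firewall) and SYS_DNS_IP is an assumed address for sys-dns (confirm with `ip addr` in that qube).

```shell
#!/bin/sh
# Added example (not from the original post or from Qubes): send the DNS
# traffic that Qubes currently DNATs towards sys-firewall on to a resolver
# running in a separate qube, assumed here to be "sys-dns".
#
# Assumptions (not stated on the page): Qubes 3.x ProxyVM layout, where the
# nat-table chain PR-QBS holds the DNS DNAT rules and
# /rw/config/qubes-firewall-user-script is run after the stock rules are
# installed.  Run inside sys-firewall as root.  Both IPs are placeholders.

FIREWALL_DNS_IP="${FIREWALL_DNS_IP:-10.137.1.8}"  # where AppVM queries go now (from the post; verify)
SYS_DNS_IP="${SYS_DNS_IP:-10.137.2.20}"           # sys-dns address (assumed; verify with ip addr)
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print the iptables commands, 0 = execute them

# Reject anything that is not a dotted-quad IPv4 address before it reaches
# iptables; the values come from the environment, so do not trust them.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rule set: flush the stock PR-QBS DNAT rules, then DNAT both UDP and
# TCP port 53 (TCP is needed for large DNSSEC answers) to sys-dns.  Packets
# that originate from sys-dns itself are excluded ("! -s") so its own traffic
# can never be looped back to it.
dns_redirect_rules() {
    fw="$1"; dns="$2"
    valid_ipv4 "$fw"  || { echo "bad firewall DNS IP: $fw" >&2; return 1; }
    valid_ipv4 "$dns" || { echo "bad sys-dns IP: $dns" >&2; return 1; }
    cat <<EOF
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS ! -s $dns -d $fw -p udp --dport 53 -j DNAT --to-destination $dns
iptables -t nat -A PR-QBS ! -s $dns -d $fw -p tcp --dport 53 -j DNAT --to-destination $dns
EOF
}

# Print the commands (dry run) or feed them to a shell that stops at the first
# failure, so a half-applied chain is not left behind silently.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        dns_redirect_rules "$FIREWALL_DNS_IP" "$SYS_DNS_IP"
    else
        dns_redirect_rules "$FIREWALL_DNS_IP" "$SYS_DNS_IP" | sh -e
    fi
}

apply_rules
```

To install it, copy the script to /rw/config/qubes-firewall-user-script in sys-firewall, make it executable, and run it once with DRY_RUN=0; afterwards it is reapplied whenever the firewall rules are regenerated. Check with `iptables -t nat -L PR-QBS -n -v` that the packet counters on the two DNAT rules grow when an AppVM resolves a name. Because the whole chain is flushed, sys-dns must reach its upstream on its own (a validating recursive resolver querying authoritative servers directly does; a resolver that merely forwards to the Qubes-provided address would not), and the "Allow DNS queries" checkbox still has to be enabled for each AppVM, since that rule is what lets port 53 through the filter table in the first place.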

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/2031198658.7261751.1490814763594%40mail.yahoo.com.