On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> Any help to configure sys-firewall would be also really appreciated. I got
>  this annoying pop-up when I click on "Firewall rules" tab under the 
> sys-firewall proxyVM settings :
> 
> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> 
> You may edit the 'sys-firewall' VM firewall rules, but these will not take
>  any effect until you connect it to a working Firewall VM."
> 
> Only subject related to this problem I found is this message from Unman on
>  Qubes-users group :
> 
> "When you configure the firewall rules for a vm those rules are applied ON
>  THE FIREWALL to which the vm is attached. So the error message you get is
>  entirely accurate - your firewall is not attached to a firewall and so the
>  rules cannot be applied. Of course you COULD configure a firewall between 
> the fw and the netvm but the same consideration would apply to THAT fw. 
> There's no reason why you can't configure the fw iptables by hand if you 
> want to: you can use /rw/config/qubes-firewall-user-script to have these 
> rules applied automatically."
> 
> Ok so here's what I understand from this message : this proxyVM Firewall is
> probably working but rules don't apply because it is attached to a NetVM,
> which doesn't have any firewall policies by default.
> 
> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
>  "Every VM in Qubes is connected to the network via a FirewallVM, which is
>  used to enforce network-level policies. By default there is one default 
> Firewall VM, but the user is free to create more, if needed."
> 
> And then you got explanations on how to edit rules in a specific VM for a 
> given domain.
> 
> So I understand you have to edit rules on an AppVM to open up ports there, 
> but I mean not everyone running Qubes OS is highly graduated in IT and 
> network routing.
> 
> I find it quite disappointing that the official documentation doesn't mention 
> more clearly how to set up the default sys-firewall proxyVM, like if you 
> are supposed to check either "Deny network access except" or "Allow network
> access except" button or if that doesn't matter, if those policies won't
> apply anyway because of this pop-up...
> 

Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
there.

Suppose you have an AppVM in which you want to enforce specific firewall
rules. You should go into the VM settings for *that VM*, then the "Firewall
rules" tab, then configure your firewall rules there. These firewall rules are
then *enforced by* sys-firewall under the hood. Enforcing these rules for
other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there
is no other VM that can perform this job *for* sys-firewall. But that's not a
problem, because there's usually no reason to specify firewall rules for
sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
as you like and chain them together.)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org