On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> Any help to configure sys-firewall would be also really appreciated. I got
>  this annoying pop-up when I click on "Firewall rules" tab under the 
> sys-firewall proxyVM settings :
> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> You may edit the 'sys-firewall' VM firewall rules, but these will not take
>  any effect until you connect it to a working Firewall VM."
> Only subject related to this problem I found is this message from Unman on
>  Qubes-users group :
> "When you configure the firewall rules for a vm those rules are applied ON
>  THE FIREWALL to which the vm is attached. So the error message you get is
>  entirely accurate - your firewall is not attached to a firewall and so the
>  rules cannot be applied. Of course you COULD configure a firewall between 
> the fw and the netvm but the same consideration would apply to THAT fw. 
> There's no reason why you cant configure the fw iptables by hand if you 
> want to: you can use /rw/config/qubes-firewall-user-script to have these 
> rules applied automatically."
> Ok so here's what I understand from this message : this proxyVM Firewall is
> probably working but rules don't apply because it is attached to a NetVM,
> which doesn't have any firewall policies by default.
> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
>  "Every VM in Qubes is connected to the network via a FirewallVM, which is
>  used to enforce network-level policies. By default there is one default 
> Firewall VM, but the user is free to create more, if needed."
> And then you got explanations on how to edit rules in a specific VM for a 
> given domain.
> So I understand you have to edit rules on an AppVM to open up ports there, 
> but I mean not everyone running Qubes OS is highly graduated in IT and 
> network routing.
> I find it quite disappointing that the official documentation doesn't mention 
> more clearly how to set up the default sys-firewall proxyVM, like if you 
> are supposed to check either "Deny network access except" or "Allow network
> access except" button or if that doesn't matter, if those policies won't
> apply anyway because of this pop-up...

Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even

Suppose you have an AppVM in which you want to enforce specific firewall
rules. You should go into the VM settings for *that VM*, then the "Firewall
rules" tab, then configure your firewall rules there. These firewall rules are
then *enforced by* sys-firewall under the hood. Enforcing these rules for
other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there
is no other VM that can perform this job *for* sys-firewall. But that's not a
problem, because there's usually no reason to specify firewall rules for
sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
as you like and chain them together.)
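As an added example (my own, not code from the thread or from the Qubes project), here is what Unman's suggestion could look like in practice: a /rw/config/qubes-firewall-user-script inside sys-firewall that restricts sys-firewall's *own* outbound connections, which is the one thing the "Firewall rules" tab cannot do for it. It assumes the iptables-based firewall of Qubes 3.x and that nothing running on sys-firewall itself needs to open new outbound connections; rules for AppVMs still belong in each AppVM's own "Firewall rules" tab.

```shell
#!/bin/sh
# Added example, not from the thread: /rw/config/qubes-firewall-user-script
# inside sys-firewall. Qubes runs this script each time it rebuilds the
# firewall chains, so everything here must be safe to run repeatedly.
# Assumes the iptables-based firewall of Qubes 3.x, where the ProxyVM's own
# traffic uses the OUTPUT chain and traffic it forwards for AppVMs uses
# FORWARD (which the GUI rules of each AppVM already control).

# Rules for sys-firewall's own outbound traffic, one per line, as the
# arguments that follow "iptables -A" or "iptables -C". Order matters:
# loopback and existing connections are accepted before the logged drop.
own_traffic_rules() {
    cat <<'EOF'
OUTPUT -o lo -j ACCEPT
OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
OUTPUT -m limit --limit 5/min -j LOG --log-prefix sysfw-own:
OUTPUT -j DROP
EOF
}

# Append one rule only when "iptables -C" reports it is not present yet,
# so re-running the script never duplicates rules. $* is intentionally
# unquoted: the rule text is split into the individual iptables arguments.
ensure_rule() {
    iptables -C $* 2>/dev/null || iptables -A $*
}

# Apply all rules; prints how many were handed to iptables.
apply_own_traffic_rules() {
    count=0
    # The loop runs in the current shell (no pipe) so count survives it.
    while read -r rule; do
        ensure_rule $rule
        count=$((count + 1))
    done <<EOF
$(own_traffic_rules)
EOF
    echo "$count"
}

# Only touch iptables when actually running as root inside the ProxyVM;
# elsewhere (e.g. when reviewing the script) just print what would be applied.
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_own_traffic_rules
else
    own_traffic_rules
fi
```

After saving the file, make it executable and check `iptables -L OUTPUT -n` (or /var/log/messages for the sysfw-own: prefix) to confirm the rules are in place and nothing on sys-firewall itself is being cut off.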

