-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2016-08-21 04:02, nishiwak...@gmail.com wrote: > Any help to configure sys-firewall would be also really appreciated. I got > this annoying pop-up when I click on "Firewall rules" tab under the > sys-firewall proxyVM settings : > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM! > > You may edit the 'sys-firewall' VM firewall rules, but these will not take > any effect until you connect it to a working Firewall VM." > > Only subject related to this problem I found is this message from Unman on > Qubes-users group : > > "When you configure the firewall rules for a vm those rules are applied ON > THE FIREWALL to which the vm is attached. So the error message you get is > entirely accurate - your firewall is not attached to a firewall and so the > rules cannot be applied. Of course you COULD configure a firewall between > the fw and the netvm but the same consideration would apply to THAT fw. > There's no reason why you cant configure the fw iptables by hand if you > want to: you can use /rw/config/qubes-firewall-user-script to have these > rules applied automatically." > > Ok so here's what I understand from this message : this proxyVM Firewall is > probably working but rules don't apply because it is attached to a NetVM, > which don't have any firewall policies by default. > > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : > "Every VM in Qubes is connected to the network via a FirewallVM, which is > used to enforce network-level policies. By default there is one default > Firewall VM, but the user is free to create more, if needed." > > And then you got explanations on how to edit rules in a specific VM for a > given domain. > > So I understand you have to edit rules on a AppVM to open up ports there, > but I mean not everyone running Qubes OS is highly graduated in IT and > network routing. > > I find quite disappointing that the official documentation don't mention > more clearly how to set up the default sys-firewall proxyVM, like if you > are supposed to check either "Deny network access except" or "Allow network > access except" button or if that doesn't matter, if those policies won't > apply anyway because of this pop-up... >
Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there. Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être. By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like an chain them together.) - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXugDBAAoJENtN07w5UDAwLuQQAIlyBs1aeKEiQH2+W0WrNH5l VTCgtYo+rY3doNjScY95iCZB1e/s2v/RtbDKyXwot6lGFjUoRJTRdK2O78/j/6GS 1ggqrrtoX2KHB77RN3tJm65d2PqgpQM3G9opU8mUp89Ek0MHhjLl3vLMOUeekIXG RGhRwOruLZ3D4WkZDpRpqH3qnnrARDmAM32KOeFUKeDGwl1HPM2H78zlyGHWNEYv SammV42RbOFe3feWUDohCU2V0uMyZcn2jz3HSNfzM1/B/JQ2dvsm3xv4KDCtkZdC Prugken58eEK2T5s38QnN7JBhgHmvS3jB+X4IoN5eM3D8DabbTU78cGK8Z8He4pq kzHae//wxS9vcQ3aWjSbUc/Jz+P32jNHYbBtqRcNxT2p8AWcysaEMEsSvDPT4X6t 89II0Q0aHGX2TGQswKgWHtXuX00Qp7XL2T5mL3EaEXvM/BWMPMnxAEGocVLRbcl5 TO3ewl/LVJEiGiL6hwj66FuNeIVlYkxHJ2ZQ8VM6NYu6TN96fLrbYxyBE3yNmcJj DwVi2rwsTYtnFt4znaBOnNmAIwBNRa9z66Y04KXGcyaq+6i9D66J2Yh3NkuWwKfj /8dBEST20BJB8+8KYX7F1cZt62hVQANYgaGqhFn+x3tMme5FClmK7obvBlMe6gJu 5SGrV5qlobdhla78qT1T =iqUV -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/23c121ec-f227-f51b-991d-1eb38750bb11%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.