Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > Any help to configure sys-firewall would be also really appreciated. I got
> >  this annoying pop-up when I click on "Firewall rules" tab under the 
> > sys-firewall proxyVM settings :
> > 
> > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> > 
> > You may edit the 'sys-firewall' VM firewall rules, but these will not take
> >  any effect until you connect it to a working Firewall VM."
> > 
> > Only subject related to this problem I found is this message from Unman on
> >  Qubes-users group :
> > 
> > "When you configure the firewall rules for a vm those rules are applied ON
> >  THE FIREWALL to which the vm is attached. So the error message you get is
> >  entirely accurate - your firewall is not attached to a firewall and so the
> >  rules cannot be applied. Of course you COULD configure a firewall between 
> > the fw and the netvm but the same consideration would apply to THAT fw. 
> > There's no reason why you cant configure the fw iptables by hand if you 
> > want to: you can use /rw/config/qubes-firewall-user-script to have these 
> > rules applied automatically."
> > 
> > Ok so here's what I understand from this message : this proxyVM Firewall is
> > probably working but rules don't apply because it is attached to a NetVM,
> > which don't have any firewall policies by default.
> > 
> > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
> >  "Every VM in Qubes is connected to the network via a FirewallVM, which is
> >  used to enforce network-level policies. By default there is one default 
> > Firewall VM, but the user is free to create more, if needed."
> > 
> > And then you got explanations on how to edit rules in a specific VM for a 
> > given domain.
> > 
> > So I understand you have to edit rules on a AppVM to open up ports there, 
> > but I mean not everyone running Qubes OS is highly graduated in IT and 
> > network routing.
> > 
> > I find quite disappointing that the official documentation don't mention 
> > more clearly how to set up the default sys-firewall proxyVM, like if you 
> > are supposed to check either "Deny network access except" or "Allow network
> > access except" button or if that doesn't matter, if those policies won't
> > apply anyway because of this pop-up...
> > 
> 
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> there.
> 
> Suppose you have an AppVM in which you want to enforce specific firewall
> rules. You should go into the VM settings for *that VM*, then the "Firewall
> rules" tab, then configure your firewall rules there. These firewall rules are
> then *enforced by* sys-firewall under the hood. Enforcing these rules for
> other VMs is sys-firewall's raison d'être.
> 
> By default, there is only one VM with this job: sys-firewall. Therefore, there
> is no other VM that can perform this job *for* sys-firewall. But that's not a
> problem, because there's usually no reason to specify firewall rules for
> sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
> as you like an chain them together.)
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -----BEGIN PGP SIGNATURE-----
> 
> iQIcBAEBCgAGBQJXugDBAAoJENtN07w5UDAwLuQQAIlyBs1aeKEiQH2+W0WrNH5l
> VTCgtYo+rY3doNjScY95iCZB1e/s2v/RtbDKyXwot6lGFjUoRJTRdK2O78/j/6GS
> 1ggqrrtoX2KHB77RN3tJm65d2PqgpQM3G9opU8mUp89Ek0MHhjLl3vLMOUeekIXG
> RGhRwOruLZ3D4WkZDpRpqH3qnnrARDmAM32KOeFUKeDGwl1HPM2H78zlyGHWNEYv
> SammV42RbOFe3feWUDohCU2V0uMyZcn2jz3HSNfzM1/B/JQ2dvsm3xv4KDCtkZdC
> Prugken58eEK2T5s38QnN7JBhgHmvS3jB+X4IoN5eM3D8DabbTU78cGK8Z8He4pq
> kzHae//wxS9vcQ3aWjSbUc/Jz+P32jNHYbBtqRcNxT2p8AWcysaEMEsSvDPT4X6t
> 89II0Q0aHGX2TGQswKgWHtXuX00Qp7XL2T5mL3EaEXvM/BWMPMnxAEGocVLRbcl5
> TO3ewl/LVJEiGiL6hwj66FuNeIVlYkxHJ2ZQ8VM6NYu6TN96fLrbYxyBE3yNmcJj
> DwVi2rwsTYtnFt4znaBOnNmAIwBNRa9z66Y04KXGcyaq+6i9D66J2Yh3NkuWwKfj
> /8dBEST20BJB8+8KYX7F1cZt62hVQANYgaGqhFn+x3tMme5FClmK7obvBlMe6gJu
> 5SGrV5qlobdhla78qT1T
> =iqUV
> -----END PGP SIGNATURE-----

Ok, thank you very much for your help. Unfortunately I still have great 
difficulties to open up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying :

"A diagram in the wiki would help people understand.

For now:
A packet comming from the outside has a sourceIP of the workstation on the LAN 
that issued it or the router that routed the packet into your LAN and a 
destinationIP of your netVM externalIP (probably 192.168.0.x).
The NetVM iptables rules are going to transform it to a packet with a 
destinationIP of your firewallVM (10.137.1.5).
The firewallVM iptables rule are going to transform it to a packet with a 
desktinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help.
I don't get why documentation don't address the routing basics stuff that isn't 
really basic for newbies, for random people. I like a lot Qubes, this is an 
awesome OS, but far too complicated for mister everyone. I am at the point 
right now where frustration becomes overwhelming.
I don't think I am not curious, trying to improve or understand better the way 
this OS works... I'm just going mad tonight, lol.

So let me try to sum up this comment in a visual way to understand better how 
routing works on Qubes.

Outside IP packet (source : AppVM or router, like on some http request) => 
sys-net VM (destination) => firewall VM (new destination routed from sys-net VM 
with iptables) => AppVM (new destination routed from sys-net VM with iptables).

So let's say if I deny all traffic in an AppVM and want to make exclusions to 
open only standard http(80) or https(443) protocols, am I supposed to enter new 
rules in dom0 for the AppVM's Firewall and also configure iptables as well, or 
only AppVM's Firewall exceptions are going to be enough please ?

https://www.qubes-os.org/doc/dom0-tools/qvm-firewall/
I tried to connect Firefox on an AppVM with this rule, launching an https site, 
but it failed :(
"qvm-firewall AppVMname -a localadressofsysnet(192.168.x.x) any 443 -P allow"

I also added a rule with vifX.X interface adress (I guess it is the bridge to 
redirect traffic to the LAN network, but this is just assumption from me, I 
didn't read about it), but still no success. Well, I might need a rope instead ~

Anyway I probably have to deal again with this documentation 
https://www.qubes-os.org/doc/qubes-firewall/ and copy the automatic scripts 
executing on one of the folders that don't reset data automatically at reboot 
(/rw/config/), but I already did that to make 2 VM communicate each others 
(client/server) and anyway this doesn't matter if I can't communicate with the 
outside.

Indeed, I don't understand 1 thing on the "Port forwarding to a VM from the 
outside world" part of the documentation : on the iptables scripts, do you have 
to replace "MY-HTTPS" with the name of your service please ? Like for hosting a 
server, with "apache2" service ?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/89790add-4ef2-444a-842c-47f289c6287c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to