On Thursday, January 19, 2017 at 12:07:17 AM UTC, Reg Tiangha wrote:
> On 2017-01-18 7:30 AM, Антон Чехов wrote:
> > Hi!
> >
> > Is anyone using the mirage firewall in connection with a proxyVM? How do
> > you configure it properly? Does it handle qubes-firewall-users-scripts?
> >
>
> I've run a Mirage-based firewall both in front of and behind a
> firewallVM and they chain together fine. Mirage Firewall in its current
> iteration does *not* respect modifications to firewall rules via Qubes;
> they have to be entered manually (there are some instructions on how to
> do that on the software author's blog). It isn't to say that Mirage
> Firewall couldn't do it one day, but I believe the author of the code is
> leaving it up as an exercise for the reader. Maybe he'll get around to
> implementing it, or maybe not, but from a purely technical standpoint,
> there's no reason why it couldn't be modified to work with Qubes
> firewall user scripts; it's just that it hasn't been implemented yet.
>
> Note that even if you're running the latest code off of GitHub,
> currently, Mirage Firewall still doesn't work correctly with DispVMs (or
> at least, I haven't been able to get it to work; the DispVM connects to
> it, but there's no traffic), even though there were some minimal fixes
> applied to try to handle how it handles IP addresses from a different
> pool. Works fine with AppVMs, though, as well as TemplateVMs, at least
> in my experience.
It works for me if I take the interface down and bring it up again in the DispVM, e.g.

[user@fedora-23-dvm ~]$ sudo ifconfig eth0 down && sudo ifconfig eth0 up
[user@fedora-23-dvm ~]$ sudo route add $(qubesdb-read /qubes-gateway) dev eth0
[user@fedora-23-dvm ~]$ sudo route add default gw $(qubesdb-read /qubes-gateway)
[user@fedora-23-dvm ~]$ curl http://www.google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.uk/?gfe_rd=cr&ei=vKSMWOn7F6vP8Aeg4KeoAQ">here</A>.
</BODY></HTML>

The odd thing is that, as far as I can see, reinitialising the interface is something that only affects Linux (no interaction with the firewall).

(And I'm not sure why my DispVM is Fedora 23 when my default template is Fedora 24, but anyway...)
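The workaround above, written up as a small script rather than four commands typed by hand. This is an added example and not code from the thread or from the Mirage firewall project; it assumes a Linux DispVM with iproute2 and `qubesdb-read` available (as on the Fedora DispVM in the post), uses `ip` in place of the deprecated `ifconfig`/`route`, and first checks whether the gateway and default routes are already present so it is safe to run more than once. The function and route-table strings are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux DispVM on Qubes with
# iproute2 and qubesdb-read (the interface name defaults to eth0).

# has_gateway_route ROUTE_TABLE GATEWAY
# ROUTE_TABLE is the text of `ip -4 route show`. Returns 0 if it contains both
# the link route to GATEWAY ("GATEWAY dev ...") and a default route via GATEWAY,
# otherwise 1. Dots in GATEWAY are escaped so they match literally.
has_gateway_route() {
    table="$1"
    gw_re="$(printf '%s' "$2" | sed 's/\./\\./g')"
    printf '%s\n' "$table" | grep -q "^${gw_re} dev " || return 1
    printf '%s\n' "$table" | grep -q "^default via ${gw_re} " || return 1
    return 0
}

# reinit_dispvm_net [IFACE]
# Bounces the interface, then re-adds the host route to the Qubes gateway and a
# default route through it, exactly as the post does by hand. Skips the bounce
# when the routes are already there. Returns 0 only if the routes exist afterwards.
reinit_dispvm_net() {
    iface="${1:-eth0}"
    gw="$(qubesdb-read /qubes-gateway)" || return 1
    if has_gateway_route "$(ip -4 route show)" "$gw"; then
        echo "routes via $gw already present on $iface, nothing to do"
        return 0
    fi
    sudo ip link set "$iface" down
    sudo ip link set "$iface" up
    # `replace` rather than `add` so a half-configured table does not make it fail
    sudo ip route replace "$gw" dev "$iface"
    sudo ip route replace default via "$gw" dev "$iface"
    has_gateway_route "$(ip -4 route show)" "$gw"
}
```

Call `reinit_dispvm_net` (or `reinit_dispvm_net eth0`) from inside the DispVM after it has connected to the firewall; it prints nothing and returns non-zero if the routes are still missing, which is the case to report rather than retry blindly.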