On 03/06/2017 12:41 AM, Unman wrote:
> On Sun, Mar 05, 2017 at 10:26:22PM +0100, evo wrote:
>>
>> On 03/05/2017 10:22 PM, Unman wrote:
>>> On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
>>>> oh, thanks... I thought I read the post about firewall, but didn't see
>>>> the limit of 3kb.
>>>>
>>>> so the only way to get over 3kb is to edit own rules in /rw/config?
>>>> And for building the own script there, I should really understand the
>>>> whole iptables thing.. puh :)
>>>>
>>>> sorry for the newbie question, but what the hell is /rw??
>>>>
>>>> On 03/05/2017 10:03 PM, Unman wrote:
>>>>> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>>>>>> Hello!
>>>>>>
>>>>>> I get an error pop-up:
>>>>>> "ERROR: Firewall tab: (0,'Error')
>>>>>>
>>>>>> by adding a new address.
>>>>>>
>>>>>> I have already added a few addresses (about 20 or 30).
>>>>>> Is there any limit or something like that??
>>>>>>
>>>>>> thanks!
>>>>>
>>>>> Yes:
>>>>> It's documented here:
>>>>> www.qubes-os.org/doc/firewall
>>>>>
>>>>> There's also a proposal for a work around
>>>>>
>>>
>>> Can you try not to top-post?
>>>
>>> When you are running a TemplateBasedVM, most of the file system comes
>>> from the template. This means that many changes that you make will
>>> disappear on reboot. (E.g. changing config in /etc, installing programs
>>> etc.)
>>> Some parts of the file system (/home and /usr/local) DO persist in the
>>> qube. They are actually stored in /rw: have a look.
>>> There is also a mechanism (bind-dirs) for making other files persistent.
>>> You can read about it in the docs.
>>> (You can, of course, also store files in /rw/config and use the
>>> rc.local mechanism to change files in the root file system on boot - e.g.
>>> adding entries to hosts files, custom iptables rules etc etc.)
>>>
>>> unman
>>>
>>
>> ok, so the /rw is on the VM and not in the dom0, understood.
>>
>> do I need a special name for the iptables rules in /rw/config?
>>
>> maybe just an example for permitting 8.8.8.8:80 ... I know it's the iptables
>> thing :)
>
>
> For proxyVMs (like sys-firewall) there is a built-in mechanism you can
> exploit.
> Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
> have already hit that 3k limit.
> Edit the file /rw/config/qubes-firewall-user-script, and add the line:
> iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT
>
> chmod +x /rw/config/qubes-firewall-user-script
>
> This script is called whenever a new qube is attached to the proxyVM
> and the relevant iptables rules are automatically rebuilt.
>
> You can also build your own custom rulesets and store them in an
> arbitrarily named file called from /rw/config/qubes-firewall-user-script,
> and you can, of course, do anything you like from this file, which will
> be triggered when a new qube is attached: that is, you aren't limited to
> firewall manipulation.
>
> unman
>

thanks! so I can just write the line for one rule, without writing the whole script for iptables.

so I can call it however I want or use the qubes-firewall-user-script file... is it principally the same? or does qubes-firewall-user-script replace the whole rules I already have?

the problem I have now is... I forgot to delete the "overloaded" rule from the VM and now I can not start it. is there any other way to start it, or to delete this overloaded 3k-file? is this file on sys-firewall or on the VM itself?
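One way to keep a larger allow list out of the GUI firewall and apply it from /rw/config/qubes-firewall-user-script, as discussed in unman's reply above. This is an added example, not code from the thread or from Qubes: the allow-list file path and its one-rule-per-line format are assumptions, and the `iptables -C` check before each insert is a defensive addition so that repeated runs of the script (it is called every time a qube attaches to the proxyVM) do not stack duplicate rules.

```shell
#!/bin/sh
# Example /rw/config/qubes-firewall-user-script (remember: chmod +x).
# Assumed allow-list format, one rule per line, '#' starts a comment:
#   <source-qube-ip> <destination-ip> <tcp|udp> <dport>
ALLOW_LIST="${ALLOW_LIST:-/rw/config/firewall-allow.txt}"   # assumed path

# Build the iptables match/target part for one allow-list entry, i.e. the
# same shape as the hand-written rule in the thread minus "-I FORWARD".
rule_spec() {
  # $1 = source IP, $2 = destination IP, $3 = protocol, $4 = destination port
  printf '%s' "-s $1 -d $2 -p $3 --dport $4 -j ACCEPT"
}

# Insert the rule at the top of FORWARD only if it is not already present.
apply_rule() {
  spec=$(rule_spec "$@")
  # Word splitting of $spec into separate iptables arguments is intended.
  if ! iptables -C FORWARD $spec 2>/dev/null; then
    iptables -I FORWARD $spec
  fi
}

# Walk the allow list, skipping blank lines and comments; print the number
# of rules processed so the caller (or a test) can check it.
apply_allow_list() {
  file="$1"
  [ -r "$file" ] || return 0          # nothing to do without a list
  count=0
  while read -r src dst proto port _; do
    case "$src" in ''|'#'*) continue ;; esac
    apply_rule "$src" "$dst" "$proto" "$port"
    count=$((count + 1))
  done < "$file"
  echo "$count"
}

apply_allow_list "$ALLOW_LIST" >/dev/null
```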
