On Mon, Mar 06, 2017 at 08:26:30AM +0100, evo wrote:
> 
> 
> On 03/06/2017 12:41 AM, Unman wrote:
> > On Sun, Mar 05, 2017 at 10:26:22PM +0100, evo wrote:
> >>
> >>
> >> On 03/05/2017 10:22 PM, Unman wrote:
> >>> On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
> >>>> oh, thanks... i thought i read the post about firewall, but didn't see
> >>>> the limit of 3kb.
> >>>>
> >>>> so the only way to get over 3kb is to edit own rules in /rw/config?
> >>>> And for building the own script there, i should really understand the
> >>>> whole iptables thing.. puh :)
> >>>>
> >>>> sorry for the newbie question, but what the hell is /rw??
> >>>>
> >>>>
> >>>>
> >>>> On 03/05/2017 10:03 PM, Unman wrote:
> >>>>> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
> >>>>>> Hello!
> >>>>>>
> >>>>>> i get an error pop-up:
> >>>>>> "ERROR: Firewall tab: (0,'Error')
> >>>>>>
> >>>>>> by adding new address.
> >>>>>>
> >>>>>> i have already added few addresses (about 20 or 30)
> >>>>>> is there any limit or something like that??
> >>>>>>
> >>>>>> thanks!
> >>>>>
> >>>>> Yes:
> >>>>> It's documented here:
> >>>>> www.qubes-os.org/doc/firewall
> >>>>>
> >>>>> There's also a proposal for a work around
> >>>>>
> >>>
> >>> Can you try not to top-post?
> >>>
> >>> When you are running a TemplateBasedVM, most of the file system comes
> >>> from the template. This means that many changes that you make will
> >>> disappear on reboot. (E.g. changing config in /etc, installing programs
> >>> etc.)
> >>> Some parts of the file system (/home and /usr/local) DO persist in the
> >>> qube. They are actually stored in /rw: have a look.
> >>> There is also a mechanism (bind-dirs) for making other files persistent.
> >>> You can read about it in the docs.
> >>> (You can, of course, also store files in /rw/config and use the
> >>> rc.local mechanism to change files in the root file system on boot - e.g
> >>> adding entries to hosts files, custom iptables rules etc etc.)
> >>>
> >>> unman
> >>>
> >>
> >> ok, so the /rw is on the VM and not in the dom0, understand.
> >>
> >> do i need a special name for the iptables rules in /rw/config?
> >>
> >> maybe just an example for permitting 8.8.8.8:80 ... i know its the iptables
> >> thing :)
> > 
> > 
> > For proxyVMs (like sys-firewall) there is a built-in mechanism you can
> > exploit.
> > Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
> > have already hit that 3k limit.
> > Edit the file /rw/config/qubes-firewall-user-script, and add the line:
> > iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT
> > 
> > chmod +x /rw/config/qubes-firewall-user-script
> > 
> > This script is called whenever a new qube is attached to the proxyVM
> > and the relevant iptables rules are automatically rebuilt.
> > 
> > You can also build your own custom rulesets and store them in an
> > arbitrarily named file called from /rw/config/qubes-firewall-user-script,
> > and you can, of course, do anything you like from this file, which will
> > be triggered when a new qube is attached: that is, you aren't limited to
> > firewall manipulation.
> > 
> > unman
> > 
> > 
> 
> thanks!
> so i can just write the line for one rule, without writing the whole
> script for iptables.

Yes - the rest of the rules will be taken from the entries you have
configured in the manager for that qube.

> 
> so i can call it however i want or use the qubes-firewall-user-script
> file... is it principally the same? or does qubes-firewall-user-script
> replace the whole rules i already have?

qubes-firewall-user-script is just a script that is called after the
usual Qubes firewall service process - that reads the rules set per
attached qube and instantiates them on the ProxyVM.
A significant difference is that a rule you set in
qubes-firewall-user-script will be set every time that script is called,
whereas one set in manager (or in qvm-firewall) will only be applied
when the relevant qube is attached.
It doesn't replace the other rules unless you explicitly ask it to do so
- you could do this if you wanted. Since it's just a script you can do
anything you like in there, as I've said. This would include setting
rules depending on what qubes were attached (e.g if qube A and qube B are
BOTH attached to ProxyVM open up inbound access to qube A).

> 
> the problem i have now is... i forgot to delete the "overloaded" rule
> from the VM and now i can not start it. is there any other way to start
> it, or to delete this overloaded 3k-file? is this file on sys-firewall
> or on the VM itself?

Just delete the rules from the manager interface or look at qvm-firewall
(in dom0). The help there is pretty good.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170306140550.GB21521%40thirdeyesecurity.org.
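As an added example, not part of this thread and not one of Qubes' own scripts: a complete /rw/config/qubes-firewall-user-script along the lines unman describes above. It sets the single ACCEPT rule from the thread and, as an instance of "rules depending on what qubes are attached", a rule that is only set while two particular qubes are both connected to the ProxyVM. The qube addresses, the DRY_RUN and ROUTE_TABLE variables, and the way attached qubes are detected (a host route to each qube's IP through a vifN.0 interface in the ProxyVM's routing table) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): /rw/config/qubes-firewall-user-script
# for a ProxyVM such as sys-firewall. The Qubes firewall service calls this file
# after it has rebuilt the per-qube rules, so rules added here survive that rebuild.
# Addresses and the vif-route detection below are assumptions for illustration.

# DRY_RUN=1 prints the iptables commands instead of running them (preview/testing).
DRY_RUN="${DRY_RUN:-0}"
# ROUTE_TABLE, if set, replaces the output of 'ip -4 route show' (testing only).
ROUTE_TABLE="${ROUTE_TABLE:-}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

warn() { echo "qubes-firewall-user-script: $*" >&2; }

# Assumption: every qube attached to this ProxyVM has a host route to its IP via
# a vifN.0 interface, so the routing table tells us which qubes are connected.
attached_qubes() {
    { if [ -n "$ROUTE_TABLE" ]; then printf '%s\n' "$ROUTE_TABLE"; else ip -4 route show; fi; } \
        | awk '$2 == "dev" && $3 ~ /^vif/ { print $1 }'
}

is_attached() { attached_qubes | grep -qx "$1"; }

# The script runs every time a qube is attached; a blind 'iptables -I' would
# pile up duplicate rules, so check with -C first (skipped in dry-run mode).
rule_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    iptables -C FORWARD "$@" 2>/dev/null
}

# Insert a FORWARD rule once; on failure log and continue (traffic stays blocked).
add_forward_rule() {
    rule_exists "$@" || run iptables -I FORWARD "$@" || warn "could not add rule: $*"
}

# Hypothetical qube addresses used by the conditional rule below.
QUBE_A=10.137.2.11   # e.g. a qube running an SSH server
QUBE_B=10.137.2.12   # e.g. a client qube

apply_rules() {
    # The single rule from the thread: let 10.137.100.1 reach 8.8.8.8:80 even
    # though that qube's per-qube rule set has already hit the 3 kB limit.
    add_forward_rule -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT

    # A rule that depends on which qubes are attached: open inbound SSH on
    # qube A from qube B only while both are connected to this ProxyVM.
    if is_attached "$QUBE_A" && is_attached "$QUBE_B"; then
        add_forward_rule -s "$QUBE_B" -d "$QUBE_A" -p tcp --dport 22 -j ACCEPT
    fi
}

# Apply when invoked by the firewall service (as root) or when previewing.
if [ "$DRY_RUN" = 1 ] || [ "$(id -u)" = 0 ]; then
    apply_rules
fi
```

Install it as unman says (`chmod +x /rw/config/qubes-firewall-user-script`); to see which iptables commands it would issue for the currently attached qubes without touching the firewall, run `DRY_RUN=1 sh /rw/config/qubes-firewall-user-script` in the ProxyVM.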