On Tuesday, March 28, 2017 at 9:20:03 PM UTC-4, Unman wrote:
> On Tue, Mar 28, 2017 at 05:24:00PM -0700, Nemo wrote:
> > > 
> > > To help me understand how qubes-updates-proxy is working, is this more or 
> > > less accurate?:
> > > 
> > > The proxy gives the TemplateVM's network connection permission to break 
> > > through its own firewall's "Deny All" setting, for the purpose of 
> > > updates only.
> > > 
> > > The proxy should be applied on a FirewallVM before hitting a VPN/NetVM. 
> > > The FirewallVM will block all traffic, but proxy the repo request, which 
> > > it receives via tinyproxy at 10.137.255.254:8082. The request will pass 
> > > through the FirewallVM and arrive in the VPN/NetVM as a normal repo 
> > > request.
> > > 
> > > Is that right?
> > > 
> > > ------------------------------------------
> > > 
> > > To (maybe?) confuse things further:
> > > 
> > > I just realized that the TemplateVMs will not update via Firewall-VPN 
> > > even if they are set to allow all traffic. Although they will still 
> > > update via the Net < Firewall < TemplateVM chain either directly or 
> > > through the proxy without issue.
> > 
> > Hmmm, actually I missed running `iptables -L -nv`
> > 
> > [user@sys-firewall-vpn ~]$ sudo iptables -L -nv
> > Chain INPUT (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> >     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> >     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> > 
> > Seems I'm filtering all this traffic, which would cause problems...
> > 
> > I tried recreating Firewall-VPN from scratch, and ran `iptables -L -nv` 
> > immediately after adding qubes-updates-proxy
> > 
> > [user@sys-firewall-vpn2 ~]$ sudo iptables -L -nv
> > Chain INPUT (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> >     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> >     1    52 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> > 
> > Doesn't seem like 8082 is automatically added. How can I add the record?
> > 
> 
> You can add the rule like this:
> 'sudo iptables -I INPUT -p tcp --dport 8082 -j ACCEPT'
> 
> '-I INPUT' Inserts the rule at the top of the INPUT chain (You can
> specify a number here, like '-I INPUT 2' to specify position.)
> 
> -p tcp = specifies Protocol is tcp
> --dport = Destination PORT
> 
> Try that and see if it works for you.
> If this is the solution (and I think it is), then you can add this line
> in /rw/config/qubes-user-firewall-script - look at the docs on the Qubes
> firewall to help here.
> 
> This is a known issue in ProxyVMs - in fact I've fixed it and that code
> is merged but, I guess, you haven't yet got it.
> 
> Make sure you clean up any other changes you may have made getting to
> this point.
> 
> unman

Thank you! This did fix it.

Is the ProxyVM update included in the updated qubes-core-vm and 
qubes-core-vm-systemd packages? If not, how can I make sure I get updates like 
this in the future?
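A check for the situation described in this thread, added here as an example and not taken from the original posts or from Qubes itself: it parses an `iptables -L -nv` dump and reports whether the INPUT chain contains an ACCEPT for TCP port 8082 that takes effect before the catch-all REJECT. This is why unman's `-I INPUT` (insert at the top) matters: the same rule appended with `-A` would sit after the REJECT and never be reached. The sample dumps are constructed from the output quoted above (with the mail-client line wrapping undone); the function and constant names are my own.

```python
"""Check an `iptables -L -nv` dump for an effective ACCEPT rule on the
qubes-updates-proxy port (8082) in the INPUT chain.

Example code, not part of the original thread or of Qubes OS."""
import re
from collections import namedtuple

# Columns of `iptables -L -nv` that matter for the check (opt is skipped).
Rule = namedtuple("Rule", "target prot in_if out_if source dest extra")

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
# pkts bytes target prot opt in out source destination [match qualifiers]
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)

# Constructed sample: the INPUT chain as quoted in the thread, before any fix.
SAMPLE_MISSING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

# Constructed: the rule unman's command creates, as iptables would list it.
PROXY_RULE = ("    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0"
              "            0.0.0.0/0            tcp dpt:8082")
_lines = SAMPLE_MISSING.splitlines()
# `-I INPUT` puts the rule first (after the two header lines of the dump).
SAMPLE_FIXED = "\n".join(_lines[:2] + [PROXY_RULE] + _lines[2:]) + "\n"
# `-A INPUT` would append it after the catch-all REJECT, where it is shadowed.
SAMPLE_APPENDED = SAMPLE_MISSING + PROXY_RULE + "\n"


def parse_chains(output):
    """Return {chain: {"policy": str|None, "rules": [Rule, ...]}}."""
    chains = {}
    current = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.strip().startswith("pkts "):
            continue
        m = RULE_RE.match(line)
        if m:
            chains[current]["rules"].append(Rule(*m.groups()))
    return chains


def _is_catch_all(rule):
    """True for a rule that matches any TCP packet, whatever port or state."""
    qualifiers = rule.extra.split()
    return (rule.prot in ("all", "tcp")
            and rule.in_if == "*"
            and rule.source == "0.0.0.0/0" and rule.dest == "0.0.0.0/0"
            and not any(q.startswith(("dpt:", "spt:", "ctstate", "state"))
                        for q in qualifiers))


def proxy_port_reachable(output, port=8082, chain="INPUT"):
    """Walk the chain in order, as the kernel does, and report whether a new
    TCP connection to `port` is accepted before a DROP/REJECT or the policy."""
    info = parse_chains(output).get(chain)
    if info is None:
        return False
    for rule in info["rules"]:
        port_match = (rule.prot in ("tcp", "all")
                      and f"dpt:{port}" in rule.extra.split())
        if rule.target == "ACCEPT" and (port_match or _is_catch_all(rule)):
            return True
        if rule.target in ("DROP", "REJECT") and (port_match or _is_catch_all(rule)):
            return False
    return info["policy"] == "ACCEPT"


def suggested_fix(port=8082):
    """The rule unman recommends in the thread, inserted at the top of INPUT."""
    return f"iptables -I INPUT -p tcp --dport {port} -j ACCEPT"


if __name__ == "__main__":
    for name, dump in (("missing", SAMPLE_MISSING), ("fixed", SAMPLE_FIXED),
                       ("appended", SAMPLE_APPENDED)):
        ok = proxy_port_reachable(dump)
        print(f"{name:9s} port 8082 reachable: {ok}")
        if not ok:
            print("  fix:", suggested_fix())
```

Feed it the real dump with `sudo iptables -L -nv | python3 check_proxy_port.py`-style piping if you wire `sys.stdin` to `proxy_port_reachable`; the parser only understands the single-port `dpt:` match, so rules written with `multiport` would be reported as not matching.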
