On Fri, Apr 28, 2017 at 06:08:42PM -0400, Gaiko Kyofusho wrote:
> I thought I would make use of Qubes firewall feature and try blocking some
> sites. I 1st tried in the firewallVM -> settings -> firewall rules and
> added some sites, doubleclick.net for example
> 
> I closed it etc then went back to it and saw this error:
> 
> The sys-firewall AppVM is not network connected to a FirewallVM
> You may edit the sys-firewall VM firewall rules but these will not take
> effect until you connect it to a working firewallVM
> 
> ?? I was editing the rules in the sys-firewall VM so I am not sure about
> that, unless perhaps because I have a VPN running? (the VPN is behind
> not in front of the firewall).
> 
> I tried the same setup/rules but instead of in the sys-firewall VM I tried
> it in my personalVM and while I didn't get an error there, it also didn't
> seem to block sites like doubleclick.net?
> 
> I assume I am doing something wrong but am not sure what as I thought I was
> doing as the qubes firewall doc instructed?

The Qubes firewall is set for each qube.
So if you want to block a particular qube from accessing a site you make
a change in the firewall for that qube, and it is implemented in iptables
on the proxyVM upstream of the qube.

You have tried to set a rule on the firewallVM, and the error message is
telling you that sys-net does not act as a firewallVM.

If you want to block traffic FROM sys-firewall then you can set iptables
rules ON sys-firewall and set them from rc.local or
qubes-firewall-user-script in /rw/config.
Alternatively you can write custom rules in sys-net and implement them
there to block traffic from downstream qubes.

A major problem in doing this is that iptables acts on IP addresses. If
you want to block something like doubleclick.net then you would
have to block all the IP addresses associated with that domain. An
alternative approach would be to make entries in /etc/hosts resolving
to a local address. This stops any DNS resolution and effectively blocks
access to the site. If you look online there are many examples of hosts
files that use this technique to block access to questionable sites.

hth

unman
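
An added example for the /etc/hosts approach, not code from unman's reply or from the Qubes project: a POSIX shell script that keeps the blocklist inside a marker block so it can be re-applied from /rw/config/rc.local on every boot (an AppVM's /etc comes from its template and is reset at each start); the marker strings, file paths and sample domains are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent /etc/hosts blocklist that
# can be re-applied from /rw/config/rc.local on each boot of a qube, because an
# AppVM's /etc is reset from its template at every start. Markers, paths and
# domains below are constructed for the demonstration.

BLOCK_BEGIN='# qubes-blocklist BEGIN'
BLOCK_END='# qubes-blocklist END'

# Turn a newline-separated domain list on stdin into hosts entries: lower-case,
# trim, drop blanks and comments, de-duplicate, and map each name to 0.0.0.0
# (a common blocklist convention; nothing listens there, so connections fail fast).
hosts_entries() {
    tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | grep -v '^#' | sort -u \
        | while read -r d; do printf '0.0.0.0 %s\n' "$d"; done
}

# Rewrite hosts file $1 so it holds exactly one marker block built from the
# domain list $2. Re-running replaces the old block instead of appending again.
apply_blocklist() {
    hosts=$1; list=$2
    tmp=$(mktemp) || return 1
    # keep everything outside any previous marker block
    awk -v b="$BLOCK_BEGIN" -v e="$BLOCK_END" \
        '$0==b{skip=1;next} $0==e{skip=0;next} !skip' "$hosts" > "$tmp"
    {
        printf '%s\n' "$BLOCK_BEGIN"
        hosts_entries < "$list"
        printf '%s\n' "$BLOCK_END"
    } >> "$tmp"
    # write through the existing file so its owner and mode are preserved
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# Number of names currently blocked by the marker block in hosts file $1
count_blocked() {
    awk -v b="$BLOCK_BEGIN" -v e="$BLOCK_END" \
        '$0==b{s=1;next} $0==e{s=0;next} s&&$1=="0.0.0.0"{n++} END{print n+0}' "$1"
}

# Demonstration on constructed files; the real /etc/hosts is not touched.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n::1 localhost\n' > "$demo/hosts"
printf 'doubleclick.net\nad.doubleclick.net\nDoubleclick.NET\n# comment\n' > "$demo/blocklist"
apply_blocklist "$demo/hosts" "$demo/blocklist"
apply_blocklist "$demo/hosts" "$demo/blocklist"   # second run must not add duplicates
cat "$demo/hosts"
echo "blocked names: $(count_blocked "$demo/hosts")"   # prints 2
```

A hosts entry matches one name exactly, so every subdomain to be blocked (ad.doubleclick.net, for instance) needs its own line.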
