Hi Unman,

Thanks! That is exactly what I wanted to accomplish, although I could use a little clarification on a couple of things.

> You can examine the IP addresses allocated to the qubes using
> "qvm-ls -n".

I ran this command and there are three IP addresses listed for most of the qubes. Going from left to right---> I know the first one is the qube IP address. The second IP address is only given to proxy-VMs (what is this IP for?). And the third IP address is the upstream gateway IP??

> Each firewall provides masquerade NAT to downstream qubes. This means
> that you can simply do the following:
> firewall-vm0 : eth0 - 10.137.10.10
> firewall-vm1 : eth0 - 10.137.10.100

I'm sure you can guess my next question. Those two IP addresses would be the actual IPs of the qubes. (sorry, I have to be sure : )

Essax

> -------- Original Message --------
> Subject: Re: [qubes-users] Sys-net with a 2 port NIC, how to allow/block interfaces?
> Local Time: July 5, 2017 9:24 PM
> UTC Time: July 6, 2017 1:24 AM
> From: [email protected]
> To: Essax <[email protected]>
> Google groups Qubes-users <[email protected]>
>
> On Wed, Jul 05, 2017 at 08:08:02PM -0400, "Essax" via qubes-users wrote:
>> I have a laptop with a 2 port NIC. I would like to have 1 subset of appVMs
>> that are connected to sys-net use the eth0 interface and the other subset
>> use the eth1 interface. It is not possible to assign 1 port into separate
>> sys-nets. I have tried that and only eth0 will function. It's also my
>> understanding that eth0 is the interface used between qubes. (is this
>> wrong?) If so, would this prevent me from using iptables in firewall-vm1 to
>> block traffic to the eth0 interface? That would block traffic to sys-net as
>> well (I think). The only solution I have come up with would be to go to dom0
>> GUI --> appvm1 ---> edit VM firewall rules ---> allow networks except
>> 172.16.1.1/24. This would not block traffic to the eth0 interface, but it
>> would prevent it from going any further than the 172.16.1.1 pfsense
>> interface. Then I could do the same for firewall-vm0 and block it from the
>> 192.168.1.1 pfsense interface. Is there a better way to do this with
>> iptables?
>>
>> pfsense-----192.168.1.1/24------------eth1--------firewall-vm1--------appvm1
>>                                                sys-net
>> pfsense-----172.16.1.1/24--------------eth0--------firewall-vm0--------VPN/proxyvm--------appvm0
>>
>> Thanks in advance
>> Essax
>
> I'm not sure what you mean by "eth0 is the interface used between
> qubes". Each qube is attached to its upstream proxy, its eth0
> connecting to a vifX interface on the proxy.
>
> You can examine the IP addresses allocated to the qubes using
> "qvm-ls -n".
>
> On your proposal the downstream qubes would only be able to connect to
> the networks attached to eth0 and eth1. This may be what you want. If
> you want to connect to the net (or another network) via those connected
> networks, there is an alternative.
>
> Each firewall provides masquerade NAT to downstream qubes. This means
> that you can simply do the following:
> firewall-vm0 : eth0 - 10.137.10.10
> firewall-vm1 : eth0 - 10.137.10.100
>
> On sys-net:
> iptables -I FORWARD -o eth0 -j DROP
> iptables -I FORWARD -o eth1 -j DROP
> iptables -I FORWARD -s 10.137.10.100 -o eth1 -j ACCEPT
> iptables -I FORWARD -s 10.137.10.10 -o eth0 -j ACCEPT
>
> Those rules explicitly block and allow traffic. You could combine them into
> one rule, but this makes it clearer what is happening and will allow you
> to track counters as traffic flows.
> I think it's neater than your proposal.
>
> You'll also want to keep the rules allowing established traffic back
> through sys-net.
>
> You can put these rules into rc.local, and qubes-firewall-user-script,
> as set out here:
> www.qubes-os.org/doc/firewall
>
> unman
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/20170706012459.nixgcf6n3mwqwobt%40thirdeyesecurity.org.
> For more options, visit https://groups.google.com/d/optout.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/WszUs9sGM9qi48M2RaOxkmtA5od7C02DWQdga-3Im3D960qCOv7CkSuSqp10tSctYnMrnZGuWWmYgbWH5J4r1p9SIrZKzw3UFyErA94U5wc%3D%40protonmail.com.
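The sys-net FORWARD rules from unman's reply, generated from a small policy table so that the per-interface pinning stays consistent if more firewall qubes are added later. This is an added example, not unman's script and not anything shipped by Qubes OS; it assumes the interface names and qube addresses quoted in the thread (10.137.10.10 on eth0, 10.137.10.100 on eth1), and the POLICY table and the rule_count helper are constructed for illustration. It also emits the ESTABLISHED/RELATED rule unman says you will want to keep, so return traffic still passes through sys-net.

```shell
#!/bin/sh
# Added example (not unman's or the Qubes project's own code): build the
# sys-net FORWARD rules described in the thread from a policy table, so each
# downstream firewall qube is only ever forwarded out of one physical NIC.
# Assumed: interface names and qube IPs are the ones quoted in the thread.

# Policy table, one "<source-ip> <outbound-interface>" per line (constructed).
POLICY='10.137.10.10 eth0
10.137.10.100 eth1'

# Print the iptables commands in the order they must be executed.  Every rule
# is inserted at the top of FORWARD with -I, so later commands end up above
# earlier ones: the finished chain reads ESTABLISHED/RELATED first, then the
# per-source ACCEPTs, then the per-interface DROPs that catch everything else.
gen_sysnet_rules() {
    policy="$1"
    # 1. default: nothing is forwarded out of any interface named in the policy
    printf '%s\n' "$policy" | awk '{print $2}' | sort -u | while read -r iface; do
        echo "iptables -I FORWARD -o $iface -j DROP"
    done
    # 2. each source may use its own interface only
    printf '%s\n' "$policy" | while read -r src iface; do
        [ -n "$src" ] || continue
        echo "iptables -I FORWARD -s $src -o $iface -j ACCEPT"
    done
    # 3. replies to allowed connections must still come back through sys-net
    echo "iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator produces for a given policy (helper, constructed).
rule_count() {
    gen_sysnet_rules "$1" | wc -l | tr -d ' '
}

# Dry run by default; pass --apply on sys-net (e.g. from /rw/config/rc.local,
# as the thread suggests) to feed the commands to the shell.
if [ "${1:-}" = "--apply" ]; then
    gen_sysnet_rules "$POLICY" | sh
else
    gen_sysnet_rules "$POLICY"
fi
```

Run without arguments it only prints the five commands, which is a convenient way to review the intended chain before touching the live firewall; `iptables -L FORWARD -v -n` on sys-net afterwards shows the per-rule counters unman mentions, so you can confirm that each firewall qube's traffic is hitting its own ACCEPT rule and nothing is reaching the DROPs.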
