What I would like to do is add a second IP to both sys-firewall and sys-net so that I can NAT traffic from one of my VM's in/out through these IP's. So what I end up with is two IP's on sys-net, one handling all the traffic for most of my VM's, the other handling traffic for one specific VM. This way I can do additional firewall restrictions on this VM in my networks.

If I manually add the IP addresses to sys-net and sys-firewall, manually add the destination NAT and source NAT rules to both as well, then manually add a route in sys-net, and also force another rule into the IPTABLES raw table on sys-net (to override a rule added by /etc/xen/scripts/vif-routes-qubes which restricts all incoming traffic from sys-firewall to the IP assigned by qubes to the default interface), then I'm able to make this work.

However, this is very finicky and totally unscriptable in this configuration, and I'd really like this to be something auto configured on boot.

I've look and looked and don't see where I can add a second interface definition to any config files. If I manually edit the xen sys-firewall.conf file it just gets overwitten by qubes. I can do all the iptables rules I need in the /rw/config scripts, but what I really need is for sys-firewall to add another virtual interface for me.

I tried running: sudo xl network-attach sys-firewall script=/etc/xen/scripts/vif-route-qubes ip= backend=sys-net This will add the interface and setup sys-net with the correct routes and rules, HOWEVER, the interface that it adds to sys-firewall has the same IP as the existing interface which breaks all the traffic going out of sys-firewall

Has anyone ever had any success doing something like this?

Any suggestions out there?


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to