On Fri, 6 Oct 2017 10:20:18 -0400 Ed <e...@edjusted.com> wrote: > What I would like to do is add a second IP to both sys-firewall and > sys-net so that I can NAT traffic from one of my VM's in/out through > these IP's. So what I end up with is two IP's on sys-net, one > handling all the traffic for most of my VM's, the other handling > traffic for one specific VM. This way I can do additional firewall > restrictions on this VM in my networks. > > If I manually add the IP addresses to sys-net and sys-firewall, > manually add the destination NAT and source NAT rules to both as > well, then manually add a route in sys-net, and also force another > rule into the IPTABLES raw table on sys-net (to override a rule added > by /etc/xen/scripts/vif-routes-qubes which restricts all incoming > traffic from sys-firewall to the IP assigned by qubes to the default > interface), then I'm able to make this work. > > However, this is very finicky and totally unscriptable in this > configuration, and I'd really like this to be something auto > configured on boot. > > I've look and looked and don't see where I can add a second interface > definition to any config files. If I manually edit the xen > sys-firewall.conf file it just gets overwitten by qubes. I can do > all the iptables rules I need in the /rw/config scripts, but what I > really need is for sys-firewall to add another virtual interface for > me. > > I tried running: sudo xl network-attach sys-firewall > script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 > backend=sys-net This will add the interface and setup sys-net with > the correct routes and rules, HOWEVER, the interface that it adds to > sys-firewall has the same IP as the existing interface which breaks > all the traffic going out of sys-firewall > > Has anyone ever had any success doing something like this? > > Any suggestions out there? > > Thanks, > Ed >
Wouldn't it be possible to add a second Firewall VM to be used solely by your special single vm? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171006171022.71d8c133.mike%40keehan.net. For more options, visit https://groups.google.com/d/optout.