On 02/03/2018 01:10 PM, David Hobach wrote:
>> - open in dom0: /usr/lib/systemd/system/[email protected]
>> and add "OnUnitActiveSec=1m" at the end of the file.
>>
>>
>> - Reload systemd config -> "systemctl daemon-reload" and try to test
>> again.
> 
> Doesn't changing the config and reloading all services with changed
> config just reload the firewall service?
> 
> Then of course the iptables rules are re-generated taking the expired
> timer into account. So basically you're just doing a manual reload
> because the automatic didn't trigger or work when it should have?
> 
> I didn't test it though, just my guesses from reading your proposal.

When you add temporary access for an AppVM, a service and a timer are
created for that VM:

- qubes-reload-firewall@(VM-Name).timer
- qubes-reload-firewall@(VM-Name).service

Then the timer is enabled. 1 min later the timer is fired and it enables
the service; the service checks if the rule has expired and, if yes, it
updates the iptables rules and stops the timer.

The problem without "OnUnitActiveSec=1m" is that the timer is not fired
anymore (at least on my computer): it goes to the "elapsed" state, the
service is never enabled again, and the VM still has full access
forever.

Maybe it is some problem with systemd. I am not sure about the desired
effect of OnActiveSec alone.

If you test it first, maybe the timer is already in the elapsed state and
the fix doesn't work without manually stopping it.
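
A check for the failure mode described in this message, as an added example that is not part of the original message or of Qubes' own code: it reads `systemctl show` property blocks and lists the per-VM timers whose sub-state is `elapsed`. The unit name pattern follows the names given above; the `systemctl show` invocation in the comment and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Lists per-VM firewall reload timers that are in the "elapsed" sub-state,
# the state the message reports the timer getting stuck in.
#
# Input on stdin: `systemctl show` property blocks, one per unit, separated
# by blank lines. Assumed dom0 invocation:
#   systemctl show --property=Id,SubState 'qubes-reload-firewall@*.timer'

find_elapsed_timers() {
    awk -F= '
        # Print the unit collected so far if it matches, then reset.
        function emit() {
            if (id ~ /^qubes-reload-firewall@.*\.timer$/ && state == "elapsed")
                print id
            id = ""; state = ""
        }
        /^$/             { emit(); next }          # blank line ends a block
        $1 == "Id"       { id = substr($0, 4) }    # text after "Id="
        $1 == "SubState" { state = substr($0, 10) } # text after "SubState="
        END              { emit() }                # last block has no blank line
    '
}

# Constructed sample input (VM names are made up); property order varies
# on purpose to show the parser does not depend on it.
sample_units() {
    cat <<'EOF'
Id=qubes-reload-firewall@work.timer
SubState=elapsed

SubState=waiting
Id=qubes-reload-firewall@personal.timer

Id=qubes-reload-firewall@untrusted.timer
SubState=elapsed
EOF
}

# Run on the sample; in dom0, pipe the systemctl command above instead.
sample_units | find_elapsed_timers
```

Any unit this prints belongs to a VM whose firewall rules should be checked by hand.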
