On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> Hi,
> In an effort to decrease R4's memory consumption I'm replacing the 
> default fedora-26 template with a customized one based on the official 
> minimal fedora-26 template.
> I installed additional RPMs according to the documentation [1] and 
> everything seems to be working well, with a noticeable decrease of 
> memory usage. However I get the following error when opening a VM's 
> firewall settings gui:
> "The 'work' qube is network connected to 'sys-firewall', which does not 
> support firewall!
> You may edit the 'work' qube firewall rules, but these will not take any 
> effect until you connect it to a working Firewall qube."
> But again, everything seems to work fine: the firewall rules are 
> properly enforced, there's no problem with net connectivity, the update 
> proxy is working, ...
> There's no error message when sys-firewall is based on the default 
> fedora-26 template so I'm likely missing something but I don't see what. 
> I compared the qubes rpms installed in both templates but didn't notice 
> anything striking. Maybe there's a flag/preference or something that 
> needs to be set but I don't see where.
> Any ideas ?
> Thanks
> Ivan
> [1] https://www.qubes-os.org/doc/templates/fedora-minimal/

It sounds odd, it usually should work changing the template. My initial 
thought-line on this issue goes like this, maybe it can be of use.

Is the iptable firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal templates can be 
used for offline purposes too, then iptables is probably not included like most 
other things that has been removed.

If iptable is not enough, then my thoughts go like this instead;

- It seems very likely to me that it is a missing package and not a missing 
configuration. Usually swapping templates just works as long the right packages 
are installed, and no configuration required. So it "seems" that it is 
pre-configured out-of-the-box in the installed packages, for whichever package 
that is missing.

- If may be that Qubes don't provide firewall functionality if the existing 
packages work anyway. Why fix something that ain't broke? So there is a 
possibility you don't need the Qubes packages to fix this. If all the relevant 
Qubes agent's are installed, then it's probably not this causing the issue.

- If Qubes tools are installed, networking works etc, and you got iptables 
installed already, then my thoughts are that it's likely missing 
system-config-*'s and the unavoidable full array of dependencies going with it.

- Try clone the template and essentially go berserk and not holding back, 
install the entire system-config- array of packages, see if networking works. 
If not, then either something is still missing, or firewalling has nothing to 
do with the system-config packages.

- If it works, then try narrow down which packages that are used for 
firewalling, perhaps you can reduce the amount of dependency packages being 
pulled if you install just the package that firewall is using.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to