On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> 
> 
> On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> > > Hi,
> > > 
> > > In an effort to decrease R4's memory consumption I'm replacing the
> > > default fedora-26 template with a customized one based on the official
> > > minimal fedora-26 template.
> > > 
> > > I installed additional RPMs according to the documentation [1] and
> > > everything seems to be working well, with a noticeable decrease of
> > > memory usage. However I get the following error when opening a VM's
> > > firewall settings gui:
> > > 
> > > "The 'work' qube is network connected to 'sys-firewall', which does not
> > > support firewall!
> > > You may edit the 'work' qube firewall rules, but these will not take any
> > > effect until you connect it to a working Firewall qube."
> > > 
> > > But again, everything seems to work fine: the firewall rules are
> > > properly enforced, there's no problem with net connectivity, the update
> > > proxy is working, ...
> > > 
> > > There's no error message when sys-firewall is based on the default
> > > fedora-26 template so I'm likely missing something but I don't see what.
> > > I compared the qubes rpms installed in both templates but didn't notice
> > > anything striking. Maybe there's a flag/preference or something that
> > > needs to be set but I don't see where.
> > > 
> > > Any ideas ?
> > > 
> > > Thanks
> > > Ivan
> > > 
> > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > 
> > 
> > It sounds odd, it usually should work changing the template. My initial 
> > thought-line on this issue goes like this, maybe it can be of use.
> > 
> > Is the iptable firewall package installed in the minimal template?
> > 
> > I'm thinking it may be iptables that is missing, since minimal templates 
> > can be used for offline purposes too, then iptables is probably not 
> > included like most other things that has been removed.
> 
> iptables is installed (that's one of the first thing I checked after I saw
> the error msg).
> 
> 
> [...]
> 
> > - If Qubes tools are installed, networking works etc, and you got iptables 
> > installed already, then my thoughts are that it's likely missing 
> > system-config-*'s and the unavoidable full array of dependencies going with 
> > it.
> 
> Hmm, what are those system-config-*s you're talking about ?
> 
> 
> > - Try clone the template and essentially go berserk and not holding back, 
> > install the entire system-config- array of packages, see if networking 
> > works. If not, then either something is still missing, or firewalling has 
> > nothing to do with the system-config packages.
> > 
> > - If it works, then try narrow down which packages that are used for 
> > firewalling, perhaps you can reduce the amount of dependency packages being 
> > pulled if you install just the package that firewall is using.
> 
> If there aren't hardcoded changes or manual configurations made in the
> default fedora-26 template then yes, installing the exact same of rpms would
> in theory fix the problem. But before spending significant time on
> installing a bunch of rpms and then dissecting I thought I'd ask fellow
> users first... Maybe the cause is obvious and I'm overlooking something.
> 

I just want to check - you say that the firewall rules are properly
enforced, and that everything works properly EXCEPT that you get a
warning.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180212162645.5fnfw2oc7u6pskn4%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to