On Thu, Dec 20, 2018 at 10:29:31AM +0000, mossy wrote:
> unman:
> > On Wed, Dec 19, 2018 at 11:06:25PM +0000, mossy wrote:
> >> Hello all,
> >>
> >> I was looking to see if I could update an offline standalone VM, by
> >> appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
> >> have some questions.
> >>
> >> First, I noticed the lines:
> >>
> >> ~~~
> >> # Default rule for all TemplateVMs - direct the connection to sys-net
> >> $type:TemplateVM $default allow,target=sys-net
> >> ~~~
> >>
> >> Q1) Is this correct? Shouldn't updates be directed to sys-firewall
> >> instead of sys-net? Are all of our templates exposed to (untrusted)
> >> sys-net?
> >>
> >> Hopefully I am wrong about this, but either way I'd appreciate if
> >> someone could explain...
> >>
> >> Q2) If I want to update an offline standalone VM called `OfflineSA`,
> >> what would be the proper syntax in
> >> `etc/qubes-rpc/policy/qubes.UpdatesProxy`? I have tried each of the
> >> following without success:
> >>
> >> OfflineSA $default allow,target=sys-net
> >> OfflineSA $default allow,target=sys-firewall
> >> OfflineSA allow,target=sys-net
> >> OfflineSA allow,target=sys-firewall
> >> $type:StandaloneVM $default allow,target=sys-net
> >> $type:StandaloneVM $default allow,target=sys-firewall
> >>
> >> Q3) do I need to restart my whole qubes system for any new
> >> `etc/qubes-rpc/policy/qubes.UpdatesProxy` rules to come into effect?
> >>
> >> Q4) can update proxies perhaps only be set via some $tag or $type?
> >>
> >> Thank you!
> >>
> >> -m0ssy
> >
> > Q1. Yes, the default is to use sys-net. You can change this if you wish.
> > (I do)
> > The update proxy has always been set to sys-net by default.
> > The proxy used to filter traffic, but no longer does so. Again, I change
> > this behaviour.
> >
> > Q2. OfflineSA $default allow,target=sys-net
> > should work: the syntax is right. (You do have proxy configured in
> > OfflineSA?)
> >
> > Q3. No - changes in those rules come into play straight away.
> >
> > Q4. No, they can be set on an individual basis.
> >
>
> thanks for your reply! I do not have proxy configured in OfflineSA -- I
> don't see an option in qvm-prefs anymore (thought this was all now done
> in rpc-policy as of qubes 4). Can you please point me to how to configure?
>
> -m0ssy
>

Hi m0ssy

Have you installed qubes-core-agent in the standalone?
That will provide /usr/lib/qubes/update-proxy-configs and the qubes-rpc
service.

unman
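
Added example, not part of the original thread and not Qubes' own code: a simplified first-match model of the policy lines quoted above, checking which of the six attempted rules are well-formed and which proxy each would select for a StandaloneVM named `OfflineSA`. The function names and the reduced matching (exact VM name, `$type:` and `$default` only) are assumptions made for illustration.

```python
# Added illustration: simplified model of Qubes 4.0 qrexec policy lines,
# "<source> <target> <action>[,key=value...]". Not the Qubes policy parser.
DEFAULT_RULE = "$type:TemplateVM $default allow,target=sys-net"  # quoted in the thread
ATTEMPTS = [  # the six lines tried in the thread
    "OfflineSA $default allow,target=sys-net",
    "OfflineSA $default allow,target=sys-firewall",
    "OfflineSA allow,target=sys-net",
    "OfflineSA allow,target=sys-firewall",
    "$type:StandaloneVM $default allow,target=sys-net",
    "$type:StandaloneVM $default allow,target=sys-firewall",
]

def parse_rule(line):
    """Return (source, target, action, params), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    source, target, action_spec = fields
    action, *raw_params = action_spec.split(",")
    if action not in ("allow", "deny", "ask"):
        raise ValueError(f"unknown action {action!r}")
    params = dict(item.split("=", 1) for item in raw_params)
    return source, target, action, params

def source_matches(pattern, vm_name, vm_type):
    if pattern.startswith("$type:"):
        return pattern[len("$type:"):] == vm_type
    return pattern == vm_name

def resolve(policy_text, vm_name, vm_type, target="$default"):
    """First matching rule wins; no match means the call is denied."""
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule and source_matches(rule[0], vm_name, vm_type) and rule[1] == target:
            return rule[2], rule[3].get("target")
    return "deny", None

def try_attempt(line):
    """Evaluate one attempted rule, placed above the default rule, for OfflineSA."""
    try:
        return resolve(line + "\n" + DEFAULT_RULE, "OfflineSA", "StandaloneVM")
    except ValueError:
        return "malformed"

if __name__ == "__main__":
    for line in ATTEMPTS:
        print(f"{line!r:60} -> {try_attempt(line)}")
```

In this model the two-field lines are rejected and the other four select a proxy, which fits the reply's point that the policy syntax is right and the remaining question is what is installed inside the standalone VM.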
