On Mon, Apr 08, 2019 at 01:35:45PM +1000, haaber wrote:
> > So I was doing some security checks on a whim in my Qubes machine until I
> > stumbled upon discovery that the INPUT chain of iptables in my net VM
> > has a rule of accepting all tcp connections to port 8082 coming from
> > anywhere
>
> I checked and confirm the same line in my sys-net:
>
> -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
>
> I cannot offer insightful help at the moment. To permanently change the
> iptables, you might find clues in the qubes-firewall documentation.
> Otherwise, searching a bit I got here
> https://github.com/QubesOS/qubes-issues/issues/3201 the impression that
> this port is used for non-torified Qubes updates proxy. Do update
> mechanisms still work (the torified && non-torified one) if you remove
> the line manually?

It is indeed part of updates-proxy, which I assume you have enabled in sys-net.

Sphere reports the rule allowing "coming from anywhere" - if this is so then they must override the default - as haaber reports the default rule allows traffic originating from the vif+ interfaces.

I guess this is a hangover from 3.2, as templates now use qubes-rpc, but it does allow you to use proxy settings in your qubes and perform package updates/installs.
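
Added example, not part of the original messages: a check that reads `iptables -S INPUT` output and reports whether each ACCEPT rule for the updates-proxy port is limited to the vif+ interfaces, as in the default rule quoted above, or has no such limit. It reads the `-S` format because `iptables -L` without `-v` does not print the interface column. The function name `check_proxy_rules` and both sample rule sets are constructed for illustration.

```sh
#!/bin/sh
# Classify ACCEPT rules for one TCP port in `iptables -S INPUT` output (stdin).
# Prints "scoped vif+" for rules limited to downstream qube interfaces and
# "unscoped: <rule>" otherwise; returns 1 if any unscoped rule was found.
# Only exact `--dport <port>` matches are handled (no ranges or multiport).
check_proxy_rules() {
    port="${1:-8082}"
    awk -v port="$port" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            iface = ""; dport = ""; target = ""; neg = 0
            for (i = 3; i <= NF; i++) {
                # "! -i vif+" means every interface EXCEPT vif+
                if ($i == "-i") { iface = $(i + 1); neg = ($(i - 1) == "!") }
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dport != port || target != "ACCEPT") next
            if (iface == "vif+" && !neg) print "scoped " iface
            else { print "unscoped: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the default rule as quoted in the thread.
SAMPLE_DEFAULT='-P INPUT DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# Constructed sample: the same port accepted with no interface restriction.
SAMPLE_OPEN='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT'

printf '%s\n' "$SAMPLE_DEFAULT" | check_proxy_rules 8082 || echo "review needed"
printf '%s\n' "$SAMPLE_OPEN" | check_proxy_rules 8082 || echo "review needed"
```

On a live sys-net the input would come from `sudo iptables -S INPUT | check_proxy_rules 8082`.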
