So I tried removing the rule today and attempted to do a TemplateVM update. Oddly enough, it updates just fine, and my setting on qubes-rpc for TemplateVM updates is set as my sys-net VM.

Not unless this is because I have already done an update without removing the iptables rule first, which caused a complete sync of repository metadata. Thus, when I removed the rule and did an update again, there were no problems because metadata has already been sync'd. Or do you think this hypothesis is wrong?

On Monday, April 8, 2019 at 8:16:21 PM UTC+8, unman wrote:
> On Mon, Apr 08, 2019 at 01:35:45PM +1000, haaber wrote:
> > > So I was doing some security checks on a whim in my Qubes machine until I
> > > stumbled upon the discovery that the INPUT chain of iptables in my net VM
> > > has a rule accepting all tcp connections to port 8082 coming from
> > > anywhere
> >
> > I checked and confirm the same line in my sys-net:
> >
> > -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
> >
> > I cannot offer insightful help at the moment. To permanently change the
> > iptables, you might find clues in the qubes-firewall documentation.
> > Otherwise, searching a bit I got here
> > https://github.com/QubesOS/qubes-issues/issues/3201 the impression that
> > this port is used for the non-torified Qubes updates proxy. Do update
> > mechanisms still work (the torified && non-torified one) if you remove
> > the line manually?
>
> It is indeed part of updates-proxy, which I assume you have enabled in
> sys-net.
> Sphere reports the rule allowing "coming from anywhere" - if this is so
> then they must override the default - as haaber reports the default rule
> allows traffic originating from the vif+ interfaces.
> I guess this is a hangover from 3.2, as templates now use qubes-rpc,
> but it does allow you to use proxy settings in your qubes and perform
> package updates/installs.

About that, sorry I forgot to specify which interface it was.
By "anywhere" I had intended to mean any source IP address would be permitted to connect to port 8082, but as for the interface, it's definitely vif+.

Welp, I suppose I'll do more testing in the following days before concluding that it's safe to just permanently remove it from the iptables rules, since it doesn't break my updating of TemplateVMs.

I'll just leave this iptables command here for reference:

sudo iptables --insert INPUT 1 -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
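As an added example (not from this thread and not Qubes OS code), a small shell audit that reads rules in `iptables -S INPUT` form and separates the default updates-proxy rule scoped to the vif+ interfaces from a genuinely open port-8082 ACCEPT rule, which is the distinction the thread turns on; the sample rule sets are constructed, and the function name is my own.

```shell
#!/bin/sh
# Audit INPUT rules for the Qubes updates-proxy port (8082).
# Input: rules in `iptables -S INPUT` format, one per line, on stdin.
# A port-8082 ACCEPT rule is expected to carry "-i vif+" (VM-facing
# interfaces only); one without it accepts from any interface.
# Exit status: 0 if every 8082 ACCEPT rule is scoped to vif+, 1 otherwise.
audit_8082_rules() {
    status=0
    while IFS= read -r rule; do
        # Only look at rules that accept traffic to TCP port 8082.
        case "$rule" in
            *"-p tcp"*"--dport 8082"*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$rule" in
            *"-i vif+"*) echo "ok      : $rule" ;;
            *) echo "WARNING : $rule  (not limited to vif+ interfaces)"
               status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample rule sets (not captured from a real sys-net).
# The default as quoted in the thread: scoped to vif+.
SAMPLE_DEFAULT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT'

# What an "open to anywhere" override would look like: no -i restriction.
SAMPLE_OPEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT'

# Live use inside the proxy VM: sudo iptables -S INPUT | audit_8082_rules
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DEFAULT" | audit_8082_rules
    printf '%s\n' "$SAMPLE_OPEN" | audit_8082_rules
fi
```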
