On Mon, Jun 03, 2019 at 04:11:42PM +0000, ronpunz wrote:
> 
> On 6/3/19 12:10 PM, unman wrote:
> > On Mon, Jun 03, 2019 at 09:28:01AM +0000, ronpunz wrote:
> > > On 6/3/19 12:54 AM, unman wrote:
> > > > On Sun, Jun 02, 2019 at 06:24:33PM +0000, ronpunz wrote:
> > > > > On 6/2/19 3:11 PM, unman wrote:
> > > > > > On Sun, Jun 02, 2019 at 02:04:57PM +0000, ronpunz wrote:
> > > > > > > On 6/2/19 1:46 PM, unman wrote:
> > > > > > > > On Sun, Jun 02, 2019 at 01:41:48PM +0000, ronpunz wrote:
> > > > > > > > > On 6/2/19 1:06 AM, unman wrote:
> > > > > > > > > > > Not sure which direction to go next and to be honest, 
> > > > > > > > > > > feel a bit out of my
> > > > > > > > > > > depth. When I started this task I thought there was a 
> > > > > > > > > > > simple correlation
> > > > > > > > > > > between openFW to sys-net and fw to sys-firewall. In 
> > > > > > > > > > > reality it seems a
> > > > > > > > > > > fair bit more complicated than that. For example, fw 
> > > > > > > > > > > seems to have a dual
> > > > > > > > > > > firewall and network interface role?
> > > > > > > > > > > 
> > > > > > > > > > I don't understand what this means.
> > > > > > > > > > There is simple correlation as you describe, it's just that 
> > > > > > > > > > fw needs to
> > > > > > > > > > do a little more work to provide the internal interface to 
> > > > > > > > > > the HVM.
> > > > > > > > > > 
> > > > > > > > > > What error do you get when you bring up em0?
> > > > > > > > > > What's the output from ifconfig?
> > > > > > > > > > 
> > > > > > > > > I note the ifconfig screen shots were missed off my reply.
> > > > > > > > > 
> > > > > > > > > They should be here
> > > > > > > > > 
> > > > > > > > I'm sorry - can you cut and paste the contents rather than 
> > > > > > > > imaging?
> > > > > > > Copy/paste as requested
> > > > > > > 
> > > > > > ??
> > > > > > I can't see the images - paste the contents in the mail.
> > > > > > 
> > > > > Sorry. I'm a bit confused. I pasted them in the mail and they're 
> > > > > viewable on
> > > > > the qubes user forum at
> > > > > https://groups.google.com/forum/#!topic/qubes-users/MpXLhz5COvM
> > > > > 
> > > > > Please let me know if there's more I can do
> > > > > 
> > > > I can't view them.
> > > > Please post the contents, not pictures.
> > > > 
> > > Gotcha. However, that's easier said than done, after trying and failing
> > > with various OCR software. To cut a long story short, I've ended up typing
> > > the whole thing out as follows:
> > > 
> > > joo# ifconfig
> > > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
> > >          index 5 priority 0 llprio 3
> > >          groups: lo
> > >          inet6 ::1 prefixlen 128
> > >          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> > >          inet 127.0.0.1 netmask 0xff000000
> > > xnf0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >          lladdr 00:16:3e:5e:6c:00
> > >          index 1 priority 0 llprio 3
> > >          media: ethernet manual
> > >          status: active
> > >          inet 10.137.0.10 netmask 0xff000000 broadcast 10.255.255.255
> > > re0: flags=8802<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
> > >          lladdr 1c:1b:0d:a4:1e:e4
> > >          index 2 priority 0 llprio 3
> > >          media: ethernet autoselect (none)
> > >          status: no carrier
> > > em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >          lladdr 68:05:ca:55:75:6f
> > >          index 3 priority 0 llprio 3
> > >          groups: egress
> > >          media: ethernet autoselect 1000baseT (full-duplex,master,rxpause,txpause)
> > >          status: active
> > > enc0: flags=0<>
> > >          index 4 priority 0 llprio 3
> > >          groups: enc
> > >          status: active
> > > pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
> > >          index 6 priority 0 llprio 3
> > >          groups: pflog
> > > 
> > > I'm now able to successfully ping 8.8.8.8 but not google.com, indicating a
> > > DNS issue?
> > > 
> > > The DNS setting in pf is:
> > > iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to 9.9.9.9
> > I'm sorry for the pain in doing this - you could always have booted the
> > openBSD qube with a USB attached, and transferred the files that way.
> > Like a sneakernet but smaller scale - a fingernet?
> > 
> > You don't say *from where* you are able to ping. Yes, this looks like a
> > DNS issue.
> > 
> > If you want to get this working from the BSD qube, then check
> > /etc/resolv.conf
> > This isn't necessary - in fact you may prefer NOT to allow outgoing
> > traffic originating from the openBSD firewall.
> > 
> > You say that rule you have is "in pf" - do you mean "in fw"?? It's just
> > not a pf thing.
> > So if it *is* in fw, and you are able to ping from fw, then this is looking good.
> > Simplest way to proceed is to set /etc/resolv.conf in fw to use 9.9.9.9
> > 
> > Give just a little more detail on what's working and from where.
> > 
> Yes, you're right I need to clarify some points.
> 
> 1/ The pinging I referred to i.e. 8.8.8.8 & google.com was from openFW
> 
> 2/ The rule I referred to in pf was a typo and as you guessed, should read
> fwVM
> 
> 3/ As suggested, I've input into /etc/resolv.conf "nameserver 9.9.9.9"
> 
> 4/ Have tried to ping from fwVM 8.8.8.8 . It returned "network is
> unreachable"
> 
> 5/ Have tried to ping from fwVM google.com . It returned "temporary failure
> in name resolution"
> 

This suggests to me that you haven't yet set a default route on fw.
You need to set route on fw to use openFW as gateway.
I think you said you can ping openFW from fw.

You also need to configure openFW to forward packets and NAT traffic,
and alter the raw table on fw to accept external traffic on the vif interface.

Testing to do:
From fw - ping openFW
ping 8.8.8.8 - use 'iptables -L -nv' to watch traffic in and out.
Look at '-t nat' and '-t raw' to see if traffic is being dropped.

on openFW:
tcpdump -i <iface>
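The two halves of the setup described above (forwarding plus NAT on openFW, a default route and raw-table exception on fw), as an added example that is not from the thread or from the Qubes project. It assumes, from the pasted ifconfig, that em0 is openFW's egress NIC and xnf0 at 10.137.0.10 faces fw; the fw-side vif name and the AppVM address range are placeholders, and the raw-table ACCEPT assumes that the vif anti-spoofing rule Qubes installs lives in that table (verify with `iptables -t raw -L -nv`).

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project.  Nothing below
# touches the host until apply_openfw / apply_fw is called there as root.
# Assumed from the pasted ifconfig: em0 is openFW's egress NIC (group "egress")
# and xnf0 at 10.137.0.10 faces fw.  FW_VIF and QUBES_NET are placeholders.
OPENFW_INT_IF="xnf0"
OPENFW_IP="10.137.0.10"
FW_VIF="vifN.0"             # placeholder: fw's vif towards openFW ('ip link')
QUBES_NET="10.137.0.0/16"   # placeholder: source range of the AppVMs behind fw

# openFW half: pf rules that accept traffic from the Qubes side on the
# internal interface and NAT it out of the egress address.
gen_pf_conf() {
    cat <<EOF
int_if = "$1"
qubes_net = "$2"
set skip on lo
block return
match out on egress inet from \$qubes_net to any nat-to (egress:0)
pass in on \$int_if inet from \$qubes_net to any
pass out on egress inet
EOF
}

# fw half: default route via openFW, plus a raw-table ACCEPT so replies from
# the Internet arriving on that vif are not dropped before routing.
# (Assumption: Qubes' per-vif anti-spoofing rule sits in the raw table; this
# exempts only the vif facing openFW, which is trusted as the upstream.)
gen_fw_cmds() {
    printf '%s\n' \
        "ip route replace default via $2 dev $1" \
        "iptables -t raw -I PREROUTING -i $1 -j ACCEPT"
}

apply_openfw() {    # run as root on openFW
    sysctl net.inet.ip.forwarding=1
    gen_pf_conf "$OPENFW_INT_IF" "$QUBES_NET" > /etc/pf.conf
    pfctl -f /etc/pf.conf
}

apply_fw() {        # run as root on fw
    gen_fw_cmds "$FW_VIF" "$OPENFW_IP" | sh -e
}

# Checks from the thread: on fw, 'iptables -L -nv', '-t nat' and '-t raw'
# counters show where packets stop; on openFW, 'tcpdump -i xnf0' / '-i em0'.
```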


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190604145916.6p4nae2roogntifk%40thirdeyesecurity.org.