On 6/4/19 2:59 PM, unman wrote:
On Mon, Jun 03, 2019 at 04:11:42PM +0000, ronpunz wrote:
On 6/3/19 12:10 PM, unman wrote:
On Mon, Jun 03, 2019 at 09:28:01AM +0000, ronpunz wrote:
On 6/3/19 12:54 AM, unman wrote:
On Sun, Jun 02, 2019 at 06:24:33PM +0000, ronpunz wrote:
On 6/2/19 3:11 PM, unman wrote:
On Sun, Jun 02, 2019 at 02:04:57PM +0000, ronpunz wrote:
On 6/2/19 1:46 PM, unman wrote:
On Sun, Jun 02, 2019 at 01:41:48PM +0000, ronpunz wrote:
On 6/2/19 1:06 AM, unman wrote:
Not sure which direction to go next and, to be honest, I feel a bit out of my
depth. When I started this task I thought there was a simple correlation
between openFW and sys-net, and between fw and sys-firewall. In reality it seems a
fair bit more complicated than that. For example, fw seems to have a dual
firewall and network interface role?

I don't understand what this means.
There is a simple correlation as you describe, it's just that fw needs to
do a little more work to provide the internal interface to the HVM.

What error do you get when you bring up em0?
What's the output from ifconfig?

I note the ifconfig screen shots were missed off my reply.

They should be here

I'm sorry - can you cut and paste the contents rather than imaging?
Copy/paste as requested

??
I can't see the images - paste the contents in the mail.

Sorry. I'm a bit confused. I pasted them in the mail and they're viewable on
the qubes user forum at
https://groups.google.com/forum/#!topic/qubes-users/MpXLhz5COvM

Please let me know if there's more I can do.

I can't view them.
Please post the contents, not pictures.

Gotcha. However, that's easier said than done, after trying and failing with
various OCR software. To cut a long story short, I've ended up typing the
whole thing out as follows:

joo# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
          index 5 priority 0 llprio 3
          groups: lo
          inet6 ::1 prefixlen 128
          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
          inet 127.0.0.1 netmask 0xff000000
xnf0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          lladdr 00:16:3e:5e:6c:00
          index 1 priority 0 llprio 3
          media: ethernet manual
          status: active
          inet 10.137.0.10 netmask 0xff000000 broadcast 10.255.255.255
re0: flags=8802<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
          lladdr 1c:1b:0d:a4:1e:e4
          index 2 priority 0 llprio 3
          media: ethernet autoselect (none)
          status: no carrier
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          lladdr 68:05:ca:55:75:6f
          index 3 priority 0 llprio 3
          groups: egress
          media: ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
          status: active
enc0: flags=0<>
          index 4 priority 0 llprio 3
          groups: enc
          status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
          index 6 priority 0 llprio 3
          groups: pflog

I'm now able to successfully ping 8.8.8.8 but not google.com. Indicating a
DNS issue?

The DNS setting in pf is:
iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to 9.9.9.9
I'm sorry for the pain in doing this - you could always have booted the
openBSD qube with a USB attached, and transferred the files that way.
Like a sneakernet but smaller scale - a fingernet?

You don't say *from where* you are able to ping. Yes, this looks like a
DNS issue.

If you want to get this working from the BSD qube, then check
/etc/resolv.conf
This isn't necessary - in fact you may prefer NOT to allow outgoing
traffic originating from the openBSD firewall.

You say that rule you have is "in pf" - do you mean "in fw"?? It's just
not a pf thing.
So if it *is* in fw, and you are able to ping from fw, then this is looking 
good.
Simplest way to proceed is to set /etc/resolv.conf in fw to use 9.9.9.9

Give just a little more detail on what's working and from where.

Yes, you're right I need to clarify some points.

1/ The pinging I referred to, i.e. 8.8.8.8 and google.com, was from openFW.

2/ The rule I referred to in pf was a typo and, as you guessed, should read
fwVM.

3/ As suggested, I've put "nameserver 9.9.9.9" into /etc/resolv.conf.

4/ Have tried to ping 8.8.8.8 from fwVM. It returned "network is
unreachable".

5/ Have tried to ping google.com from fwVM. It returned "temporary failure
in name resolution".

This suggests to me that you haven't yet set a default route on fw.
You need to set a route on fw to use openFW as gateway.
I think you said you can ping openFW from fw.

You also need to configure openFW to forward packets and NAT traffic.
And alter the raw table on fw to accept external traffic on the vif interface.

Testing to do:
From fw - ping openFW
ping 8.8.8.8 - use 'iptables -L -nv' to watch traffic in and out.
Look at '-t nat' and '-t raw' to see if traffic is being dropped.

On openFW:
tcpdump -i <iface>


Thanks

I'll make the changes and do the testing you suggested.

In the meantime, I've noticed I made an omission from your guide/notes; line 43 states "Run firewall script". Frankly, I've no idea how to do this in openFW. Could you please be more explicit?
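The following is an added example, not code from either poster. It turns the fw-side items unman lists (a default route via openFW, a nameserver in resolv.conf, and the raw-table anti-spoofing rule that would still drop return traffic arriving on the vif) into a repeatable checklist, and prints the pf.conf shape that the "forward packets and NAT traffic" step on openFW needs. All sample outputs are constructed; the interface names (em0, xnf0) and the openFW address 10.137.0.10 are taken from the ifconfig output above, and the raw-table rule shape is an assumed approximation of the Qubes anti-spoofing rule rather than a copy of it.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checklist for the fw side of the
# openFW <-> fw setup, plus the pf.conf shape for openFW. All sample outputs
# below are constructed; on a real fw feed the functions the output of
# `ip route show`, `cat /etc/resolv.conf` and `iptables -t raw -S PREROUTING`.

OPENFW_IP="10.137.0.10"   # openFW's xnf0 address, from the ifconfig output above

# 0 if the routing-table text has a default route via the given gateway.
has_default_route() {
    printf '%s\n' "$1" | grep -q "^default via $2 "
}

# 0 if the resolv.conf text names at least one nameserver.
has_nameserver() {
    printf '%s\n' "$1" | grep -Eq '^nameserver +[0-9.]+'
}

# 0 if a raw PREROUTING rule still drops packets on a vif interface whose
# source is not the VM's own address. Return traffic relayed by openFW carries
# arbitrary Internet sources, so it would hit such a rule; this is the "raw
# table" item unman mentions. The rule shape matched here is an assumption.
raw_table_drops_vif_return() {
    printf '%s\n' "$1" | grep -Eq -- '-A PREROUTING -i vif[^ ]* +! -s [0-9./]+ .*-j DROP'
}

# Run all three checks on the given texts; prints one line per check and
# returns the number of failed checks (0 means fw looks ready).
check_fw() {
    routes=$1; resolv=$2; raw=$3; failed=0
    if has_default_route "$routes" "$OPENFW_IP"; then
        echo "ok    default route via $OPENFW_IP"
    else
        echo "FAIL  no default route via $OPENFW_IP (ping 8.8.8.8 -> network unreachable)"
        failed=$((failed + 1))
    fi
    if has_nameserver "$resolv"; then
        echo "ok    nameserver configured"
    else
        echo "FAIL  no nameserver in resolv.conf (temporary failure in name resolution)"
        failed=$((failed + 1))
    fi
    if raw_table_drops_vif_return "$raw"; then
        echo "FAIL  raw table still drops non-local sources arriving on vif"
        failed=$((failed + 1))
    else
        echo "ok    raw table lets return traffic in on vif"
    fi
    return "$failed"
}

# pf.conf shape for openFW: pass traffic in from the internal xnf0 side and
# NAT it out of em0 (the egress interface). Interface names are assumed to
# match the ifconfig output above. Load it with:
#   sysctl net.inet.ip.forwarding=1 && pfctl -f /etc/pf.conf
openfw_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "xnf0"
set skip on lo
match out on $ext_if inet from $int_if:network nat-to ($ext_if)
block in
pass out
pass in on $int_if
EOF
}

# Constructed sample outputs modelling the state in the thread: pings from fw
# fail with "network is unreachable", i.e. there is no default route yet.
SAMPLE_ROUTES_BAD="10.137.0.0/24 dev vif3.0 scope link"
SAMPLE_ROUTES_OK="default via 10.137.0.10 dev vif3.0
10.137.0.0/24 dev vif3.0 scope link"
SAMPLE_RESOLV="nameserver 9.9.9.9"
SAMPLE_RAW_BAD="-P PREROUTING ACCEPT
-A PREROUTING -i vif3.0 ! -s 10.137.0.10/32 -j DROP"
SAMPLE_RAW_OK="-P PREROUTING ACCEPT"

# Usage: check_fw "$(ip route show)" "$(cat /etc/resolv.conf)" "$(iptables -t raw -S PREROUTING)"
check_fw "$SAMPLE_ROUTES_BAD" "$SAMPLE_RESOLV" "$SAMPLE_RAW_BAD"
```

Run as shown at the bottom with the real command outputs substituted; each FAIL line maps to one of the symptoms reported in the thread, and `iptables -L -nv -t raw` can confirm the drop counter moving while pinging from fw.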

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ffb51cba-1ddb-4dc3-995b-7bb66d0203ff%40riseup.net.
For more options, visit https://groups.google.com/d/optout.
