On Wed, Jun 05, 2019 at 07:28:12AM +0000, ronpunz wrote:
> 
> Thanks
> 
> I'll make the suggested changes and testing you suggested.
> 
> In the meantime, I've noticed I made an omission from your guide/notes;
> line 43 states "Run firewall script". Frankly, I've no idea how to do this
> in openFW. Could you please be more explicit?

And that's the difference between notes and a guide.

Ok - The user guide is here:
https://www.openbsd.org/faq/pf/filter.html

At a minimum, you need to do the following:
1. Configure openFW to allow forwarding.
Without this, no traffic will pass THROUGH openFW, which is what you
want.
# sysctl -w net.inet.ip.forwarding=1
# sysctl -w net.inet.ip.redirect=0

2. Configure the firewall.
In openBSD this is done in /etc/pf.conf:
Very briefly, the rules are read in order: the last matching rule
applies. You can circumvent this by putting "quick" in the rule. That
stops processing.
At a minimum, you want to allow traffic outbound, and you want
to apply NAT.
So, edit /etc/pf.conf and add rules like this:
match out on egress inet from 10.137.0.0/16 to any nat-to (egress:0)
pass out quick inet

Then reread the rules:
pfctl -f /etc/pf.conf

And check:
pfctl -sr

This is the bare minimum - you will want to configure more protection, but
that's enough to get started.

Don't forget to set the route correctly on fw, and edit the raw table to
allow external traffic to come in on the relevant vif interface.

unman
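As an added example (not part of unman's message or of Qubes/OpenBSD itself), here is one way to turn the steps above into the "firewall script" the question asks about: a POSIX sh script for the OpenBSD firewall VM that generates /etc/pf.conf from the post's two rules plus a default block, syntax-checks it with `pfctl -nf` before loading it, enables forwarding and makes that setting survive a reboot via /etc/sysctl.conf. The internal interface name `vif0.0` is an assumption (Qubes vif names vary); 10.137.0.0/16 is the network from the post. Generation and checking run anywhere; the `apply` step only runs where `pfctl` exists.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal pf "firewall script"
# for an OpenBSD firewall VM in Qubes. Interface name is an assumption.

LAN_NET="${LAN_NET:-10.137.0.0/16}"   # internal network used in the post
INT_IF="${INT_IF:-vif0.0}"             # assumption: internal vif interface

# Emit the ruleset on stdout. Beyond the two-line minimum in the post this
# adds "block log all" so anything not explicitly passed is dropped (and
# logged to pflog0, which is what you want to watch while tuning).
gen_pf_conf() {
    lan="$1"; int_if="$2"
    cat <<EOF
set skip on lo
block log all
pass in on $int_if inet from $lan to any
match out on egress inet from $lan to any nat-to (egress:0)
pass out quick inet
EOF
}

# Sanity check on generated text: must have a default block and a NAT rule.
# Returns 0 when both are present, 1 otherwise.
check_ruleset() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^block' || return 1
    printf '%s\n' "$conf" | grep -q 'nat-to (egress:0)' || return 1
    return 0
}

# Write, syntax-check, load and show the rules; enable forwarding.
# Only meaningful on the OpenBSD box, so it is skipped when pfctl is absent.
apply_ruleset() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; skipping" >&2; return 0; }
    conf=$(gen_pf_conf "$LAN_NET" "$INT_IF")
    check_ruleset "$conf" || return 1
    printf '%s\n' "$conf" > /etc/pf.conf
    pfctl -nf /etc/pf.conf || return 1      # parse only; refuse to load a broken file
    pfctl -f /etc/pf.conf                   # load the new ruleset
    sysctl net.inet.ip.forwarding=1         # allow traffic THROUGH the firewall
    sysctl net.inet.ip.redirect=0
    # sysctl -w alone is lost at reboot; /etc/sysctl.conf is read at boot
    grep -q '^net.inet.ip.forwarding=1' /etc/sysctl.conf 2>/dev/null \
        || echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
    pfctl -sr                               # confirm what is actually loaded
}

# Usage on the firewall VM:  sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ruleset || exit 1
fi
```

Running `gen_pf_conf` separately from `apply_ruleset` lets you review the ruleset before it touches /etc/pf.conf, and `pfctl -nf` is the step that catches a typo before `pfctl -f` replaces the live rules with nothing.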

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190606013051.ib2zmbw5elhuozbn%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
