On Friday, 21 August 2020 at 16:58:48 UTC+8 54th Parallel wrote: > I'm having the same issue with disposable firewalls built on > debian-10-minimal, with the minimum amount of packages, on > brand-spanking-new installations (plural) being unreliable firewalls. They > sometimes function but not all the time--and this is what's scary, because > there's no way of knowing without manually checking all the time. The > warning prompts when editing firewall rules aren't useful indicators since > they always appear regardless of whether filtering is happening. > > I ran systemctl in both and found that qubes-firewall.service is not > running in either, despite having manually activated them. I'm not a > technical person, but this seems like a pretty critical issue to me > (unreliable firewall with no indicator)--a warning about using minimal > debian as templates for firewalls should be put up somewhere highly visible. > > This unreliability has been bugging me for a while and I've been testing > and testing (to the best of my abilities) before realizing that this is > almost certainly not a user issue, so Sven, the OP, probably either ran > into the issue again, didn't know about his deactivated firewalls, or > didn't report the issue. >
After some more probing around, I think I've found the issue, and that what I wrote earlier contains inaccuracies. The unreliable firewall might not be a debian-10-minimal issue, though the warning prompt that appears whenever editing firewall rules in a connected VM is. My setup has two firewalls--one behind sys-net and another behind a VPN VM. Though the two firewalls are clones of one another, the sys-net firewall works (responds to rules set in appVMs) and the proxyVM firewall doesn't. This is what caused me to think that deb-10-min firewalls in general are unreliable--some things are connected to the net-firewall (sometimes) and most are connected to the VPN-firewall. This makes it look like the firewalls work sometimes. I have two laptops running Qubes with the same setup. Of the four firewalls, all with qubes-firewall explicitly enabled, only one actually has the qubes-firewall.service show up after typing 'systemctl | grep firewall'. Each of these firewalls were created in fresh but updated installations of 4.0.3 with the absolute minimum amount of packages (qubes-core-agent-passwordless-root (so I can configure sudo prompt), qubes-core-agent-networking, apparmor*) and the typical settings, along with qubes-vm-hardening (vm-boot-protect enabled). Any insight into this would be greatly appreciated since this is a massive headache for me. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4ce48a47-2bec-4d61-a855-5ef83b61d1f9n%40googlegroups.com.
