On Sat, Dec 12, 2020 at 02:47:49PM -0500, Stumpy wrote:
> On 12/11/20 9:22 AM, unman wrote:
> > On Fri, Dec 11, 2020 at 08:56:20AM -0500, Stumpy wrote:
> > > Is there a way to ftp to another computer on my LAN from an appvm that is
> > > using a proxyvm?
> > > 
> > > I am able to ftp to other computers when I set this appvm to just use the
> > > default firewall, but sometimes I forget to set it back to use a vpn vm; but
> > > if I have the appvm using the vpn/proxy vm then I am unable to reach any of
> > > the other computers on my LAN?
> > > 
> > > Please advise
> > > 
> > 
> > Yes - you need to adjust the firewall rules on the vpn qube to direct
> > (ftp) traffic from the source ip to the local network - you could make
> > this *highly* specific by specifying the destination in the new rule.
> 
> pardon my ignorance but how would I do that? I know it would be in settings
> -> firewall settings but after that it gets a bit fuzzy?

Well, you can't do it there, because you need to adjust the firewall
rules implemented ON the vpn qube.

> 
> > What method are you using to set up the vpn?
> > 
> 
> I used the new community vpn setup
> 

Right - but there are 2 methods outlined on that github page (if that's what
you mean by community vpn) - 3 if you include "vpn on sys-net". Did you
follow the "iptables and CLI scripts" section?

There's an added issue that you will have to consider and that is the
nature of FTP connections - when a client connects to a server, the
server may create a link back to a port specified in the original
connection: this is non-passive (active) FTP. If your FTP server does
this then you will have to enable a route through to the client qube.

The client may instead send a PASV command - then the server *may* send
back a listening port number, and the client will create a link to that
port.

So there are 4 possibilities, and the firewall rules you need will
depend on what are the capabilities of the server. Best check on that.
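
As an added illustration (not part of the original message): a small Python parser for FTP control-channel lines that reports who opens the data connection and to which address and port, which is what the firewall rule on the vpn qube has to permit. The sample lines and addresses are constructed, and the 229 (EPSV, RFC 2428) case goes beyond the two modes described above.

```python
import re

# Constructed control-channel lines for illustration (addresses are made up).
SAMPLE = [
    "PORT 10,137,0,15,195,80",                          # sent by the client
    "227 Entering Passive Mode (192,168,1,20,78,52).",  # reply to PASV
    "229 Entering Extended Passive Mode (|||50321|)",   # reply to EPSV
    "230 Login successful.",                            # no data connection
]

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # assumes the usual '|' delimiter


def _host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form: port = p1 * 256 + p2."""
    m = _SIX.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None  # malformed octet, do not build a rule from it
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def data_connection(line, server_ip):
    """Return (opener, dest_ip, dest_port) for the data connection, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):   # active: server connects back to client
        hp = _host_port(line)
        return ("server", hp[0], hp[1]) if hp else None
    if line.startswith("227"):             # passive: client connects to server
        hp = _host_port(line)
        return ("client", hp[0], hp[1]) if hp else None
    if line.startswith("229"):             # extended passive: reply carries port only
        m = _EPSV.search(line)
        if m and int(m.group(1)) <= 65535:
            return ("client", server_ip, int(m.group(1)))
    return None


def report(lines, server_ip):
    """Classify each control-channel line; None means no data connection."""
    return [data_connection(l, server_ip) for l in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE, report(SAMPLE, "192.168.1.20")):
        print(f"{line!r:55} -> {result}")
```

An opener of "server" means an inbound connection toward the client qube has to be allowed; "client" means only outbound traffic to the listed server port is needed.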

