On Saturday, 10 February 2018 21:45:30 UTC, Marek Marczykowski-Górecki wrote:
> On Fri, Feb 09, 2018 at 04:12:57PM -0800, joev...@gmail.com wrote:
> > On Friday, 9 February 2018 19:02:09 UTC-5, Alex Dubois wrote:
> > > On Friday, 9 February 2018 23:59:52 UTC, Alex Dubois wrote:
> > > > On Friday, 9 February 2018 16:36:14 UTC, joev...@gmail.com wrote:
> > > > > Yes, thanks for pointing out the typos. They are only mistakes in
> > > > > this post. I use a script running in dom0 to generate pretty much
> > > > > everything. The same script works when debian-8 is used. The
> > > > > interface is different depending on the template.
> > > >
> > > > I confirm I have the same issue.
> > > > Please note, however, that I have another PCI NIC connected to an AppVM
> > > > (my Qubes also acts as a firewall for my home network) and we have no issue
> > > > connecting outbound.
> > > > Outbound connections, as you know, do not need the PRE-ROUTING rules, so
> > > > although the problem is seen on the FORWARD rule, I suspect more that the
> > > > PRE-ROUTING rule is at fault and does not do its job.
> > > > I'll try to dig into this, however I won't have much time this week...
> > >
> > > Also, could you clarify if you've tested on FirewallVM and if here again
> > > Debian is OK and Fedora not. This might rule out issues with physical
> > > cards (which I suspect is not the problem as PRE-ROUTING does get the
> > > packet).
> >
> > Yes, if the template on sys-net is changed to Debian-8, but sys-firewall
> > (FirewallVM) is left with fedora... sys-net does send the packet to
> > sys-firewall, which then appears the same way... PREROUTING sees it, but
> > FORWARD does not.
>
> An idea: Debian doesn't have nftables installed by default, so
> qubes-firewall falls back to iptables. But not on Fedora - there nftables
> is used. This applies to both sys-net and sys-firewall.
>
> A quick test:
>
> 1. List rules:
>
> nft list table ip qubes-firewall
>
> 2. Add rule accepting traffic from eth0:
>
> nft add rule ip qubes-firewall forward meta iifname eth0 accept
Shall I test and document firewall.md all using nft if it all works (there are
some incompatibility warnings in the nftables wiki about mixing with iptables for
NAT that may require us to move fully to nft)?
I'll be happy to try (in my spare time and at my own pace) to submit PRs for all
the Qubes firewall scripts in sys-net and sys-firewall if you think it is the
right way forward.
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
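Marek's quick test turned into a small diagnostic script (an added example, not code from the thread or from the Qubes project): it reports whether the VM has nft (the Fedora case) or would fall back to iptables, then parses the forward chain of the `ip qubes-firewall` table for an accept rule on a given input interface. The table layout in the constructed sample is assumed, not captured from a Qubes VM.

```shell
#!/bin/sh
# Added example: check which backend qubes-firewall would use in this VM and
# whether the forward chain of "ip qubes-firewall" already accepts traffic
# arriving on a given interface. Table/chain names follow the nft commands
# quoted in the thread; the sample ruleset below is constructed (layout assumed).

# Print "nftables" if nft is installed (Fedora case), else "iptables" (Debian case).
firewall_backend() {
    if command -v nft >/dev/null 2>&1; then echo nftables; else echo iptables; fi
}

# Return 0 if the forward chain in the ruleset text has an accept rule whose
# iifname equals the interface, 1 otherwise.
# $1 = ruleset text (output of "nft list table ip qubes-firewall"), $2 = iface
forward_accepts_iface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[[:space:]]*chain forward/ { in_fwd = 1; next }
        in_fwd && /^[[:space:]]*}/   { in_fwd = 0 }
        in_fwd && /iifname/ && /accept/ {
            # accept both: iifname eth0  and  iifname "eth0"
            for (i = 1; i <= NF; i++) if ($i == "iifname") {
                v = $(i + 1); gsub(/"/, "", v)
                if (v == iface) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample: a forward chain with a drop policy and no eth0 accept rule.
SAMPLE_RULESET='table ip qubes-firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "vif*" counter accept
    }
}'

# Use the live table when nft is present and readable; otherwise the sample.
if [ "$(firewall_backend)" = nftables ]; then
    RULESET=$(nft list table ip qubes-firewall 2>/dev/null || printf '%s' "$SAMPLE_RULESET")
else
    RULESET=$SAMPLE_RULESET
fi

if forward_accepts_iface "$RULESET" eth0; then
    echo "forward chain already accepts traffic from eth0"
else
    echo "no accept rule for eth0 in forward chain (the test rule from the thread would add one)"
fi
```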