[qubes-users] Re: Help: Qubes dom0 update interrupted, kernel panic resulted
Just to clarify, the original abort/glitch happened after all updates were successfully *downloaded*, but during the upgrade/install process itself.

At present when I try to do:

sudo dnf check-update

I get:

Failed to synchronize cache for repo 'qubes-dom0-cached', disabling.

I have already tried doing:

qubes-dom0-update --clean

and it has no effect on the issue. I believe some packages are still "stuck" in the local qubes-dom0-cached repo, but I have no idea how to go about fixing this issue and getting back on track. Could someone please advise next steps to get this resolved? Thanks..

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1b952462-7461-4559-82a1-8be13e2792e6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Help: Qubes dom0 update interrupted, kernel panic resulted
Qubes 3.2

Last night I was updating dom0, but in the middle of the update I accidentally hit some keys on the keyboard, which I now in hindsight realize must have included Ctrl-Z. At that point the update just stopped and froze at item 13/42 which just so happened to be qubes kernel 4.14.67-1. I tried to exit the console but was told there were stopped jobs (update was backgrounded no doubt).

Not knowing any better in the moment, I force restarted my computer and retried the dom0 update. It did successfully re-download and install the new kernel, but also said that was the only new thing to be installed, and did not make any attempt to pick up where it left off and download the other remaining items, 14-through-42 of 42.

I did qubes-dom0-update a few more times with the same result - it says there's nothing new available. The system seemed to think and act as though the other packages had all already been updated/installed, even though they hadn't.

The next time I tried a reboot, the boot-up failed with a kernel panic and went into a boot loop. Choosing advanced options and using the older kernel 4.14.57-1 allowed me to boot up, and here I am.

So what should I do from here? Is there any way to force the dom0 update to refresh or redo or reset, so that it gets everything it needs to function correctly with the newer kernel? I'm not sure what command to use or what file(s) to edit in order to forcibly instruct it to re-download and install all possible missing packages, when the normal qubes-dom0-update insists there's no update available.

Right now I have a half-broken system and am not sure how to proceed. Any help would be very greatly appreciated..
[qubes-users] Intel ME Manufacturing Mode? (Lenovo)
Not just an Apple problem, as Lenovo was also mentioned in the article. Any Intel box could theoretically come this way. One way to look deep inside ME?

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251
http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html
[qubes-users] Re: Whonix-Workstation VM and associate AppVMs not connecting in Qubes 3.2
On 9/29/18 4:12 PM, 'Setherson' via qubes-users wrote:
> I am using Qubes 3.2. All TemplateVMs and dom0 have been updated sometime
> within the past week.
>
> Since about the same time, my Workstation TemplateVM and every AppVM based on
> it has been unable to connect to the internet.
>
> The Whonix Gateway TemplateVM works fine, as does the sys-whonix NetVM.
> Furthermore, all the AppVMs based on the Fedora and Debian templates work
> even when routed through sys-whonix. I also have all the TemplateVMs set to
> update through sys-whonix, and every one of them is able to do this with the
> sole exception of whonix-ws-14. So if I had to guess, I’d say the problem
> lies with the Whonix Workstation TemplateVM itself.
>
> When I try updating whonix-ws-14, it “hits” everything until the 10th
> repository. Once it gets there, the screen shows “[working]” and stays there.
>
> Has anyone else run into this problem? What steps can I take to begin
> troubleshooting it?
>
> Thanks in advance!
>

OK looks solved
https://forums.whonix.org/t/unable-to-connect-to-internet-from-within-whonix-workstation-based-appvms-qubes-3-2/6092/5

issue was autoremove removed the workstation, sigh

sudo apt-get install qubes-whonix-workstation

which looks to be about 1000 packages LOL
[qubes-users] Post installation - VMs are not starting
New Qubes user! First install today.

"Qubes-R4.0-x86_64.iso" (DD image) is installed. Downloaded today (2nd October 2018).

During the install, during options for TemplateVMs, Sys-usb, etc., the following error appeared:

--
[Dom 0] Error
['/usr/bin/qubes-prefs','default-kernel','4.14.18-1'] failed:
stdout:""
stderr: "Traceback (most recent call last):
  File "/usr/bin/qubes-prefs", line 5, in
    sys.exit(main())
  File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qubes_prefs.py", line 42, in main
    return qubesadmin.tools.qvm_prefs.process_actions(parser, args, target)
  File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_prefs.py", line 116, in process_actions
    setattr(target, args.property, args.value)
  File "/usr/lib/python3.5/site-packages/qubesadmin/base.py", line 283, in __setattr__
    str(value).encode('utf-8'))
  File "/usr/lib/python3.5/site-packages/qubesadmin/app.py" line 466, in qubesd_call
    client_socket.connect(qubesadmin.config.QUBSED.SOCKET)
FileNotFoundError: [Errno 2] No such file or directory

When I press OK, I can finish the setup and boot in Qubes OS. BUT there is no sys-net, sys-usb or any TemplateVMs.

I then used the command "sudo journalctl" in terminal.

Results (red text):
(1) "tpm tpm0: A TPM error (6) occurred attempting to read pcr value"
### in white (TPM is disabled/deactivated (0x6))
(2) "TDB: tdb_open_ex: could not open file /var/lib/xenstored/tdb: No such file or directory"
"Checking store ..."
"Checking store complete."
(3) "Failed to start Qubes OS daemon."
--2 hours later--
(4) Some ACPI errors
(5) Failed to find module 'uinput'

I have been searching GitHub and Reddit. This could be similar. #3028
https://github.com/QubesOS/qubes-issues/issues/3028#issuecomment-322330133

If it is the same problem, why do I get it when I haven't used R3.2? Remains from a previous owner? And what do I need to do to fix it?
Re: [qubes-users] Whonix-Workstation VM and associate AppVMs not connecting in Qubes 3.2
On 10/1/18 10:23 AM, Setherson wrote:
>> I should have said in my previous email that I got the same error you just
>> pasted. What I did was comment out the onion server in
>> /etc/apt/sources.list.d/whonix.list as well.
>>
>> That fixed the problem for me.
>
> Just to be absolutely clear, I meant that commenting out the onion server in
> whonix.list fixed the updating problem, not any of the other ones.
>

Another symptom is that in anon-whonix NOR whonix-ws-14, there is no whonixcheck available

strange sys-whonix-14 has whonixcheck which seems to complete fine, maybe thing to do is reinstall whonix-ws-14 at this stage ??

--
A895 0C7C A244 8E2E FD77 A3DB 180B 7D4D D158 F8B6
[qubes-users] Re: qubes-u2f not installing on templates
On 9/26/18 9:48 AM, paigemarie-sgozh3hwpm2stnjn9+b...@public.gmane.org wrote:
>
>
>> All u2f-related packages are already in stable repository (since
>> yesterday), so the above is not needed anymore.
>
> When I run `sudo apt install qubes-u2f` in my Debian template or `sudo dnf
> install qubes-u2f` in my Fedora template, I get errors about not being able
> to locate or match the package.
>
> I was able to install the dom0 package.
>
> I'm using Qubes v3.2
>

Debian-9 and Fedora-28 Templates ?
[qubes-users] Re: Installation, no AMD-vi, interrupt mapping, etc.
On Tuesday, October 2, 2018 at 09:17:43 UTC-3, Sergio Matta wrote:
> On Monday, October 1, 2018 at 19:55:24 UTC-3, Sergio Matta wrote:
> > On Monday, October 1, 2018 at 16:04:34 UTC-3, naas...@gmail.com wrote:
> > > Installation went fine except for a libxenlight config error of some
> > > kind. I still can't enable IOMMU using either of the approaches described
> > > in that Ubuntu thread, even though it successfully worked with raw Linux.
> > >
> > > What boot parameters did you add? I have the earlier rev.1 Sabertooth
> > > 990FX mobo that you have.
> > >
> > My mobo is rev.2, firmware 2901
> > I used (ivrs_ioapic[7]=00:14.0 ivrs_ioapic[8]=00:00.2). I am not using
> > anymore and my qubes 4.0 is working fine.
> >
> > But ubuntu forum has a solved solution with different ioapic:
> > Quick solution for Sabertooth 990FX (R1.0):
> > Edit file /etc/default/grub, find line "GRUB_CMDLINE_LINUX_DEFAULT=", edit
> > it to look like:
> > Code:
> > GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ivrs_ioapic[7]=00:14.0 ivrs_ioapic[8]=00:00.1"
> >
> > There is iommu info here too:
> > from Xen https://wiki.xen.org/wiki/VTd_HowTo
> >
> > If you can not solve the iommu problem, change all vms to PV. Maybe this is
> > the cause of libxenlight error. Change all vms to PV, including sys-net.
> > Later I will send you the commands to start networking.
> > My cpu is an AMD 1100T and PVH is not much faster than PV.
>
> If you want to test it without iommu:
> Change the VMs to PV, including sys-net and sys-firewall (qvm-prefs yourvmname virt_mode PV)
> Using sys-firewall terminal do:
> sudo cp /etc/resolv2.conf /etc/resolv.conf (resolv2.conf has your preferred nameservers)
> ping -c 2 10.137.0.8 (to create vif interface)
> sudo ip link set vif3.0 up
> sudo ip addr add 10.137.0.4/255.255.255.255 dev vif3.0
> sudo ip route add 10.137.0.8/255.255.255.255 dev vif3.0
> - Save the commands above in /rw/config/rc.local and make it executable
> (chmod +x /rw/config/rc.local):
> Using sys-net terminal do:
> Save them in /rw/config/rc.local and make it executable:
> ip link set vif2.0 up
> ip addr add 10.137.0.3/255.255.255.255 dev vif2.0
> ip route add 10.137.0.4 dev vif2.0
> It should work.

PS: in the command "sudo ip route add 10.137.0.8/255.255.255.255 dev vif3.0", change the 10.137.0.8 to your correct VM IP
[qubes-users] Re: Installation, no AMD-vi, interrupt mapping, etc.
On Monday, October 1, 2018 at 19:55:24 UTC-3, Sergio Matta wrote:
> On Monday, October 1, 2018 at 16:04:34 UTC-3, naas...@gmail.com wrote:
> > Installation went fine except for a libxenlight config error of some kind.
> > I still can't enable IOMMU using either of the approaches described in that
> > Ubuntu thread, even though it successfully worked with raw Linux.
> >
> > What boot parameters did you add? I have the earlier rev.1 Sabertooth 990FX
> > mobo that you have.
> >
> My mobo is rev.2, firmware 2901
> I used (ivrs_ioapic[7]=00:14.0 ivrs_ioapic[8]=00:00.2). I am not using
> anymore and my qubes 4.0 is working fine.
>
> But ubuntu forum has a solved solution with different ioapic:
> Quick solution for Sabertooth 990FX (R1.0):
> Edit file /etc/default/grub, find line "GRUB_CMDLINE_LINUX_DEFAULT=", edit it
> to look like:
> Code:
> GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ivrs_ioapic[7]=00:14.0 ivrs_ioapic[8]=00:00.1"
>
> There is iommu info here too:
> from Xen https://wiki.xen.org/wiki/VTd_HowTo
>
> If you can not solve the iommu problem, change all vms to PV. Maybe this is
> the cause of libxenlight error. Change all vms to PV, including sys-net.
> Later I will send you the commands to start networking. My cpu is an AMD 1100T and PVH is not much faster than PV.

If you want to test it without iommu:
Change the VMs to PV, including sys-net and sys-firewall (qvm-prefs yourvmname virt_mode PV)
Using sys-firewall terminal do:
sudo cp /etc/resolv2.conf /etc/resolv.conf (resolv2.conf has your preferred nameservers)
ping -c 2 10.137.0.8 (to create vif interface)
sudo ip link set vif3.0 up
sudo ip addr add 10.137.0.4/255.255.255.255 dev vif3.0
sudo ip route add 10.137.0.8/255.255.255.255 dev vif3.0
- Save the commands above in /rw/config/rc.local and make it executable (chmod +x /rw/config/rc.local):
Using sys-net terminal do:
Save them in /rw/config/rc.local and make it executable:
ip link set vif2.0 up
ip addr add 10.137.0.3/255.255.255.255 dev vif2.0
ip route add 10.137.0.4 dev vif2.0
It should work.
Re: [qubes-users] Question before buying a new laptop
On 10/02/2018 04:53 AM, ben.thomp...@vfemail.net wrote:
> Hi,
> some time ago i discovered qubes, but my laptop did not support it and i
> did not follow the developments.
> Now my old laptop is broken and i am about to buy a new one.

This question has been asked and then answered like 20+ times by me, twice in the last week.

>
> I have a few questions:
> How well does passing a dedicated graphics card to a vm work / is gaming
> in a vm feasible or do i still need dual-boot?

Yeah very feasible many people do it including me.

Of course you need the right system you would need an eGPU capable laptop such as the W520 which you should install a quad core ivy bridge cpu in so you get pci-e 3.0 for the expresscard slot.

As always I recommend installing coreboot - the ivy/sandy coreboot port has open cpu/ram init and supports me cleaner to nerf your me (again disabling is impossible)

I would probably just pick up a workstation board like the KCMA-D8 though as laptop dgpu gaming needs an external monitor if you want to do it in a VM.

>
> Did anyone try a Lenovo Legion Y530 and can me write how well it works
> with qubes? (i would upgrade the ram to 16 or 32 GB)
> (I did not see any entry in the list (https://www.qubes-os.org/hcl/).)
>
> Best
> ben
>
>
> -
>
> ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of
> the NSA's hands!

Haha.

> $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No
> bandwidth quotas!

No such thing as a lifetime account FYI, eventually these services get too top heavy and run out of money.
Re: [qubes-users] nftables vs iptables
On 10/1/18 11:48 PM, mfreemon wrote:
> What is the best practice recommendation on this (for R4, Fedora
> 28 template)? Are we to be using, exclusively, nftables in R4?

The intended benefit was that in case of nftables the qubes firewall does not need to be reloaded all the time.

But: as long as nftables is not a complete iptables replacement, Qubes still needs iptables too.

My personal opinion is that this mixed setup is causing more confusion, and does not provide any real benefits at all.

--
Zrubi
[qubes-users] boot qubes with detached luks header on sdcard ?
I wonder if I could encrypt my (only) disc in a "headerless" mode and store the header on a separate sdcard. Once any linux-type system is completely booted this is easy. But can the qubes bootloader do that? (this needs to find and mount the sdcard first, then fetch the header there). Some experience with that?

Cheers, Bernhard
[qubes-users] Question before buying a new laptop
Hi,
some time ago i discovered qubes, but my laptop did not support it and i did not follow the developments.
Now my old laptop is broken and i am about to buy a new one.

I have a few questions:
How well does passing a dedicated graphics card to a vm work / is gaming in a vm feasible or do i still need dual-boot?

Did anyone try a Lenovo Legion Y530 and can me write how well it works with qubes? (i would upgrade the ram to 16 or 32 GB)
(I did not see any entry in the list (https://www.qubes-os.org/hcl/).)

Best
ben
Re: [qubes-users] nftables vs iptables
On 10/2/18 1:32 AM, Chris Laprise wrote:
> On 10/01/2018 05:48 PM, mfreemon wrote:
>> On 1/11/18 3:01 PM, Chris Laprise wrote:
>> > On 01/10/2018 03:47 PM, Connor Page wrote:
>> >> The official templates use nftables so shouldn’t be mixed with
>> >> iptables. I didn’t have time to learn about nftables, so just removed
>> >> nftables package from debian 9 template. YMMV.
>> >>
>> >
>> > Hmmm, I was just thinking how Qubes' own guest scripts still use
>> > iptables even in fedora-26.
>> >
>> > IIUC, iptables and nft are two different interfaces to netfilter. I
>> > don't know if it really matters, at least for the R4.0 window. I'd
>> > prefer to put the syntax change (for docs) off until a later release.
>>
>> I was recently thrown by the mix of both nftables and iptables in R4.
>>
>> The qubes docs don't clarify much. The qubes firewall scripts use
>> nft. Most of the discussion on the qubes website documentation is
>> about iptables, but there are also a few mentions of nft. The upgrade
>> instructions (going from R3.2 to R4) did not mention converting rules
>> from iptables to nftables. It looks like other related projects (one
>> example is qubes-tunnel) are using iptables.
>>
>> Just reading a few things and trying to come up to speed, I get the
>> impression that nftables and iptables should not both be used at the
>> same time. Even if technically possible (i.e. both sets of rules
>> applied correctly), it strikes me as not a great idea to maintain
>> packet filtering rules in two different ways.
>>
>> What is the best practice recommendation on this (for R4, Fedora 28
>> template)? Are we to be using, exclusively, nftables in R4?
>
> The last I read about this (for 4.0) is that nftables is used in Fedora
> Qubes code, but Debian Qubes is still using iptables. That still appears
> to be the case since nftables is not installed in my debian-9 templates.
>
> I've submitted qubes-tunnel to Qubes with iptables commands only, with
> the intention to transition to nftables (or that other new interface in
> Linux, name escapes me just now) for Qubes 4.1. Someone who is just
> starting a project might be better off going with nftables.

... until yet another packet filtering mechanism replaces nftables (in that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how it is widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it wasn't worth it. The OP's post confirms there's quite some confusion about how it interacts with iptables, and the official documentation is far from helpful.

I'm quite proficient with iptables and networking in general but it took me half an hour to understand how to tweak Qubes' nftables rules last time I wanted to change something in the firewall, while I would have done that task in less than one minute with iptables. I could have spent a few hours learning nftables to improve the official doc but at my age I prefer to spend time learning tech that significantly improves things (eg. Qubes OS over standard linux distribution) over losing time learning stuff that is only marginally better.

Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2] https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500