Re: [qubes-users] DNS issues after Debian template update

2017-04-25 Thread Unman
On Tue, Apr 25, 2017 at 08:30:17AM -0700, adonis28...@gmail.com wrote:
> On Monday, April 24, 2017 at 4:06:11 PM UTC-4, Unman wrote:
> > On Mon, Apr 24, 2017 at 11:33:58AM -0700 wrote:
> > > On Sunday, April 23, 2017 at 6:20:33 PM UTC-4, Chris Laprise wrote:
> > > > On 04/23/2017 05:50 PM,  wrote:
> > > > > Would you mind sharing these files with me from your Debian 8 
> > > > > template to see if I can find what the problem is?!
> > > > >
> > > > > Unman, no I haven't enabled anything. I got a Debian 8 template, 
> > > > > almost clean, and then a bunch of AppVMs using it as a template.
> > > > >
> > > > > Cheers.
> > > > >
> > > > 
> > > > It turns out those two scripts I mentioned were not changed in the 
> > > > latest update (although qubes-setup-dnat-to-ns was changed slightly in 
> > > > a way that should have no bearing here).
> > > > 
> > > > It appears that qubes-ns is not normally created in an appVM, anyway. 
> > > > Running 'setup-ip' and 'qubes-setup-dnat-to-ns' from a shell gives me 
> > > > the same errors you posted.
> > > > 
> > > > Perhaps the cause is simpler: You may have inadvertently set the netVM 
> > > > for that appVM to 'none' or enabled blocking in the firewall settings.
> > > > 
> > > > -- 
> > > > 
> > > > Chris Laprise, tas...@openmailbox.org
> > > > https://twitter.com/ttaskett
> > > > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > > 
> > > Hi,
> > > 
> > > The thing is that when I set up the DNS servers manually by modifying the 
> > > /etc/hosts file to let's say 8.8.8.8, everything works properly! I think 
> > > the problem is that for some reason the iptables rules are not being 
> > > created, so the appVM can't connect.
> > > 
> > > Cheers.
> > > 
> > 
> > It's still not entirely clear to me what's going on.
> > I assume that you are changing /etc/resolv.conf rather than hosts - if
> > the latter, what entry are you putting in there?
> > And you are doing this in the appVM.
> > 
> > But the iptables rules aren't being created in the netvm to which the
> > appVM is connected.
> > Are you able to use DNS from the netVM? What is in resolv.conf there and
> > what is in iptables upstream?
> 
> Hi,
> 
> Sorry I replied from my phone in a rush, you are right what I'm modifying is 
> the resolv.conf file. When I add there let's say 8.8.8.8, it resolves, so the 
> problem seems to be that the template or appVMs cannot connect to sys-fw to 
> resolve DNS names, and this seems to be due to the lack of those iptables 
> rules that are not created for some reason.
> 
> The issue applies to both the template VM and the app VM.
> 

At this stage I would start again with a clean template, make sure it's
working and then run the update again. (You can always reinstall the
original template from your install medium, if you didn't clone it, which
I hope you did.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170425183123.GB30040%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] DNS issues after Debian template update

2017-04-25 Thread adonis28850
On Monday, April 24, 2017 at 4:06:11 PM UTC-4, Unman wrote:
> On Mon, Apr 24, 2017 at 11:33:58AM -0700 wrote:
> > On Sunday, April 23, 2017 at 6:20:33 PM UTC-4, Chris Laprise wrote:
> > > On 04/23/2017 05:50 PM,  wrote:
> > > > Would you mind sharing these files with me from your Debian 8 template 
> > > > to see if I can find what the problem is?!
> > > >
> > > > Unman, no I haven't enabled anything. I got a Debian 8 template, almost 
> > > > clean, and then a bunch of AppVMs using it as a template.
> > > >
> > > > Cheers.
> > > >
> > > 
> > > It turns out those two scripts I mentioned were not changed in the 
> > > latest update (although qubes-setup-dnat-to-ns was changed slightly in a 
> > > way that should have no bearing here).
> > > 
> > > It appears that qubes-ns is not normally created in an appVM, anyway. 
> > > Running 'setup-ip' and 'qubes-setup-dnat-to-ns' from a shell gives me 
> > > the same errors you posted.
> > > 
> > > Perhaps the cause is simpler: You may have inadvertently set the netVM 
> > > for that appVM to 'none' or enabled blocking in the firewall settings.
> > > 
> > > -- 
> > > 
> > > Chris Laprise, tas...@openmailbox.org
> > > https://twitter.com/ttaskett
> > > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > 
> > Hi,
> > 
> > The thing is that when I set up the DNS servers manually by modifying the 
> > /etc/hosts file to let's say 8.8.8.8, everything works properly! I think 
> > the problem is that for some reason the iptables rules are not being 
> > created, so the appVM can't connect.
> > 
> > Cheers.
> > 
> 
> It's still not entirely clear to me what's going on.
> I assume that you are changing /etc/resolv.conf rather than hosts - if
> the latter, what entry are you putting in there?
> And you are doing this in the appVM.
> 
> But the iptables rules aren't being created in the netvm to which the
> appVM is connected.
> Are you able to use DNS from the netVM? What is in resolv.conf there and
> what is in iptables upstream?

Hi,

Sorry I replied from my phone in a rush, you are right what I'm modifying is 
the resolv.conf file. When I add there let's say 8.8.8.8, it resolves, so the 
problem seems to be that the template or appVMs cannot connect to sys-fw to 
resolve DNS names, and this seems to be due to the lack of those iptables rules 
that are not created for some reason.

The issue applies to both the template VM and the app VM.



Re: [qubes-users] DNS issues after Debian template update

2017-04-23 Thread Chris Laprise

On 04/23/2017 05:50 PM, adonis28...@gmail.com wrote:

> Would you mind sharing these files with me from your Debian 8 template to see 
> if I can find what the problem is?!
>
> Unman, no I haven't enabled anything. I got a Debian 8 template, almost clean, 
> and then a bunch of AppVMs using it as a template.
>
> Cheers.



It turns out those two scripts I mentioned were not changed in the 
latest update (although qubes-setup-dnat-to-ns was changed slightly in a 
way that should have no bearing here).


It appears that qubes-ns is not normally created in an appVM, anyway. 
Running 'setup-ip' and 'qubes-setup-dnat-to-ns' from a shell gives me 
the same errors you posted.


Perhaps the cause is simpler: You may have inadvertently set the netVM 
for that appVM to 'none' or enabled blocking in the firewall settings.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] DNS issues after Debian template update

2017-04-23 Thread Unman
On Sun, Apr 23, 2017 at 02:40:12PM -0400, Chris Laprise wrote:
> On 04/23/2017 01:33 PM, adonis28...@gmail.com wrote:
> >Hi guys,
> >
> >I've updated my Debian 8 template, and for some reason it's messed up the 
> >DNS-related iptables rules.
> 
> This still works on my Debian 8 proxyVM. Haven't tried appVM yet as I
> normally use Debian 9.
> 
> >
> >I've narrowed the problem down to this script:
> >
> >/usr/lib/qubes/qubes-setup-dnat-to-ns
> >---
> 
> >When I run it as it is, I get the following error:
> >
> >user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns
> >
> >/usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No 
> >such file or directory
> 
> Two scripts that create /var/run/qubes/qubes-ns are:
>   setup-ip
>   network-proxy-setup.sh
> 
> If you have a snapshot of your Debian 8 template, you could diff those files
> to see if they changed (acquired a bug).
> 

Like Chris, I don't see this problem with my Debian qubes - 8 or 9
based.
/var/run/qubes/qubes-ns isn't a script, as OP suggested - it's a file
containing the NS1 and NS2 variables. In a qube it's written from
setup-ip.

You haven't somehow enabled networkManager in that appVM, have you?



Re: [qubes-users] DNS issues after Debian template update

2017-04-23 Thread Chris Laprise

On 04/23/2017 01:33 PM, adonis28...@gmail.com wrote:

> Hi guys,
>
> I've updated my Debian 8 template, and for some reason it's messed up the 
> DNS-related iptables rules.


This still works on my Debian 8 proxyVM. Haven't tried appVM yet as I 
normally use Debian 9.




> I've narrowed the problem down to this script:
>
> /usr/lib/qubes/qubes-setup-dnat-to-ns
> ---
>
> When I run it as it is, I get the following error:
>
> user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns
>
> /usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No 
> such file or directory


Two scripts that create /var/run/qubes/qubes-ns are:
  setup-ip
  network-proxy-setup.sh

If you have a snapshot of your Debian 8 template, you could diff those 
files to see if they changed (acquired a bug).


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] DNS issues after Debian template update

2017-04-23 Thread adonis28850
Hi guys,

I've updated my Debian 8 template, and for some reason it's messed up the 
DNS-related iptables rules.

I've narrowed the problem down to this script:

/usr/lib/qubes/qubes-setup-dnat-to-ns
---
#!/bin/sh
addrule()
{
    if [ $FIRSTONE = yes ] ; then
        FIRSTONE=no
        RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1"
        RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
    else
        RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
        NS=$NS2
    fi
}
export PATH=$PATH:/sbin:/bin
. /var/run/qubes/qubes-ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 |
(
    while read x y z ; do
        addrule "$y"
    done
    (echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | 
    iptables-restore -n
)
---

When I run it as it is, I get the following error:

user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns

/usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No 
such file or directory

I've commented out the line that runs that script (which is not present in the 
system), and it doesn't do anything as this line exits the script ($NS1 is 
empty):

if [ "X"$NS1 = "X" ] ; then exit ; fi

So I've also commented out that line so the rules can get added, but, I get an 
error when the script adds the rules:

Bad argument `udp'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

It complains about '[...] -p udp [...]'

I'm not sure why I'm running into all these errors, as everything worked just 
fine before! Any ideas or suggestions are appreciated

Cheers.
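
The failure reported in the post above, modelled as an added example (not part of the original message and not Qubes code): with NS1 empty, the script's rule template leaves -d without an address, so the next token, -p, is consumed as its argument and udp is left over, which is consistent with the "Bad argument `udp'" error. The helper names and sample addresses are assumptions made for the illustration; the guarded builder refuses to emit rules when an address is missing or malformed.

```shell
#!/bin/sh
# Added example, not Qubes code: models the rule text without calling iptables.
# All addresses are constructed sample values.
SAMPLE_NS1=10.137.2.1
SAMPLE_NS2=10.137.2.254
SAMPLE_RESOLVER=192.168.1.1

# Same template as the udp rule lines in the posted script:
# $1 = virtual DNS address (NS1 or NS2), $2 = resolver taken from resolv.conf.
rule_line() {
    echo "-A PR-QBS -d $1 -p udp --dport 53 -j DNAT --to $2"
}

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    return 0
}

# Fails when -d or --to is not followed by an address, which is the shape an
# empty NS1/NS2 produces ("-d -p udp ...").
rule_is_wellformed() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in -d|--to) is_ipv4 "${2:-}" || return 1 ;; esac
        shift
    done
    return 0
}

# Guarded builder: NS1 NS2 RESOLVER -> iptables-restore input on stdout, or
# status 1 and no output when any address is missing or malformed.
build_payload() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "refusing: bad address '$addr'" >&2; return 1; }
    done
    printf '%s\n' "*nat" "$(rule_line "$1" "$3")" "$(rule_line "$2" "$3")" COMMIT
}

build_payload "$SAMPLE_NS1" "$SAMPLE_NS2" "$SAMPLE_RESOLVER"
build_payload "" "" "$SAMPLE_RESOLVER" || echo "empty NS1/NS2 rejected"
```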
