Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-13 Thread Ivan Mitev



fix:

qvm-features fedora-26-minimal qubes-firewall 1

out of curiosity I tried to find where/when this feature is set for the
default fedora-26 template: there's a comment in qubes/ext/core_features.py
that says '[this feature] can be freely enabled or disabled by template' but
I don't understand what it's supposed to mean - whether the template
automatically sets it somehow (but then how ?) or if it can be set for each
template. It's probably the latter; in that case maybe the feature is set by
the template's rpm postscripts (but then I couldn't find any mention of
"qvm-features" in the qubes-builder-fedora repo).


See here: https://github.com/QubesOS/qubes-issues/issues/2829

In short: there is a qubes.PostInstall service called just after template
installation, to let template advertise supported features. I think it
should be also called automatically after installing new packages (or
even updating existing), because that can influence supported features -
like in this case.


Ah, everything makes sense now...



You can try triggering it manually. From the template call

 /etc/qubes-rpc/qubes.PostInstall


Yep, it works.

for other people reading this thread, this amounts to:

qvm-features-request qubes-firewall=1
qvm-features-request --commit



Issue for tracking this problem: 
https://github.com/QubesOS/qubes-issues/issues/3579


thanks !

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f75376ef-54ee-366b-0485-c3a0a8d5ce4e%40maa.bz.
For more options, visit https://groups.google.com/d/optout.
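
An added example, not part of the thread or of the Qubes project's code: a dom0 helper that reports whether a qube, or failing that its template, advertises the `qubes-firewall` feature discussed above. The `QVM_FEATURES`/`QVM_PREFS` override variables and the qube-then-template lookup order are assumptions of this example.

```shell
#!/bin/sh
# Run in dom0. The two command names can be overridden for a dry run
# (these override variables are an assumption of this example).
QVM_FEATURES="${QVM_FEATURES:-qvm-features}"
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# feature_state QUBE FEATURE
# Prints one of: enabled, disabled, unset.
# qvm-features exits non-zero when the feature is not set at all;
# a feature set to a false value is stored as an empty string.
feature_state() {
    if value=$("$QVM_FEATURES" "$1" "$2" 2>/dev/null); then
        if [ -n "$value" ]; then echo enabled; else echo disabled; fi
    else
        echo unset
    fi
}

# firewall_support QUBE
# Looks at the qube's own 'qubes-firewall' feature first and falls back to
# its template (assumed lookup order). Prints "<state> <where>" and
# returns 0 only when the state is "enabled".
firewall_support() {
    qube=$1
    where=$qube
    state=$(feature_state "$qube" qubes-firewall)
    if [ "$state" = unset ]; then
        # Template qubes and standalone qubes have no 'template' property;
        # qvm-prefs fails for them and the qube's own state is reported.
        if template=$("$QVM_PREFS" "$qube" template 2>/dev/null) \
                && [ -n "$template" ]; then
            state=$(feature_state "$template" qubes-firewall)
            where=$template
        fi
    fi
    echo "$state $where"
    [ "$state" = enabled ]
}

# Report on every qube named on the command line, e.g.:
#   sh check-fw-feature.sh sys-firewall
for q in "$@"; do
    printf '%s: ' "$q"
    firewall_support "$q" || true
done
```

An `unset` result for the template is the state in which the settings dialog shows the warning quoted in this thread, even though the rules are enforced.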


Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-13 Thread Marek Marczykowski-Górecki

On Tue, Feb 13, 2018 at 10:29:33AM +0200, Ivan Mitev wrote:
> 
> 
> On 02/12/2018 07:12 PM, Ivan Mitev wrote:
> > 
> > 
> > On 02/12/2018 06:47 PM, Unman wrote:
> > > On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> > > > 
> > > > 
> > > > On 02/12/2018 06:26 PM, Unman wrote:
> > > > > On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> > > > > > 
> > > > > > 
> > > > > > On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > > > > > > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev 
> > > > > > > wrote:
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > In an effort to decrease R4's memory consumption I'm replacing 
> > > > > > > > the
> > > > > > > > default fedora-26 template with a customized one
> > > > > > > > based on the official
> > > > > > > > minimal fedora-26 template.
> > > > > > > > 
> > > > > > > > I installed additional RPMs according to the documentation [1] 
> > > > > > > > and
> > > > > > > > everything seems to be working well, with a noticeable decrease 
> > > > > > > > of
> > > > > > > > memory usage. However I get the following error when opening a 
> > > > > > > > VM's
> > > > > > > > firewall settings gui:
> > > > > > > > 
> > > > > > > > "The 'work' qube is network connected to
> > > > > > > > 'sys-firewall', which does not
> > > > > > > > support firewall!
> > > > > > > > You may edit the 'work' qube firewall rules, but
> > > > > > > > these will not take any
> > > > > > > > effect until you connect it to a working Firewall qube."
> > > > > > > > 
> > > > > > > > But again, everything seems to work fine: the firewall rules are
> > > > > > > > properly enforced, there's no problem with net
> > > > > > > > connectivity, the update
> > > > > > > > proxy is working, ...
> > > > > > > > 
> > > > > > > > There's no error message when sys-firewall is based on the 
> > > > > > > > default
> > > > > > > > fedora-26 template so I'm likely missing
> > > > > > > > something but I don't see what.
> > > > > > > > I compared the qubes rpms installed in both
> > > > > > > > templates but didn't notice
> > > > > > > > anything striking. Maybe there's a flag/preference or something 
> > > > > > > > that
> > > > > > > > needs to be set but I don't see where.
> > > > > > > > 
> > > > > > > > Any ideas ?
> > > > > > > > 
> > > > > > > > Thanks
> > > > > > > > Ivan
> > > > > > > > 
> > > > > > > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > > > > > > 
> > > > > > > 
> > > > > > > It sounds odd, it usually should work changing the
> > > > > > > template. My initial thought-line on this issue goes
> > > > > > > like this, maybe it can be of use.
> > > > > > > 
> > > > > > > Is the iptable firewall package installed in the minimal template?
> > > > > > > 
> > > > > > > I'm thinking it may be iptables that is missing,
> > > > > > > since minimal templates can be used for offline
> > > > > > > purposes too, then iptables is probably not included
> > > > > > > like most other things that has been removed.
> > > > > > 
> > > > > > iptables is installed (that's one of the first thing I
> > > > > > checked after I saw
> > > > > > the error msg).
> > > > > > 
> > > > > > 
> > > > > > [...]
> > > > > > 
> > > > > > > - If Qubes tools are installed, networking works
> > > > > > > etc, and you got iptables installed already, then my
> > > > > > > thoughts are that it's likely missing
> > > > > > > system-config-*'s and the unavoidable full array of
> > > > > > > dependencies going with it.
> > > > > > 
> > > > > > Hmm, what are those system-config-*s you're talking about ?
> > > > > > 
> > > > > > 
> > > > > > > - Try clone the template and essentially go berserk
> > > > > > > and not holding back, install the entire
> > > > > > > system-config- array of packages, see if networking
> > > > > > > works. If not, then either something is still
> > > > > > > missing, or firewalling has nothing to do with the
> > > > > > > system-config packages.
> > > > > > > 
> > > > > > > - If it works, then try narrow down which packages
> > > > > > > that are used for firewalling, perhaps you can
> > > > > > > reduce the amount of dependency packages being
> > > > > > > pulled if you install just the package that firewall
> > > > > > > is using.
> > > > > > 
> > > > > > If there aren't hardcoded changes or manual configurations made in 
> > > > > > the
> > > > > > default fedora-26 template then yes, installing the
> > > > > > exact same of rpms would
> > > > > > in theory fix the problem. But before spending significant time on
> > > > > > installing a bunch of rpms and then dissecting I thought
> > > > > > I'd ask fellow
> > > > > > users first... Maybe the cause is obvious and I'm
> > > > > > overlooking something.
> > > > > > 
> > > > > 
> > > > > I just want to check - you say that the firewall rules are properly
> > > > > enforced, and that everything works properly EXCEPT that you get a
> > > > > warning.
> > > > 
> > > > 

Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-13 Thread Yuraeitha
On Tuesday, February 13, 2018 at 9:29:40 AM UTC+1, Ivan Mitev wrote:
> On 02/12/2018 07:12 PM, Ivan Mitev wrote:
> > 
> > 
> > On 02/12/2018 06:47 PM, Unman wrote:
> >> On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> >>>
> >>>
> >>> On 02/12/2018 06:26 PM, Unman wrote:
>  On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> >
> >
> > On 02/12/2018 11:42 AM, Yuraeitha wrote:
> >> On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> >>> Hi,
> >>>
> >>> In an effort to decrease R4's memory consumption I'm replacing the
> >>> default fedora-26 template with a customized one based on the 
> >>> official
> >>> minimal fedora-26 template.
> >>>
> >>> I installed additional RPMs according to the documentation [1] and
> >>> everything seems to be working well, with a noticeable decrease of
> >>> memory usage. However I get the following error when opening a VM's
> >>> firewall settings gui:
> >>>
> >>> "The 'work' qube is network connected to 'sys-firewall', which 
> >>> does not
> >>> support firewall!
> >>> You may edit the 'work' qube firewall rules, but these will not 
> >>> take any
> >>> effect until you connect it to a working Firewall qube."
> >>>
> >>> But again, everything seems to work fine: the firewall rules are
> >>> properly enforced, there's no problem with net connectivity, the 
> >>> update
> >>> proxy is working, ...
> >>>
> >>> There's no error message when sys-firewall is based on the default
> >>> fedora-26 template so I'm likely missing something but I don't 
> >>> see what.
> >>> I compared the qubes rpms installed in both templates but didn't 
> >>> notice
> >>> anything striking. Maybe there's a flag/preference or something that
> >>> needs to be set but I don't see where.
> >>>
> >>> Any ideas ?
> >>>
> >>> Thanks
> >>> Ivan
> >>>
> >>> [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> >>
> >>
> >> It sounds odd, it usually should work changing the template. My 
> >> initial thought-line on this issue goes like this, maybe it can be 
> >> of use.
> >>
> >> Is the iptable firewall package installed in the minimal template?
> >>
> >> I'm thinking it may be iptables that is missing, since minimal 
> >> templates can be used for offline purposes too, then iptables is 
> >> probably not included like most other things that has been removed.
> >
> > iptables is installed (that's one of the first thing I checked 
> > after I saw
> > the error msg).
> >
> >
> > [...]
> >
> >> - If Qubes tools are installed, networking works etc, and you got 
> >> iptables installed already, then my thoughts are that it's likely 
> >> missing system-config-*'s and the unavoidable full array of 
> >> dependencies going with it.
> >
> > Hmm, what are those system-config-*s you're talking about ?
> >
> >
> >> - Try clone the template and essentially go berserk and not 
> >> holding back, install the entire system-config- array of packages, 
> >> see if networking works. If not, then either something is still 
> >> missing, or firewalling has nothing to do with the system-config 
> >> packages.
> >>
> >> - If it works, then try narrow down which packages that are used 
> >> for firewalling, perhaps you can reduce the amount of dependency 
> >> packages being pulled if you install just the package that 
> >> firewall is using.
> >
> > If there aren't hardcoded changes or manual configurations made in the
> > default fedora-26 template then yes, installing the exact same of 
> > rpms would
> > in theory fix the problem. But before spending significant time on
> > installing a bunch of rpms and then dissecting I thought I'd ask 
> > fellow
> > users first... Maybe the cause is obvious and I'm overlooking 
> > something.
> >
> 
>  I just want to check - you say that the firewall rules are properly
>  enforced, and that everything works properly EXCEPT that you get a
>  warning.
> >>>
> >>> Exactly.
> >>>
> >>> BTW qvm-firewall works and doesn't output any error message...
> >>>
> >>
> >> Yes, thought so - it's probably a bug in the gui code that checks
> >> connected  netvm status. Does it happen with every connected qube?
> > 
> > Yes, it happens to all the vms connected to sys-firewall.
> > 
> > I just reverted sys-firewall's template to the default f26 and there was 
> > no more error message, so it doesn't look like a bug in the gui, 
> > something is likely missing in my customized template. Just have to find 
> > what :)
> 
> figured it out quickly this morning: in qubes-manager/settings.py the 
> error message is displayed when the template doesn't have the 
> 'qubes-firewall' feature.
> 
> fix:

Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-13 Thread Ivan Mitev



On 02/12/2018 07:12 PM, Ivan Mitev wrote:



On 02/12/2018 06:47 PM, Unman wrote:

On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:



On 02/12/2018 06:26 PM, Unman wrote:

On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:



On 02/12/2018 11:42 AM, Yuraeitha wrote:

On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:

Hi,

In an effort to decrease R4's memory consumption I'm replacing the
default fedora-26 template with a customized one based on the 
official

minimal fedora-26 template.

I installed additional RPMs according to the documentation [1] and
everything seems to be working well, with a noticeable decrease of
memory usage. However I get the following error when opening a VM's
firewall settings gui:

"The 'work' qube is network connected to 'sys-firewall', which 
does not

support firewall!
You may edit the 'work' qube firewall rules, but these will not 
take any

effect until you connect it to a working Firewall qube."

But again, everything seems to work fine: the firewall rules are
properly enforced, there's no problem with net connectivity, the 
update

proxy is working, ...

There's no error message when sys-firewall is based on the default
fedora-26 template so I'm likely missing something but I don't 
see what.
I compared the qubes rpms installed in both templates but didn't 
notice

anything striking. Maybe there's a flag/preference or something that
needs to be set but I don't see where.

Any ideas ?

Thanks
Ivan

[1] https://www.qubes-os.org/doc/templates/fedora-minimal/



It sounds odd, it usually should work changing the template. My 
initial thought-line on this issue goes like this, maybe it can be 
of use.


Is the iptable firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal 
templates can be used for offline purposes too, then iptables is 
probably not included like most other things that has been removed.


iptables is installed (that's one of the first thing I checked 
after I saw

the error msg).


[...]

- If Qubes tools are installed, networking works etc, and you got 
iptables installed already, then my thoughts are that it's likely 
missing system-config-*'s and the unavoidable full array of 
dependencies going with it.


Hmm, what are those system-config-*s you're talking about ?


- Try clone the template and essentially go berserk and not 
holding back, install the entire system-config- array of packages, 
see if networking works. If not, then either something is still 
missing, or firewalling has nothing to do with the system-config 
packages.


- If it works, then try narrow down which packages that are used 
for firewalling, perhaps you can reduce the amount of dependency 
packages being pulled if you install just the package that 
firewall is using.


If there aren't hardcoded changes or manual configurations made in the
default fedora-26 template then yes, installing the exact same of 
rpms would

in theory fix the problem. But before spending significant time on
installing a bunch of rpms and then dissecting I thought I'd ask 
fellow
users first... Maybe the cause is obvious and I'm overlooking 
something.




I just want to check - you say that the firewall rules are properly
enforced, and that everything works properly EXCEPT that you get a
warning.


Exactly.

BTW qvm-firewall works and doesn't output any error message...



Yes, thought so - it's probably a bug in the gui code that checks
connected  netvm status. Does it happen with every connected qube?


Yes, it happens to all the vms connected to sys-firewall.

I just reverted sys-firewall's template to the default f26 and there was 
no more error message, so it doesn't look like a bug in the gui, 
something is likely missing in my customized template. Just have to find 
what :)


figured it out quickly this morning: in qubes-manager/settings.py the 
error message is displayed when the template doesn't have the 
'qubes-firewall' feature.


fix:

qvm-features fedora-26-minimal qubes-firewall 1

out of curiosity I tried to find where/when this feature is set for the 
default fedora-26 template: there's a comment in 
qubes/ext/core_features.py that says '[this feature] can be freely 
enabled or disabled by template' but I don't understand what it's 
supposed to mean - whether the template automatically sets it somehow 
(but then how ?) or if it can be set for each template. It's probably 
the latter; in that case maybe the feature is set by the template's rpm 
postscripts (but then I couldn't find any mention of "qvm-features" in 
the qubes-builder-fedora repo).





Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-12 Thread Unman
On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> 
> 
> On 02/12/2018 06:26 PM, Unman wrote:
> > On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> > > 
> > > 
> > > On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > > > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> > > > > Hi,
> > > > > 
> > > > > In an effort to decrease R4's memory consumption I'm replacing the
> > > > > default fedora-26 template with a customized one based on the official
> > > > > minimal fedora-26 template.
> > > > > 
> > > > > I installed additional RPMs according to the documentation [1] and
> > > > > everything seems to be working well, with a noticeable decrease of
> > > > > memory usage. However I get the following error when opening a VM's
> > > > > firewall settings gui:
> > > > > 
> > > > > "The 'work' qube is network connected to 'sys-firewall', which does 
> > > > > not
> > > > > support firewall!
> > > > > You may edit the 'work' qube firewall rules, but these will not take 
> > > > > any
> > > > > effect until you connect it to a working Firewall qube."
> > > > > 
> > > > > But again, everything seems to work fine: the firewall rules are
> > > > > properly enforced, there's no problem with net connectivity, the 
> > > > > update
> > > > > proxy is working, ...
> > > > > 
> > > > > There's no error message when sys-firewall is based on the default
> > > > > fedora-26 template so I'm likely missing something but I don't see 
> > > > > what.
> > > > > I compared the qubes rpms installed in both templates but didn't 
> > > > > notice
> > > > > anything striking. Maybe there's a flag/preference or something that
> > > > > needs to be set but I don't see where.
> > > > > 
> > > > > Any ideas ?
> > > > > 
> > > > > Thanks
> > > > > Ivan
> > > > > 
> > > > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > > > 
> > > > 
> > > > It sounds odd, it usually should work changing the template. My initial 
> > > > thought-line on this issue goes like this, maybe it can be of use.
> > > > 
> > > > Is the iptable firewall package installed in the minimal template?
> > > > 
> > > > I'm thinking it may be iptables that is missing, since minimal 
> > > > templates can be used for offline purposes too, then iptables is 
> > > > probably not included like most other things that has been removed.
> > > 
> > > iptables is installed (that's one of the first thing I checked after I saw
> > > the error msg).
> > > 
> > > 
> > > [...]
> > > 
> > > > - If Qubes tools are installed, networking works etc, and you got 
> > > > iptables installed already, then my thoughts are that it's likely 
> > > > missing system-config-*'s and the unavoidable full array of 
> > > > dependencies going with it.
> > > 
> > > Hmm, what are those system-config-*s you're talking about ?
> > > 
> > > 
> > > > - Try clone the template and essentially go berserk and not holding 
> > > > back, install the entire system-config- array of packages, see if 
> > > > networking works. If not, then either something is still missing, or 
> > > > firewalling has nothing to do with the system-config packages.
> > > > 
> > > > - If it works, then try narrow down which packages that are used for 
> > > > firewalling, perhaps you can reduce the amount of dependency packages 
> > > > being pulled if you install just the package that firewall is using.
> > > 
> > > If there aren't hardcoded changes or manual configurations made in the
> > > default fedora-26 template then yes, installing the exact same of rpms 
> > > would
> > > in theory fix the problem. But before spending significant time on
> > > installing a bunch of rpms and then dissecting I thought I'd ask fellow
> > > users first... Maybe the cause is obvious and I'm overlooking something.
> > > 
> > 
> > I just want to check - you say that the firewall rules are properly
> > enforced, and that everything works properly EXCEPT that you get a
> > warning.
> 
> Exactly.
> 
> BTW qvm-firewall works and doesn't output any error message...
> 

Yes, thought so - it's probably a bug in the gui code that checks
connected  netvm status. Does it happen with every connected qube?



Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-12 Thread Ivan Mitev



On 02/12/2018 06:26 PM, Unman wrote:

On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:



On 02/12/2018 11:42 AM, Yuraeitha wrote:

On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:

Hi,

In an effort to decrease R4's memory consumption I'm replacing the
default fedora-26 template with a customized one based on the official
minimal fedora-26 template.

I installed additional RPMs according to the documentation [1] and
everything seems to be working well, with a noticeable decrease of
memory usage. However I get the following error when opening a VM's
firewall settings gui:

"The 'work' qube is network connected to 'sys-firewall', which does not
support firewall!
You may edit the 'work' qube firewall rules, but these will not take any
effect until you connect it to a working Firewall qube."

But again, everything seems to work fine: the firewall rules are
properly enforced, there's no problem with net connectivity, the update
proxy is working, ...

There's no error message when sys-firewall is based on the default
fedora-26 template so I'm likely missing something but I don't see what.
I compared the qubes rpms installed in both templates but didn't notice
anything striking. Maybe there's a flag/preference or something that
needs to be set but I don't see where.

Any ideas ?

Thanks
Ivan

[1] https://www.qubes-os.org/doc/templates/fedora-minimal/



It sounds odd, it usually should work changing the template. My initial 
thought-line on this issue goes like this, maybe it can be of use.

Is the iptable firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal templates can be 
used for offline purposes too, then iptables is probably not included like most 
other things that has been removed.


iptables is installed (that's one of the first thing I checked after I saw
the error msg).


[...]


- If Qubes tools are installed, networking works etc, and you got iptables 
installed already, then my thoughts are that it's likely missing 
system-config-*'s and the unavoidable full array of dependencies going with it.


Hmm, what are those system-config-*s you're talking about ?



- Try clone the template and essentially go berserk and not holding back, 
install the entire system-config- array of packages, see if networking works. 
If not, then either something is still missing, or firewalling has nothing to 
do with the system-config packages.

- If it works, then try narrow down which packages that are used for 
firewalling, perhaps you can reduce the amount of dependency packages being 
pulled if you install just the package that firewall is using.


If there aren't hardcoded changes or manual configurations made in the
default fedora-26 template then yes, installing the exact same of rpms would
in theory fix the problem. But before spending significant time on
installing a bunch of rpms and then dissecting I thought I'd ask fellow
users first... Maybe the cause is obvious and I'm overlooking something.



I just want to check - you say that the firewall rules are properly
enforced, and that everything works properly EXCEPT that you get a
warning.


Exactly.

BTW qvm-firewall works and doesn't output any error message...



Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-12 Thread Unman
On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> 
> 
> On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> > > Hi,
> > > 
> > > In an effort to decrease R4's memory consumption I'm replacing the
> > > default fedora-26 template with a customized one based on the official
> > > minimal fedora-26 template.
> > > 
> > > I installed additional RPMs according to the documentation [1] and
> > > everything seems to be working well, with a noticeable decrease of
> > > memory usage. However I get the following error when opening a VM's
> > > firewall settings gui:
> > > 
> > > "The 'work' qube is network connected to 'sys-firewall', which does not
> > > support firewall!
> > > You may edit the 'work' qube firewall rules, but these will not take any
> > > effect until you connect it to a working Firewall qube."
> > > 
> > > But again, everything seems to work fine: the firewall rules are
> > > properly enforced, there's no problem with net connectivity, the update
> > > proxy is working, ...
> > > 
> > > There's no error message when sys-firewall is based on the default
> > > fedora-26 template so I'm likely missing something but I don't see what.
> > > I compared the qubes rpms installed in both templates but didn't notice
> > > anything striking. Maybe there's a flag/preference or something that
> > > needs to be set but I don't see where.
> > > 
> > > Any ideas ?
> > > 
> > > Thanks
> > > Ivan
> > > 
> > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > 
> > 
> > It sounds odd, it usually should work changing the template. My initial 
> > thought-line on this issue goes like this, maybe it can be of use.
> > 
> > Is the iptable firewall package installed in the minimal template?
> > 
> > I'm thinking it may be iptables that is missing, since minimal templates 
> > can be used for offline purposes too, then iptables is probably not 
> > included like most other things that has been removed.
> 
> iptables is installed (that's one of the first thing I checked after I saw
> the error msg).
> 
> 
> [...]
> 
> > - If Qubes tools are installed, networking works etc, and you got iptables 
> > installed already, then my thoughts are that it's likely missing 
> > system-config-*'s and the unavoidable full array of dependencies going with 
> > it.
> 
> Hmm, what are those system-config-*s you're talking about ?
> 
> 
> > - Try clone the template and essentially go berserk and not holding back, 
> > install the entire system-config- array of packages, see if networking 
> > works. If not, then either something is still missing, or firewalling has 
> > nothing to do with the system-config packages.
> > 
> > - If it works, then try narrow down which packages that are used for 
> > firewalling, perhaps you can reduce the amount of dependency packages being 
> > pulled if you install just the package that firewall is using.
> 
> If there aren't hardcoded changes or manual configurations made in the
> default fedora-26 template then yes, installing the exact same of rpms would
> in theory fix the problem. But before spending significant time on
> installing a bunch of rpms and then dissecting I thought I'd ask fellow
> users first... Maybe the cause is obvious and I'm overlooking something.
> 

I just want to check - you say that the firewall rules are properly
enforced, and that everything works properly EXCEPT that you get a
warning.



Re: [qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-12 Thread Ivan Mitev



On 02/12/2018 11:42 AM, Yuraeitha wrote:

On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:

Hi,

In an effort to decrease R4's memory consumption I'm replacing the
default fedora-26 template with a customized one based on the official
minimal fedora-26 template.

I installed additional RPMs according to the documentation [1] and
everything seems to be working well, with a noticeable decrease of
memory usage. However I get the following error when opening a VM's
firewall settings gui:

"The 'work' qube is network connected to 'sys-firewall', which does not
support firewall!
You may edit the 'work' qube firewall rules, but these will not take any
effect until you connect it to a working Firewall qube."

But again, everything seems to work fine: the firewall rules are
properly enforced, there's no problem with net connectivity, the update
proxy is working, ...

There's no error message when sys-firewall is based on the default
fedora-26 template so I'm likely missing something but I don't see what.
I compared the qubes rpms installed in both templates but didn't notice
anything striking. Maybe there's a flag/preference or something that
needs to be set but I don't see where.

Any ideas ?

Thanks
Ivan

[1] https://www.qubes-os.org/doc/templates/fedora-minimal/



It sounds odd, it usually should work changing the template. My initial 
thought-line on this issue goes like this, maybe it can be of use.

Is the iptable firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal templates can be 
used for offline purposes too, then iptables is probably not included like most 
other things that has been removed.


iptables is installed (that's one of the first thing I checked after I 
saw the error msg).



[...]


- If Qubes tools are installed, networking works etc, and you got iptables 
installed already, then my thoughts are that it's likely missing 
system-config-*'s and the unavoidable full array of dependencies going with it.


Hmm, what are those system-config-*s you're talking about ?



- Try cloning the template and essentially go berserk, not holding back: 
install the entire system-config- array of packages, see if networking works. 
If not, then either something is still missing, or firewalling has nothing to 
do with the system-config packages.

- If it works, then try to narrow down which packages are used for 
firewalling, perhaps you can reduce the amount of dependency packages being 
pulled if you install just the package that firewall is using.


If there aren't hardcoded changes or manual configurations made in the 
default fedora-26 template then yes, installing the exact same set of rpms 
would in theory fix the problem. But before spending significant time on 
installing a bunch of rpms and then dissecting I thought I'd ask fellow 
users first... Maybe the cause is obvious and I'm overlooking something.




[qubes-users] Re: help with sys-firewall based on minimal f26 template

2018-02-12 Thread Yuraeitha
On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> Hi,
> 
> In an effort to decrease R4's memory consumption I'm replacing the 
> default fedora-26 template with a customized one based on the official 
> minimal fedora-26 template.
> 
> I installed additional RPMs according to the documentation [1] and 
> everything seems to be working well, with a noticeable decrease of 
> memory usage. However I get the following error when opening a VM's 
> firewall settings gui:
> 
> "The 'work' qube is network connected to 'sys-firewall', which does not 
> support firewall!
> You may edit the 'work' qube firewall rules, but these will not take any 
> effect until you connect it to a working Firewall qube."
> 
> But again, everything seems to work fine: the firewall rules are 
> properly enforced, there's no problem with net connectivity, the update 
> proxy is working, ...
> 
> There's no error message when sys-firewall is based on the default 
> fedora-26 template so I'm likely missing something but I don't see what. 
> I compared the qubes rpms installed in both templates but didn't notice 
> anything striking. Maybe there's a flag/preference or something that 
> needs to be set but I don't see where.
> 
> Any ideas ?
> 
> Thanks
> Ivan
> 
> [1] https://www.qubes-os.org/doc/templates/fedora-minimal/


It sounds odd, it usually should work changing the template. My initial 
thought-line on this issue goes like this, maybe it can be of use.

Is the iptables firewall package installed in the minimal template?

I'm thinking it may be iptables that is missing, since minimal templates can be 
used for offline purposes too, then iptables is probably not included like most 
other things that have been removed.


If iptables is not enough, then my thoughts go like this instead;

- It seems very likely to me that it is a missing package and not a missing 
configuration. Usually swapping templates just works as long as the right packages 
are installed, and no configuration required. So it "seems" that it is 
pre-configured out-of-the-box in the installed packages, for whichever package 
that is missing.

- It may be that Qubes doesn't provide firewall functionality if the existing 
packages work anyway. Why fix something that ain't broke? So there is a 
possibility you don't need the Qubes packages to fix this. If all the relevant 
Qubes agents are installed, then it's probably not this causing the issue.

- If Qubes tools are installed, networking works etc, and you got iptables 
installed already, then my thoughts are that it's likely missing 
system-config-*'s and the unavoidable full array of dependencies going with it.

- Try cloning the template and essentially go berserk, not holding back: 
install the entire system-config- array of packages, see if networking works. 
If not, then either something is still missing, or firewalling has nothing to 
do with the system-config packages.

- If it works, then try to narrow down which packages are used for 
firewalling, perhaps you can reduce the amount of dependency packages being 
pulled if you install just the package that firewall is using.
