Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access

2016-11-09 Thread SEC Tester
Thank you for the reply Unman.

You might be right about them never having internet access. Because dnf & yum 
work, I think I assumed the internet worked.

The reason I actually found this issue was because I was ping testing, trying 
to solve a problem I was having setting up a VPN ProxyVM.

(See this thread I just posted)
https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg


When I found the templates couldn't ping the internet, it sent me down this path 
trying to troubleshoot.

I can still dnf, yum, etc. now, even while on sys-firewall. So we can consider this 
"issue" solved.

Thank you Unman & Drew.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c56c6ad4-87d4-4bdf-9590-a2ddcb6dd00d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access

2016-11-09 Thread Unman
On Wed, Nov 09, 2016 at 03:00:13AM -0800, SEC Tester wrote:
> Hey Drew, Cheers for the reply.
> 
> It wasn't possible to 100% follow your instructions;
> 
> In "Global settings" it doesn't seem possible to set the default "netVM" to 
> "none". It only lists choices of netVM or ProxyVMs. I left it set to 
> "sys-firewall".
> 
> I followed the rest of your instructions. Deleted the sys-net VM, created a 
> new one.
> 
> re-assigned the network adapter with qvm-pci -a  
> 
> When setting sys-net as default netVM, the templates can ping the Internet. 
> BUT shouldn't I keep everything proxied through sys-firewall?
> 
> Or is there some reason the templates can't go through the sys-firewall and 
> must go through sys-net?
> 
> It seems more clear at this point the sys-firewall is responsible for 
> stopping the templates' internet. But I don't know why?
> 
> I could set the template netVM to sys-net, but would prefer to solve this if 
> possible?
> 
> Look forward to your reply.
> 

I think that you should look at the docs - in particular this page:
https://www.qubes-os.org/doc/software-update-vm/
and check the sections on "allowing networking for software update" and
"Updates proxy".

By default templates are prohibited from accessing the internet except
via the update proxy. This is a security measure.
If a template is compromised then all qubes based on it will be
compromised. The default setup is a small step toward providing some
protection. It restricts access from a template to the update proxy
service running on the upstream proxyVM, in your case sys-firewall.

Drew's advice addresses another issue - not yours.

I don't believe that the templates would ever have had internet access.

You say that you need internet access to install software: you can
either temporarily allow access as detailed on the above page - not
advisable because of a bug that doesn't then reset the firewall rules, so
"temporarily" is a complete misnomer - OR access the software source in a
qube and then copy it across to the template.

Perhaps I've misunderstood your problem. If so, apologies.

unman



