Re: [qubes-users] vif in user ProxyVM?
> On 08/22/2016 10:47 AM, johnyju...@sigaint.org wrote: >> I'm trying to create a ProxyVM of my own, to replace sys-firewall. >> >> I'm on 3.2rc2-testing. >> >> When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, >> but >> no vif interface appears. >> > > vif interfaces appear when you connect downstream vms to the proxyvm. Well, how about that! Right you are, there it is... Thanks. :) JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0a89b85336364ee982c4483064a30776.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] /rw/config/rc.local on debian-8
> On 2016-08-22 07:52, johnyju...@sigaint.org wrote: >> /rw/config/rc.local doesn't seem to be run on startup in debian-8 >> (3.2-testing). >> >> What is supposed to launch this? systemd, another startup script, or >> something dom0-related? >> >> I added "/rw/config/rc.local" to "/etc/rc.local" and it works, but was >> wondering what might be the official way to do this, and if this is a >> bug. >> >> Thanks. >> >> JJ >> > > Did you make it executable? > > # chmod +x /rw/config/rc.local Yes, I did. And it seems to be working. I must have been confused at some point with too many windows open in different VM's. :) Apologies for the mistaken report. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cc28d56b8823423ab20448878bedd5dd.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Le lundi 22 août 2016 17:43:35 UTC+2, Andrew David Wong a écrit : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On the contrary, we care greatly about translating the documentation into > other languages. We're working with Transifex right now to have the > documentation translated: > > https://github.com/QubesOS/qubes-issues/issues/1452 > Ok my bad, I didn't knew about this projet. Then it is fine, it would help a lot people not used to read english. > > We welcome your participation! Michael (CCed) is the main contact with > Transifex. He may have a better idea about how members of the Qubes community > like yourself can get involved. > Ok thank you, he can contact me on this email if you want me to help to traduce some pages, no problem. I don't type very fast and I'm not that young, but if you lack people to help traduce in their native langage, I can help. > > I didn't mean to suggest that it's immune to criticism. On the contrary, > constructive criticism is always welcome. > Sure, I was just a bit on nerves yesterday, sorry about that. > > However, you said, "I don't get why documentation don't address..." I was > simply explaining why. The documentation is lacking such things because no one > has contributed them. > > I think it's fair to beseech documentation contributors to consider these > things. But, in the end, it's up to them what knowledge (if any) they will > contribute. > Good point, I have thought about your answer yesterday more rested and just begun a course today about TCP/IP networks, OSI model in 7 layers to understand better how routing works, how packets travel from layer 7 to your own switch / bridge ! This is quite interesting, but my attention scattered to another one on how to convert decimals numbers into hexadecimals or binary numbers ^^ > I don't know if it's going to be useful, but yes, it was interesting to realize an IPv4 adress is coded on 32 bits, which is 4 octets, and that 1 octet reach 255 maximum in decimal form because it is coded on 8 bits, which is 2^8=256, and as you start from 0, you get this number. And that we're going to switch to IPv6 because you have only 2^32 numbers available (4,2 billions) and we are already 7,3 billions here on Earth ! That's also why I want to host my website on my own cpu bc you need energy to make a server work, Earth is dying, who cares my beginner site being unavailable 8-12 hours a day, as long as I warn folk when it opens lol. You can also think about Qubes in an ecological point of view as it centralizes different OS and allows you to avoid having more computers to preserve data : you save energy. > Those numbers make you wonder how unreal in less than 50 years we went from 1 bit (0-1), to this very simple potential electric difference coding 2 values, to a world wide web page full of data ^^ I guess we invented aliens to communicate with we didn't found (yet) so far :D Because if you think about one typo here, like my little D surrounded by 2 symbols (lol), if you think about all characters options available in all languages over the whole world for those 2 symbols, I wouldn't be surprise this beast gets so huge that it can't hold in 1 octet/1byte/256 options haha (btw in french you add e to "bit", you get a D :D). I hope you enjoy my delicate poetry on digits man lol ~ > P.S. : If quoting you fails again, please excuse me, I don't get how to do it properly inside your message :( > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJXux2fAAoJENtN07w5UDAw4wUP/j0uDCgbx80Cm714mi6vDB/Z > 8NBXlMLV6hzA8HtVW3Z2Rfo7pY/Fe8uQLskJ+h8SluWDw2srUHXSsv2ETIBsUzC9 > 0m9HaSLJU+UxO7Vc8VFi2FTiUlFKxhBnhFYWGwSqir0QI+OZP6Mx1id/MgtvGkYk > TDWtljt7hvgjR6hnX1GqU6u0Bg3O1KZHSNhcC98RQZjy9LWOgIkAPKWpK98FheYi > N5QMRTJwfrUEFIEumCf6xzG3jiolJlmGEPkKDfk9+GaKxd0koHbENMWqfvlz2Zbo > pq9gBzkW44K88pcWpS4CLkvonMDdXienRWzy7ut5kQsEfNuw4MVGMkqy9YUGkhlJ > 9mbZx8AB1yPs0LRdQpCk9noh4g4QWr9XREHQC2+FgazYQD1P4rcZDXt8r0JJdH2W > E5GJbqWWwQj+Rn0VbI4TbuXZJlw8gOeiUXRSKu821EhXu37dtiNI+XKszx8iPfXA > 9EbAd9O4hulVq3866eWX86Sc/MKnNE/Frw0M8ObHvvXnweI2VwUNMeZCJ2VKO5KG > vWQkTi83YAkHqvk8YOFCV7+oOQAyGymHZzjCUWvOWvDjBX/wtSgcmEt3rMq8MklX > G3ZFzGdkC2h2VeEqwojhMNZ1UWHNvwv+KV6ySJf5p3ZrGqZKO6olIlbZZNnT2HDe > OW2eq0Sr3P3Qtdn9iXao > =6qZC > -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0b4dfff0-4c9a-42ac-9356-8fedd7bd4306%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] QUBES Windows Tools won't install
I installed w7x64 in a HVM today, and while the tools installation took about 1 hour of the installer seemingly not doing anything, and a few of the reboots "failing", it seems to be working fine now, including network access. (R3.2rc2.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/50db401f-084a-473b-b693-df83f5dc3008%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to record screen activity on qubes?
I was about to ask this in the list. Tried recordmydesktop on an AppVM and it blacked out the whole screen. -- iuri.neocities.org -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAF0bz4Q5C7MPoWkcwS9wksJER3aP7UhR5uO_CAnEun4%3Dv-j4AA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 23 template not updating - with a blank screen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-22 09:02, 48kc5j+2yh9dxa25wb0o via qubes-users wrote: >> Probably just a temporary thing. I was able to update everything a short >> while ago with no issues. > > Unfortunately it doesn't seem to be temporarily, the updade for the > fedora23 template is still hanging. I honest don't think this is normal or > due to some problems with the yum repos. Any idea what I can do to solve > this huge latency? > Are you downloading updates over Tor (sys-whonix) or clearnet? Persistent slow/hanging downloads over Tor could be due to a bad entry guard(s). > >> That doesn't look like normal output from qubes-dom0-update. There >> should be no message about sending application list and icons to dom0, >> since that occurs in TemplateVMs, not dom0. (It would make no sense for >> dom0 to "send" something to itself.) On the other hand, that message is a >> normal part of a TemplateVM upgrade. > > Apparently that was caused since I run the upgrade of dom0 while I was > upgrading the fedora23 template at the same time. Dunno if this is the > cause, but could possibly affect it. If this isn't the normal behavior, how > can this be corrected then? > That would explain it. If you were running with --pass-io, then there would be text from both. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXuy/dAAoJENtN07w5UDAwcZUP/RC0AjhE8FhbGewNEVeHfir9 UDWuykf/EnHY9Wh0bFYfTsh8ho/5Lm5UohI+uz22kZNwYOVwTFzI/WGaWwT4+pYu cgbqSPhcWqL3p8WxucFhCmiGhAu9PLTNKngqYPnjrjUR2wlnyJaw1w7dhn55Q4IT Mne/6OYBHPitAXd1DsbPUcmuV3gGF8+L5ELPYY+uJvvJG/w2Po6Pz3V5OIcJhNe5 hU24UFMC8Fo6+rs41rEICzcGwTDnhN8HhGBIvqxAIWjvC7HJIWHwcqtbMc4EO9gG OHtIJ+2+M6HuPpfz4heo+lyl158Bjf9j+A3e13jqI9KIMFL7n7vldNwNDbwgRXLc dnMIGt/hnnotnwTraISuduq5VRU8yCHbOpEE6ChTkybI12eP2Nj7/g0XApYuD/ZN p35v5zauUyjvSKE00jcPR6Squ4eVn9+rQ0Ulgbo6jBok3CAlPXefv0QDm5nOO47s r7ucvihnJ4mwHJEPHvnQIJQjAghe1bXl9kIwtjnHn0//2o2Ql8GMX1yE112qZpdQ 6qyng37Bv+vArdfk9mFHwCPmCoJ91rnv5NTvk1qnyWD0/TP0cA//hR/PrMI1wIwm z52HcAAfnT/A8npn5AdgTeIJAg+R8Bor6PumNIPsU7GPo81mqyaUn0Olh24+pqQS Z8gY2AuQYgxlFe4AKZwi =WB/Q -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/226f881d-229d-ffc8-5ee4-b91259f70683%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] vif in user ProxyVM?
On 08/22/2016 10:47 AM, johnyju...@sigaint.org wrote: I'm trying to create a ProxyVM of my own, to replace sys-firewall. I'm on 3.2rc2-testing. When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, but no vif interface appears. vif interfaces appear when you connect downstream vms to the proxyvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aa8fa248-385b-ee7f-098c-70a3d2163a21%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Screen corruption on nvidia
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-22 08:19, johnyju...@sigaint.org wrote: >> Added testing repos to (clones of) debian-23 and debian-8 templates (as >> well as whonix-gw/whonix-ws), did upgrades/dist-updates, restarted, >> loaded up a bunch of AppVM's, and have been pounding on things awhile. >> >> No sign of screen garbage yet! :) >> >> Looks promising. > > Day 3 of banging on r3.2-testing, and zero sign of any screen corruption. > > I think it's safe to mark this one as fixed. > > JJ > > Thanks for testing and letting us know! :) - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXux/gAAoJENtN07w5UDAwzX0P/1imJfQfBAPIbzo/padV2GqD mgojWck235Hp7ojArkT8YO1c6FsLsbdgUfTYH2GbUcOTpYnpg5LC4MK/KtB3NNUh r8VRS9AvjAO8jaFu9j/C3+14+PXG96/YvTzviiT9dSx24QuXW8QTWutz9WANQnqZ p0HhcBAf2Pfpv4H99Qu4i89p53YM8lgHcyYwhYiV7EuZu1aehRLvz5g7i9/IJ3Wi EwvGpMsFBD8r317R/xzbrzhJXfdTt676pb7mQZDIHQUA9zSD2HjuBjo0dWa0vYd0 BsWUmOHnU70et4D3JJ7QSXEky0j5bhUipXL8F93paLes0M1wOJXr/UUIDPIX0K7M j5l0JTLkF/5ygnm0Bym8fqLKnarlkrpE4zSgZB4RzQ4NqpWvQ4et0deZy8TuW3Eu cqs3yNFun+U5wvC72QF5oc+taEh9+cDz1zNvgcL+TzfeSQX/wdjjI8an26DDPKXC wS4a/cVYyzMgD3zXdDkBifl/IJtoIZ+T5zY+vus0NiCnKtLVXfeBrkH4gtIuN3jU M4UPsHIXI6g47CYIrhSneAZJNS4bJNBBARqjl2cr6in7sSgT/aaH0sPh/9HBHoeN aanh3oeoXke1xK+3c8rVcr4sMo3lMJQ4P2MTiGyQ/fxvF1plW2ZH2DymdfAcW/Kq 7q8Ryxs4QzxEeeAVdN24 =xHjg -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e3b20335-d54b-a123-319f-d515961a83cc%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 23 template not updating - with a blank screen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-22 05:53, 48juya+35xih7kuzgagg via qubes-users wrote: > It seems that the updates on dom0 are also affected: > > sudo qubes-dom0-update Using sys-firewall as UpdateVM to download updates > for Dom0; this may take some time... Running command on VM: > 'sys-firewall'... Checking for dom0 updates... Last metadata expiration > check: 1 day, 16:07:48 ago on Sat Aug 20 22:40:37 2016. Dependencies > resolved. Nothing to do. Sending application list and icons to dom0 > Complete! That doesn't look like normal output from qubes-dom0-update. There should be no message about sending application list and icons to dom0, since that occurs in TemplateVMs, not dom0. (It would make no sense for dom0 to "send" something to itself.) On the other hand, that message is a normal part of a TemplateVM upgrade. > Yum command has been deprecated, redirecting to '/usr/bin/dnf > check-update'. See 'man dnf' and 'man yum2dnf' for more information. To > transfer transaction metadata from yum to DNF, run: 'dnf install > python-dnf-plugins-extras-migrate && dnf-2 migrate' > > Qubes OS Repository for Dom0 > 68 MB/s | 151 kB 00:00 Yum command has been deprecated, redirecting to > '/usr/bin/dnf -q check-update'. See 'man dnf' and 'man yum2dnf' for more > information. To transfer transaction metadata from yum to DNF, run: 'dnf > install python-dnf-plugins-extras-migrate && dnf-2 migrate' > A message stating that dnf would complain about yum being deprecated -- and that this would be safe to ignore -- should also have been printed in the dom0 terminal in which you issued qubes-dom0-update. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXux7jAAoJENtN07w5UDAwM7EP/1phXy5qRJzhFv74Wo51HvWE O/FOut8E0kcnGmbXR0PiYdLeBByUR/Rj5YXQoI6N5Eyo3vubPsc3lp2SQnuBzdL8 jFy09xwGwZzWgVGO671MF1OMJHiX2ESvjga0hZJsDeVJdDTty+rnaxL0Ps8yQt16 EpiAATNr7xaOdrRcax6jzUrkpJrY+c7CYEmalDsGG+DaqEFJRBT0OudM0GHUsd6o qAZ3AWunA2ufweyoUdm+MoF0ydcacVHQ+QTx/Wk/KNPAez+3sfNbV0ZvRJFaHQS2 weSpxvJKfNYmlC9S6P7amAA4L8wKDUR2cNOR7qwtRXjtYzPKGaMgAIG2XzUrvn37 GvBtsjQ5d2RCJvmHdDs5kEyJKd+EiBEC8K0NxEl0nYSgwr9zMAdZzHnNMIFWVAqk e+1OjRF8U3VWZmngJr6oGWKa7AO8IOyPbsYOmTJdrJ4OE/fXTRhnaAibLMMsIyeo Z2pQSO2koNrH7h4T9iIJZA46rZ/c0twQkP1RWk77yellncl+8SKXc764KVQFG8Rd IflnZRnz8R5s+b91ksYibFZTsjC6ZOStZq1b0TQuIY/ajAnqZyvgJ5gWnrFIibQz gcZWZVe8vyi0QAy1owMtJ2pbbeMkYYq4+9TJ9krMj3H7lG/fBeX+WOnTBlyidctE 604xIMgkN5ZDNfHx+pRO =nJDt -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f205f3cd-f882-835d-3f38-c3d5fa36aa8f%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 23 template not updating - with a blank screen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-22 05:25, Jeremy Rand wrote: > 48juya+35xih7kuzgagg via qubes-users: >> It seems that doing a 'dnf update --refresh' it provides some output but >> updating the repositories is taking forever: >> >> [root@fedora-23 ~]# dnf update --refresh RPM Fusion for Fedora 23 - >> Nonfree >> 1.1 MB/s | 156 kB 00:00 RPM Fusion for Fedora 23 - Free >> 3.8 kB/s | 457 kB 02:00 Qubes OS Repository for VM (updates) >> 1.0 MB/s | 286 kB 00:00 Fedora 23 - x86_64 - Updates >> 199 kB/s | 24 MB 02:03 >> >> >> Its hanging for more than 15m now, any ideas how to solve this? > > Coincdentally, this occurred to me about 20 minutes ago. Restarting the > fedora-23 TemplateVM and trying to update again fixed it for me. Might > have been a server issue on Fedora's end. > > -Jeremy Rand > Probably just a temporary thing. I was able to update everything a short while ago with no issues. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXux4jAAoJENtN07w5UDAwK3UQAKts/voKw2CTc9i+PHI8V2Ie /reVt8GcK08O5mLp2vhhyHfEAVu1qewQ1yEcGGVnYGxhus4T+gJCo4EeMbyRDsJj qxZ+lV08OkHJ2KhnDe7BVGzbX3evUKmIc4+Ibd0iC/jX4zHACvP/QZiOgM7i/wEx 3PWaM1V1yXAG8vYUsOOIJdW0F4PQs3LMHaaa//IHI6x+5HUGdsuA4tW/PSx9TIuc pCrNCFCXfuuH7Aj4Fhs7c9eNs5hCerS/O8Ps2lBlFs0d5lsqofD2uBJcnAOzyS/v xEzzh46t62Pw91HF0Zw97ysI695Fdc7EEfSvlB7Eeg/61ngDMqdOyUA3b3FeN39N fmmr6H6AZj87e2EqM7TU48/X/2N2k8eyYeV0/gqouvomu2960XBLW5LPWbBbH8DV Sy70INxL2LzgpPHCOHr2BFe/BBpj/ZMCOsHye3sVZFkg7mhy6ffqs36QRC2S2G0N 1cPaNcVpb57T8/sdAPACFCUGCgrHbupT/v0UVcyJtSkX1th18dXPLemtUAcQ/au+ UD8F3IyBOXnwrEAIrtx2guprlKDamfvZIXv6RhWedCyaCglLVWup6vGannvpFQj8 S+tFYvf3LuTV3UFf5WQfOKHqsdgyAuKKyMs9lQF61u/DyiQ8lElT3E6JPi9b+cy4 PVRmDGyPTo96tuTFU1gP =U1OP -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/054d8c19-0c60-3c63-827c-e9a2cebc8b58%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-08-22 02:47, nishiwak...@gmail.com wrote: > I would love as well to be able to host a website to share my interest for > Qubes OS with the world, or at least with people of my country sharing my > own language if you don't mind, because Qubes OS documentation looks like > imo being written mostly by native english users that don't seem to care > much for non-native english users being lost. On the contrary, we care greatly about translating the documentation into other languages. We're working with Transifex right now to have the documentation translated: https://github.com/QubesOS/qubes-issues/issues/1452 > I would this way really like to participate to some translation effort, as > I don't necessarily think you can enter easily those quite complicated > notions with your non-native language. We welcome your participation! Michael (CCed) is the main contact with Transifex. He may have a better idea about how members of the Qubes community like yourself can get involved. > Qubes documentation being largely a volonteer effort doesn't make it > immune to the critics, I didn't mean to suggest that it's immune to criticism. On the contrary, constructive criticism is always welcome. However, you said, "I don't get why documentation don't address..." I was simply explaining why. The documentation is lacking such things because no one has contributed them. > and mine is that people spending this valuable time to share their > knowledge to make people enter quite long and complicated procedures should > consider that : 1) Explaining how to do port forwarding without adressing > or refering to basic knowledge upon this concept leads to frustration, as > you necessarily need to understand a bit what's going on in order to adapt > the procedures. 2) Even if I think people mostly appreciate and are > thankful to the Qubes community developpment for the incredible security > improvement Qubes OS brings to everyone and that makes Qubes OS probably > the best OS I know so far, when security isolation somehow puts you in cage > where you encounter difficulties to communicate with rest of the world, > well that's not the goal per se :p > I think it's fair to beseech documentation contributors to consider these things. But, in the end, it's up to them what knowledge (if any) they will contribute. > But no problem, thank you for your help. I hope someone might give me some > advices on this problem, but I am already trying to learn on iptables, as > it looks like you can't unblock ports using only Qubes firewall, you have > to understand these iptables scripts ^^ > - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXux2fAAoJENtN07w5UDAw4wUP/j0uDCgbx80Cm714mi6vDB/Z 8NBXlMLV6hzA8HtVW3Z2Rfo7pY/Fe8uQLskJ+h8SluWDw2srUHXSsv2ETIBsUzC9 0m9HaSLJU+UxO7Vc8VFi2FTiUlFKxhBnhFYWGwSqir0QI+OZP6Mx1id/MgtvGkYk TDWtljt7hvgjR6hnX1GqU6u0Bg3O1KZHSNhcC98RQZjy9LWOgIkAPKWpK98FheYi N5QMRTJwfrUEFIEumCf6xzG3jiolJlmGEPkKDfk9+GaKxd0koHbENMWqfvlz2Zbo pq9gBzkW44K88pcWpS4CLkvonMDdXienRWzy7ut5kQsEfNuw4MVGMkqy9YUGkhlJ 9mbZx8AB1yPs0LRdQpCk9noh4g4QWr9XREHQC2+FgazYQD1P4rcZDXt8r0JJdH2W E5GJbqWWwQj+Rn0VbI4TbuXZJlw8gOeiUXRSKu821EhXu37dtiNI+XKszx8iPfXA 9EbAd9O4hulVq3866eWX86Sc/MKnNE/Frw0M8ObHvvXnweI2VwUNMeZCJ2VKO5KG vWQkTi83YAkHqvk8YOFCV7+oOQAyGymHZzjCUWvOWvDjBX/wtSgcmEt3rMq8MklX G3ZFzGdkC2h2VeEqwojhMNZ1UWHNvwv+KV6ySJf5p3ZrGqZKO6olIlbZZNnT2HDe OW2eq0Sr3P3Qtdn9iXao =6qZC -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4a7efd74-de1c-d72a-a345-f5c39f32d5d3%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] timesync on by default in debian-8 template (3.2-testing)
I notice in the debian-8 template that network time synchronization seems to be on by default in systemd. systemd-timesyncd.service loaded active running Network Time Synchronization time-sync.target loaded active activeSystem Time Synchronized It's disabled in fedora-23 by default, and rightly so, as I believe it's unnecessary given the dom0 driven /etc/qubes-rpc/qubes.SetDateTime mechanism, and it's kind of "leaky" sending requests unnecessarily to the Internet. Paranoidly yours, JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b9f04934f4dc333b3afc24e995a77fc3.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
[qubes-users] qvm-usb does not detect all devices, crashes
Dear all, I am unable to use qvm-usb and hope you might help me find the problem. My system is based on qubes 3.2, with qubes-usb-proxy 1.0.5 in a standard fedora-23 VM to which I assigned all my USB controllers. Whenever I start qvm-usb in a dom0 terminal, though, in order to attach my webcam to another VM, I get the following error: --- [raphael@dom0 Desktop]$ qvm-usb Invalid 2-1_6 device desc in VM 'sys-net-usb' sys-net-usb:2-1.5 8087:07da 8087_07da --- The first line actually looks garbled to me - at least I could not reconstruct how it comes about by looking at the qvm-usb sourcecode. Also, the exambles in the website documentation use a simple vm:a-b string to identify devices, while my system throws up vm:a-b.c (that's how it is written in /sys/...) or vm:a-b_c (how it is written by qvm-usb, apparently). Perhaps the problem's root is to be found here? When I run lsusb in the sys-net-usb VM, I get: --- Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 005: ID 2232:1024 Silicon Motion Bus 002 Device 004: ID 8087:07da Intel Corp. Bus 002 Device 008: ID 0bf8:101e Fujitsu Siemens Computers Bus 002 Device 007: ID 046d:c077 Logitech, Inc. M105 Optical Mouse Bus 002 Device 006: ID 1852:7022 GYROCOM C Co., LTD Bus 002 Device 003: ID 2109:2812 VIA Labs, Inc. VL812 Hub Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub --- Any advice on how to proceed would be much appreciated, Thanks, Raphael -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/42613342-4f82-c49f-d732-682975a75e45%40raphael-susewind.de. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Oddness in sys-net's VIF startup
> In trying to figure out why my ProxyVM has no VIF (on Qubes 3.2-testing) I > was looking at the dmesg's of the servicevm's, and noticed something that > looked a bit odd (running rapidly through vif interface #'s) in sys-net > (fedora23 template). > Similarly, iptables-save shows duplicate rules for the vif's: > > -A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT > --to-destination x.x.x.x > -A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT > --to-destination x.x.x.x > -A PR-QBS -d 10.137.1.254/32 -p udp -m udp --dport 53 -j DNAT > --to-destination y.y.y.y > -A PR-QBS -d 10.137.1.254/32 -p tcp -m tcp --dport 53 -j DNAT > --to-destination y.y.y.y Whoops, there's one each for tcp and udp, so the iptables rules are cool. But the duplicate interfaces still seem weird. Also FYI, /proc/net/dev: Inter-| Receive| Transmit face |bytespackets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo:6788 73000 0 0 0 6788 73000 0 0 0 enp0s0: 229463366 16497200 70 0 0 0 19397772 61227000 0 0 0 vif104.0: 3336560 22909000 0 0 0 83284242 57902000 0 0 0 vif107.0: 3094491216000 0 0 0 1332291840000 0 0 0 JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c72427d3b153c2163d08e799f6ac165c.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Screen corruption on nvidia
> Added testing repos to (clones of) debian-23 and debian-8 templates (as > well as whonix-gw/whonix-ws), did upgrades/dist-updates, restarted, loaded > up a bunch of AppVM's, and have been pounding on things awhile. > > No sign of screen garbage yet! :) > > Looks promising. Day 3 of banging on r3.2-testing, and zero sign of any screen corruption. I think it's safe to mark this one as fixed. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1be991f810cc2019d7e056e5749c0504.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Network Access dom0
On Friday, August 19, 2016 at 2:11:32 PM UTC-4, Andrew David Wong wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2016-08-17 15:06, Desobediente wrote: > > The bumblebee docs tell you to use yum/dnf without gpg. > > > > I haven't found their keys also. Normally it sits on a > > keyserver.example.com or keys.example.com > > > > Giving the circumstances, I'd guess there aren't any. > > > > There is a "just works" way to do it, but I'm not the one telling how to > > do that. Just ask them to generate gpg keys. > > > > Is the "just works" method adding "gpgcheck = 0" to the repo file? If so, then > I can understand why you wouldn't want to tell anyone how to do that, since > it'd render them vulnerable to a potential MitM attack. > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJXt0vNAAoJENtN07w5UDAwQl8QALRLtl7E/d3LLADwDnmD53a0 > kq1yxZsHzxYxV/tp6SKaScjk8GJa0p80gX27QEWLx+1/iasEmGFJrNGNY7/KyFUi > yKcs04DJSVi9O3zc/tmFcPAXrC13lhP9ONuBeP5PbJ9R/jbIGzxgxv85lj6kfNy2 > bVq1W9YbmzPgORXIZqGNeYXmEcHrou8Qb4xgP9fh1GFuXUy6YiNb0C/ECkqGewHk > 8hjoEm5/QjD5BitdqDr32n2GmOpXjs9/15Ae0JTBGGHSGNAD+A/HQ6gk/9aPt1q/ > KRJW0ZW118hPLltjuNo99eBD2BTpeaNE1JZ0xic/RV4HhYL28Ivu+qCfpaLHxENG > zF/gNk5PkdbKJhjXoOizXj9q8YwPP60IKYrteN0+TPHSzayscVTn2s4oSi2YlxbE > xHfWSbp+Xqo14f2E+0rSTor44UdRFcOg2UHB+2roCbgN2+Ta+SQRtlEXO+7ehrpN > 60LFS7HPTK7GNaVYvmFvSZxDHpLaZymxvYHRpGwiP/x2T75Ceg9XoUnl4iGdMiIO > jo/C+8sXF1Oa8PNHtA+d5bpqh4duELsDGNjV9R9EKNRBUlrVdMdGhjuhhzk3JSsa > TL/u47RoSd4nQYdOPdUgBHZlLVqchBKqrM0lPoYTebRRTxi5Ns9kMFHvrzssLJxy > a25Kb7ATBBPJ8HsEoxNI > =XUBP > -END PGP SIGNATURE- Didn't change anything. Still getting a failed to synchronize cache for repo error -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/25a37fda-824d-4564-8257-595d26bb8eb3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] vif in user ProxyVM?
I'm trying to create a ProxyVM of my own, to replace sys-firewall. I'm on 3.2rc2-testing. When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, but no vif interface appears. There are iptables entries for 10.137.4.*, so the firewall mechanism seems to be doing (part of) it's thing, but with no vif device itself. /proc/net/dev on my ProxyVM shows only eth0 and lo, whereas on the sys-firewall it shows eth0, lo, and a vif interface. dmesg (on debian-8) shows: [1.257473] xenbus_probe_frontend: Device with no driver: device/vif/0 [1.257661] Magic number: 1:252:3141 ... But no further reference to vif. Whereas on sys-firewall, dmesg shows: [1.277519] xenbus_probe_frontend: Device with no driver: device/vif/0 [1.277687] Magic number: 1:252:3141 ... [ 33.337886] IPv6: ADDRCONF(NETDEV_UP): vif105.0: link is not ready [ 43.258766] vif vif-105-0 vif105.0: Guest Rx ready [ 43.258813] IPv6: ADDRCONF(NETDEV_CHANGE): vif105.0: link becomes ready -- What am I missing? Is there something in dom0 or in the ProxyVM's start scripts I need to configure the vif interface, so I can do some Proxyin'? I thought I recalled creating my own ProxyVM in 3.1 to check it out, and I *thought* the vif appeared automatically, but I could be mistaken about that. I did some Googling and reading of xen networking pages, but am quite lost as to why this interface isn't showing up (other than the mentio nof device/vif/0 in dmesg). The Qubes networking page wasn't particularly helpful: > Firewall and Proxy VMs > > TODO :) Thanks. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/37ab7e172cc0de1fe99d859f7c0bad8c.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
[qubes-users] /rw/config/rc.local on debian-8
/rw/config/rc.local doesn't seem to be run on startup in debian-8 (3.2-testing). What is supposed to launch this? systemd, another startup script, or something dom0-related? I added "/rw/config/rc.local" to "/etc/rc.local" and it works, but was wondering what might be the official way to do this, and if this is a bug. Thanks. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6b6f56508f5e9769cf1c77eac80bffbf.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Fedora 23 template not updating - with a blank screen
It seems that the updates on dom0 are also affected: sudo qubes-dom0-update Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time... Running command on VM: 'sys-firewall'... Checking for dom0 updates... Last metadata expiration check: 1 day, 16:07:48 ago on Sat Aug 20 22:40:37 2016. Dependencies resolved. Nothing to do. Sending application list and icons to dom0 Complete! Yum command has been deprecated, redirecting to '/usr/bin/dnf check-update'. See 'man dnf' and 'man yum2dnf' for more information. To transfer transaction metadata from yum to DNF, run: 'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate' Qubes OS Repository for Dom0 68 MB/s | 151 kB 00:00 Yum command has been deprecated, redirecting to '/usr/bin/dnf -q check-update'. See 'man dnf' and 'man yum2dnf' for more information. To transfer transaction metadata from yum to DNF, run: 'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate' Sent using GuerrillaMail.com Block or report abuse: https://www.guerrillamail.com/abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/38a37ad523cdc9f2e77b5b17de8d6fea6976%40guerrillamail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Fedora 23 template not updating - with a blank screen
I managed to complete the updates after 45m, I followed your suggestion and bounced the template VM and rerun the 'dnf update --refresh' command, however the issue persists - the same painful slowness while fetching the repositories: [root@fedora-23 ~]# dnf update --refresh RPM Fusion for Fedora 23 - Free 1.8 MB/s | 457 kB 00:00 RPM Fusion for Fedora 23 - Nonfree - Updates 546 kB/s | 57 kB 00:00 RPM Fusion for Fedora 23 - Free - Updates 0% [ ] --- B/s | 0 B --:-- ETA Sent using GuerrillaMail.com Block or report abuse: https://www.guerrillamail.com/abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/80487c11d0b3debe63a24fc63c362acef463%40guerrillamail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 23 template not updating - with a blank screen
48juya+35xih7kuzgagg via qubes-users: > It seems that doing a 'dnf update --refresh' it provides some output but > updating the repositories is taking forever: > > [root@fedora-23 ~]# dnf update --refresh > RPM Fusion for Fedora 23 - Nonfree > 1.1 MB/s | > 156 kB 00:00 > RPM Fusion for Fedora 23 - Free > 3.8 kB/s | > 457 kB 02:00 > Qubes OS Repository for VM (updates) > 1.0 MB/s | > 286 kB 00:00 > Fedora 23 - x86_64 - Updates > 199 kB/s | > 24 MB 02:03 > > > Its hanging for more than 15m now, any ideas how to solve this? Coincdentally, this occurred to me about 20 minutes ago. Restarting the fedora-23 TemplateVM and trying to update again fixed it for me. Might have been a server issue on Fedora's end. -Jeremy Rand -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e39a5b17-d83a-977e-a760-2125c24d2d3b%40airmail.cc. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2016-08-21 16:43, nishiwak...@gmail.com wrote: > > Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On > > 2016-08-21 04:02, nishiwak...@gmail.com wrote: > Any help to configure sys-firewall would be also really appreciated. > I got this annoying pop-up when I click on "Firewall rules" tab under > the sys-firewall proxyVM settings : > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM! > > You may edit the 'sys-firewall' VM firewall rules, but these will > not take any effect until you connect it to a working Firewall VM." > > Only subject related to this problem I found is this message from > Unman on Qubes-users group : > > "When you configure the firewall rules for a vm those rules are > applied ON THE FIREWALL to which the vm is attached. So the error > message you get is entirely accurate - your firewall is not attached > to a firewall and so the rules cannot be applied. Of course you COULD > configure a firewall between the fw and the netvm but the same > consideration would apply to THAT fw. There's no reason why you cant > configure the fw iptables by hand if you want to: you can use > /rw/config/qubes-firewall-user-script to have these rules applied > automatically." > > Ok so here's what I understand from this message : this proxyVM > Firewall is probably working but rules don't apply because it is > attached to a NetVM, which don't have any firewall policies by > default. > > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation > says : "Every VM in Qubes is connected to the network via a > FirewallVM, which is used to enforce network-level policies. By > default there is one default Firewall VM, but the user is free to > create more, if needed." > > And then you got explanations on how to edit rules in a specific VM > for a given domain. > > So I understand you have to edit rules on a AppVM to open up ports > there, but I mean not everyone running Qubes OS is highly graduated > in IT and network routing. > > I find quite disappointing that the official documentation don't > mention more clearly how to set up the default sys-firewall proxyVM, > like if you are supposed to check either "Deny network access > except" or "Allow network access except" button or if that doesn't > matter, if those policies won't apply anyway because of this > pop-up... > > > > > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even > > there. > > > > Suppose you have an AppVM in which you want to enforce specific firewall > > rules. You should go into the VM settings for *that VM*, then the "Firewall > > rules" tab, then configure your firewall rules there. These firewall > > rules are then *enforced by* sys-firewall under the hood. Enforcing these > > rules for other VMs is sys-firewall's raison d'être. > > > > By default, there is only one VM with this job: sys-firewall. Therefore, > > there is no other VM that can perform this job *for* sys-firewall. But > > that's not a problem, because there's usually no reason to specify firewall > > rules for sys-firewall itself anyway. (Besides, you're free to create as > > many ProxyVMs as you like an chain them together.) > > > > > > Ok, thank you very much for your help. Unfortunately I still have great > > difficulties to open up port 443 or 80 on an AppVM. > > > > I have read this comment on another thread from Alex Dubois saying : > > > > "A diagram in the wiki would help people understand. > > > > For now: A packet comming from the outside has a sourceIP of the > > workstation on the LAN that issued it or the router that routed the packet > > into your LAN and a destinationIP of your netVM externalIP (probably > > 192.168.0.x). The NetVM iptables rules are going to transform it to a > > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM > > iptables rule are going to transform it to a packet with a desktinationIP > > of your AppVM (10.137.2.16)." > > > > I completely agree with him, a diagram would really help. I don't get why > > documentation don't address the routing basics stuff that isn't really > > basic for newbies, for random people. > > The documentation is largely a volunteer effort. I'm afraid we simply don't > have the workforce to make all necessary and desirable improvements to the > documentation. We would love it if someone would submit a pull request adding > such a diagram or, in general, improving that page. > > > I like a lot Qubes, this is an awesome OS, but far too complicated for > > mister everyone. I am at the point right now where frustration becomes > >
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > The documentation is largely a volunteer effort. I'm afraid we simply don't > have the workforce to make all necessary and desirable improvements to the > documentation. We would love it if someone would submit a pull request adding > such a diagram or, in general, improving that page. I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least, with people of my country sharing my own language, if you don't mind, because Qubes documentation looks like imo being written mostly by native english users that don't seem to care much for non-native english users being lost. I would this way really like to participate to some translation effort, as I don't necessarily think you can enter easily those quite complicated notions with your non-native language. Qubes documentation being largely a volonteer effort doesn't make it immune to the critics, and mine is that people spending this valuable time to share their knowledge to make people enter quite long and complicated procedures should consider that : 1) Explaining how to do port forwarding without adressing or refering to basic knowledge upon this concept leads to frustration, as you necessarily need to understand a bit what's going on in order to adapt the procedures. 2) Even if I think people mostly appreciate and are thankful to the Qubes community developpment for the incredible security improvement Qubes OS brings to everyone and that makes Qubes OS probably the best OS I know so far, when security isolation somehow puts you in cage where you encounter difficulties to communicate with rest of the world, well that's not the goal per se :p > Sorry, this is beyond my knowledge. My own use of Qubes (as a regular user) > has never occasioned the need to port forward to a VM from the outside world. > Perhaps it's worth appreciating that what you're attempting to do is somewhat > advanced, and therefore you should not expect it to be extremely simple. In > any case, I hope someone knowledgeable about networking will chime in to help > you with this. No problem, thank you for your help. I hope someone might give me some advices on this problem, but I am already trying to learn on iptables, as it looks like you can't unblock ports using only Qubes firewall, you have to understand these iptables scripts ^^ > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJXulK8AAoJENtN07w5UDAwKRgP/3qtwhSLXRCI03DqA76JMo2o > 2d24pqwjw9f/rX3ep36qHN1Y4iSSP/la/ze9dgoWPnyXakrB8R7olqasV2o4Z9+v > ZyLqSOKF6R2KPUSyl1vE6Tc4F6l068wOcQnNphq+tmZEHX8VFprYgkzchXCMj9fp > sVsU7Xk0prNXs/FWqxzPTJzbC7lPRuJ0OBTHdj8uvatJ6eeb6QxRI3hKWu2nXpCM > 7ugxLc8Lvy5Ntjp40DoQOMidSDU2WmNyUBAfrlUGjIXVxu7mzk45P67cPG5Zuvo9 > KchQgu44N4bgm2tdkHg248iyB/GzolsObs3BQCzadMz7E2jv8YVU8u0rAD41OGON > rDTqnDp5VEdo72iNijyZkXh+in/cmtAG9FY1JisTgeZhxTXJmMlzduDIaB2+QjBH > UBeU9DxeeXtthmYIlmoq40gbLUnEW4KkMfyky99vWZcUHnCzdVd9l12+PDJkIAF5 > N2la7fqnAh5ElsdT3nBzECb7C5CYtW3zFB/oEDrmsObinIF5E0ohPdwWnXn++jCF > kwurhgtReWPCxfd+JeIJTi3bQxE24pnPkTT4KYPcOloE9RHwGd5EsAIxkvbPb/po > aUn1edDzVtnoyrXa/FVODd0IxW9TjFq1RGk8d9mXPSb01fKrKIOUQXnhyfwiY5gK > sW6MaE08rTguFWY2Ng9q > =E9Mf > -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b4d805e9-e81a-422b-a8a2-67a5b2578091%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2016-08-21 16:43, nishiwak...@gmail.com wrote: > > Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On > > 2016-08-21 04:02, nishiwak...@gmail.com wrote: > Any help to configure sys-firewall would be also really appreciated. > I got this annoying pop-up when I click on "Firewall rules" tab under > the sys-firewall proxyVM settings : > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM! > > You may edit the 'sys-firewall' VM firewall rules, but these will > not take any effect until you connect it to a working Firewall VM." > > Only subject related to this problem I found is this message from > Unman on Qubes-users group : > > "When you configure the firewall rules for a vm those rules are > applied ON THE FIREWALL to which the vm is attached. So the error > message you get is entirely accurate - your firewall is not attached > to a firewall and so the rules cannot be applied. Of course you COULD > configure a firewall between the fw and the netvm but the same > consideration would apply to THAT fw. There's no reason why you cant > configure the fw iptables by hand if you want to: you can use > /rw/config/qubes-firewall-user-script to have these rules applied > automatically." > > Ok so here's what I understand from this message : this proxyVM > Firewall is probably working but rules don't apply because it is > attached to a NetVM, which don't have any firewall policies by > default. > > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation > says : "Every VM in Qubes is connected to the network via a > FirewallVM, which is used to enforce network-level policies. By > default there is one default Firewall VM, but the user is free to > create more, if needed." > > And then you got explanations on how to edit rules in a specific VM > for a given domain. > > So I understand you have to edit rules on a AppVM to open up ports > there, but I mean not everyone running Qubes OS is highly graduated > in IT and network routing. > > I find quite disappointing that the official documentation don't > mention more clearly how to set up the default sys-firewall proxyVM, > like if you are supposed to check either "Deny network access > except" or "Allow network access except" button or if that doesn't > matter, if those policies won't apply anyway because of this > pop-up... > > > > > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even > > there. > > > > Suppose you have an AppVM in which you want to enforce specific firewall > > rules. You should go into the VM settings for *that VM*, then the "Firewall > > rules" tab, then configure your firewall rules there. These firewall > > rules are then *enforced by* sys-firewall under the hood. Enforcing these > > rules for other VMs is sys-firewall's raison d'être. > > > > By default, there is only one VM with this job: sys-firewall. Therefore, > > there is no other VM that can perform this job *for* sys-firewall. But > > that's not a problem, because there's usually no reason to specify firewall > > rules for sys-firewall itself anyway. (Besides, you're free to create as > > many ProxyVMs as you like an chain them together.) > > > > > > Ok, thank you very much for your help. Unfortunately I still have great > > difficulties to open up port 443 or 80 on an AppVM. > > > > I have read this comment on another thread from Alex Dubois saying : > > > > "A diagram in the wiki would help people understand. > > > > For now: A packet comming from the outside has a sourceIP of the > > workstation on the LAN that issued it or the router that routed the packet > > into your LAN and a destinationIP of your netVM externalIP (probably > > 192.168.0.x). The NetVM iptables rules are going to transform it to a > > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM > > iptables rule are going to transform it to a packet with a desktinationIP > > of your AppVM (10.137.2.16)." > > > > I completely agree with him, a diagram would really help. I don't get why > > documentation don't address the routing basics stuff that isn't really > > basic for newbies, for random people. > > The documentation is largely a volunteer effort. I'm afraid we simply don't > have the workforce to make all necessary and desirable improvements to the > documentation. We would love it if someone would submit a pull request adding > such a diagram or, in general, improving that page. > > > I like a lot Qubes, this is an awesome OS, but far too complicated for > > mister everyone. I am at the point right now where frustration becomes > >
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2016-08-21 16:43, nishiwak...@gmail.com wrote: > > Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On > > 2016-08-21 04:02, nishiwak...@gmail.com wrote: > Any help to configure sys-firewall would be also really appreciated. > I got this annoying pop-up when I click on "Firewall rules" tab under > the sys-firewall proxyVM settings : > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM! > > You may edit the 'sys-firewall' VM firewall rules, but these will > not take any effect until you connect it to a working Firewall VM." > > Only subject related to this problem I found is this message from > Unman on Qubes-users group : > > "When you configure the firewall rules for a vm those rules are > applied ON THE FIREWALL to which the vm is attached. So the error > message you get is entirely accurate - your firewall is not attached > to a firewall and so the rules cannot be applied. Of course you COULD > configure a firewall between the fw and the netvm but the same > consideration would apply to THAT fw. There's no reason why you cant > configure the fw iptables by hand if you want to: you can use > /rw/config/qubes-firewall-user-script to have these rules applied > automatically." > > Ok so here's what I understand from this message : this proxyVM > Firewall is probably working but rules don't apply because it is > attached to a NetVM, which don't have any firewall policies by > default. > > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation > says : "Every VM in Qubes is connected to the network via a > FirewallVM, which is used to enforce network-level policies. By > default there is one default Firewall VM, but the user is free to > create more, if needed." > > And then you got explanations on how to edit rules in a specific VM > for a given domain. > > So I understand you have to edit rules on a AppVM to open up ports > there, but I mean not everyone running Qubes OS is highly graduated > in IT and network routing. > > I find quite disappointing that the official documentation don't > mention more clearly how to set up the default sys-firewall proxyVM, > like if you are supposed to check either "Deny network access > except" or "Allow network access except" button or if that doesn't > matter, if those policies won't apply anyway because of this > pop-up... > > > > > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even > > there. > > > > Suppose you have an AppVM in which you want to enforce specific firewall > > rules. You should go into the VM settings for *that VM*, then the "Firewall > > rules" tab, then configure your firewall rules there. These firewall > > rules are then *enforced by* sys-firewall under the hood. Enforcing these > > rules for other VMs is sys-firewall's raison d'être. > > > > By default, there is only one VM with this job: sys-firewall. Therefore, > > there is no other VM that can perform this job *for* sys-firewall. But > > that's not a problem, because there's usually no reason to specify firewall > > rules for sys-firewall itself anyway. (Besides, you're free to create as > > many ProxyVMs as you like an chain them together.) > > > > > > Ok, thank you very much for your help. Unfortunately I still have great > > difficulties to open up port 443 or 80 on an AppVM. > > > > I have read this comment on another thread from Alex Dubois saying : > > > > "A diagram in the wiki would help people understand. > > > > For now: A packet comming from the outside has a sourceIP of the > > workstation on the LAN that issued it or the router that routed the packet > > into your LAN and a destinationIP of your netVM externalIP (probably > > 192.168.0.x). The NetVM iptables rules are going to transform it to a > > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM > > iptables rule are going to transform it to a packet with a desktinationIP > > of your AppVM (10.137.2.16)." > > > > I completely agree with him, a diagram would really help. I don't get why > > documentation don't address the routing basics stuff that isn't really > > basic for newbies, for random people. > > The documentation is largely a volunteer effort. I'm afraid we simply don't > have the workforce to make all necessary and desirable improvements to the > documentation. We would love it if someone would submit a pull request adding > such a diagram or, in general, improving that page. > I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least, with people of my country sharing my own