Re: [qubes-users] Logging Drop Packets

2019-03-11 Thread Laszlo Zrubecz

On 3/9/19 2:58 AM, unman wrote:
> Why do you say this? It's far from my experience.
> 
> If you use a minimal Debian template for firewall, then there are 
> only iptables rules. It's trivial in that case to add logging. You 
> can also implement this by use of appropriate scripts in rc.local 
> and /rw/config if you want logging from the start.

Well, these are the hardcoded rules used by Qubes:

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target       prot opt in    out   source     destination
> 2160K 1969M ACCEPT       all  --  *     *     0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
> 28727 2456K QBS-FORWARD  all  --  *     *     0.0.0.0/0  0.0.0.0/0
>     0     0 DROP         all  --  vif+  vif+  0.0.0.0/0  0.0.0.0/0
> 28727 2456K ACCEPT       all  --  vif+  *     0.0.0.0/0  0.0.0.0/0
>     0     0 DROP         all  --  *     *     0.0.0.0/0  0.0.0.0/0

As the logging in iptables is implemented as a separate jump target,
and you can only have one jump target in a rule, if you want to
log something, you have to create 2 similar rules with the same
filters, but with different actions, as you need to place the logging
rule first, then your desired action just after the logging rule. Right?

However iptables rules can be easily added only in front of the
current rules, or after all the existing rules. If you want to add
something in between, you have to calculate the rule numbers - which
is far from trivial.

So one option is to replace the whole ruleset by your own, however you
have to be compatible with the qubes solution otherwise you lose the
default features.

Or you have to parse the qubes generated rules, and insert the logging
ones as you need.


"log everything" is just simply not implemented in iptables, because
to get meaningful logs, you need to use the log-prefix to see if the
logged packet is going to be dropped/accepted/rejected in the next rule.

Logging just the default drops at the end of the FORWARD chain might
be easier, as you just have to modify the hardcoded default ruleset.


> I find the Qubes firewall very customisable, and relatively easy to
> manipulate as needed.

Well, I wouldn't call it customisable, as you have to choose between
the very basic features of the qubes provided firewall implementation,
OR you need to create your custom solution.


Not to mention the "always there" style of the DNS NAT, and the ICMP
traffic...


By using nftables it would be a lot easier. The main confusion is if
both are in place, which is not a recommended way. And you most
likely have to place rules using both frameworks... So I'm really not
sure why we would need both?

-- 
Laszlo Zrubecz

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0125d06c-c6e4-a6ba-d51d-c9cd0d6f4802%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
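
The rule-number bookkeeping discussed in the message above, as an added example that is not part of the original thread: it reads a chain in `iptables -S` format and prints the insert commands that put a LOG rule, with a distinguishing log prefix, directly in front of each DROP rule. The helper name `gen_log_rules` and the prefix format are assumptions, and the sample rules are constructed to mirror the FORWARD listing quoted in that message.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads `iptables -S <chain>` output on stdin and prints the insert commands
# that place a LOG rule directly in front of every DROP rule in that chain.

gen_log_rules() {
    chain="$1"
    awk -v chain="$chain" '
        # Only appended rules of this chain count toward rule numbers;
        # the "-P" policy line has no number.
        $1 == "-A" && $2 == chain {
            n++
            if ($NF == "DROP" && $(NF-1) == "-j") {
                # Rebuild the match part (everything between chain and -j)
                # so the LOG rule uses the same filters as the DROP rule.
                match_part = ""
                for (i = 3; i <= NF - 2; i++) match_part = match_part " " $i
                # Each earlier insert shifts the later rules down by one.
                pos = n + inserted
                printf "iptables -I %s %d%s -j LOG --log-prefix \"%s-DROP-%d: \"\n", chain, pos, match_part, chain, n
                inserted++
            }
        }
    '
}

# Constructed sample: the FORWARD chain from the listing, in -S format.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP'

# Print the commands for review; nothing is applied to the live ruleset.
printf '%s\n' "$SAMPLE_RULES" | gen_log_rules FORWARD
```

The printed positions are valid only for the ruleset that was read and only when the commands are applied in the printed order; regenerate them whenever the chain changes.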


[qubes-users] HCL - Lenovo ThinkPad X1 Yoga 2016 (20FRS2BP00)

2019-03-11 Thread 'wintermute' via qubes-users

Hi,

just set up Qubes R4.0.1 on a ThinkPad X1 Yoga (1st Gen) using UEFI boot. 
Despite other reports, screen brightness works correctly right away. Touchscreen 
did work during installation but stopped working afterwards when I enabled 
sys-usb. This could easily be fixed by installing qubes-input-proxy for 
sys-usb, then allowing qubes.InputTablet to send data to dom0.

--wintermute



Re: [qubes-users] Structure of qubes

2019-03-11 Thread acharya . sagar . sagar5
I tried booting up with just the APU plugged in and found out that the recent 
kernel is also not compatible with the APU providing the graphics. My 
sys-firewall and sys-whonix wouldn't start.

I went back to square 1, installing NVIDIA drivers in dom0 with rpm and found 
that earlier I was using the wrong kernel-devel tool. Installed 
kernel-latest-vm 4.20.3-1 which upgraded the kernels of my fedora template and 
installed the compatible kernel-latest-devel.

When executing,

sudo rpmbuild --nodeps -D "kernels 4.20.3-1.pvops.qubes.x86_64" --rebuild nvidia-kmod-410.66-1.fc29.src.rpm

I get the following

error: Package has no %description: kmod-nvidia-4.20.3-1.pvops.qubes.x86_64

Checked the spec file in rpmbuild folder and it contains %description line
And I do not see any file named kmod-nvidia-4.20.3-1.pvops.qubes.x86_64 
anywhere. Please help.



Re: [qubes-users] Issues after Installation

2019-03-11 Thread Joe Ragno
So after enabling Virtualization, I get a new error on the sys-net and
sys-firewall that reads:
Domain sys-net has failed to start: internal error: libxenlight failed to
create new domain 'sys-net'

On Sat, Mar 9, 2019 at 8:32 PM unman wrote:

> On Fri, Mar 08, 2019 at 10:59:11PM -0800, jra...@delphihealthgroup.com wrote:
> > I'm not quite sure why however after transferring qubes to my hp probook
> > 11 it will not start any domains at all and every time I get an error
> > message that says:
> >
> > "Qube Status: sys-net
> >
> >  Domain sys-net failed to start: invalid argument: could not find
> > capabilities for arch=x86_64"
> >
> > Also, when clicking the Applications button in the top left corner of
> > the screen and hovering over a domain or template my only option available
> > is Qube Settings.
> >
> > Please help!
>
> The usual cause is that you don't have VT-x enabled: check the BIOS
> and make sure that you have all virtualisation options enabled.
>
> unman
>



Re: [qubes-users] having to Install and run software twice?

2019-03-11 Thread Stuart Perkins



On Fri, 8 Mar 2019 16:31:48 -0600
Daniel Allcock  wrote:

>Hi Stuart,
>
>Just a guess, but perhaps this is it.  I assume you are using
>dnf install in the usual way, not anything exotic.
>
>When you install software in the template, the AppVm doesn't "notice"
>until you restart it.  Furthermore, it won't see the new software
>unless you shut down the template before you restart the appvm.  So
>the procedure is: install software in the template, then shut down
>the template, then restart the appvm.
>
>This can be troublesome if you are in the middle of something and don't
>want to restart the appvm, but need some package. In that case you can
>go ahead and install in the appvm too.  Just understand that the
>installation in the appvm will be wiped out when the appvm is shut
>down.  (Although you won't notice, if it is installed in the template.)
>
>Daniel 
>
>On Fri, 8 Mar 2019 13:40:32 -0600
>Stuart Perkins  wrote:
>
>> On Fri, 8 Mar 2019 09:45:36 -0800 (PST)
>> chris.boscarin...@gmail.com wrote:
>>   
>> >Hi,
>> >Just a quick question. I install software into my template (Fedora,
>> >in this case) but when I try to run it from my "personal" qube, I
>> >must install it again in that qube, as well as run the program once
>> >in the template, then again in the "personal" qube. I don't see
>> >anything in the documentation about having to do this,  so I
>> >wondered if I was doing something incorrectly, or that's the correct
>> >procedure. Thanks. Chris
>> >
>> 
>> Depends on the software installation path.  Some software installs
>> under the user directories, which would NOT be copied from the
>> template to the appvm.
>>   
>

Yes, Daniel.  I was assuming the shutdown/restart sequence.  

When you start an appVM, it refreshes its copy of the software installation.  
Updating the template vm is not really complete until you shut it down after 
doing the updates/installs.  I probably should have specified that.  

If you do the indicated start template/install software/shutdown 
template/shutdown appvm/start appvm and the newly installed software is not 
there, it may be that the installation directory wound up somewhere other than 
the "normal" software path on the Template.  Some software has a habit of doing 
that...such as "tor browser" which installs in your /home/... path.

Normally, to install new software for an appvm:

Start the template used by the appvm.
Install the software in the template for the appvm.
Shut down the template.
If the appvm is running, shut it down.
Start the appvm to get a "fresh copy" of the installed software from the 
template.

Then you should be able to run the new software in the appvm.

Stuart



[qubes-users] Re: off topic - invite codes to 'riseup'

2019-03-11 Thread '1900' via qubes-users



Mr. DONG:
> Please can someone also send one to me!
> 
> Very, very appreciated!!
> 
> 
> Thank you a million!
> 

I don't have any but you might want to look at elude.in (you need Tor
Browser to access the real website). They offer an interesting email
service (for free) which is accessible from darknet and (almost
entirely) from clearnet as well.

Disclaimer:

* I'm not involved with elude.in
* I don't know if the service can really be trusted for sensitive
correspondence
* It's not the most reliable service: I've experienced downs



[qubes-users] transient appvm failed to start

2019-03-11 Thread pixel fairy
just got a pop up notification 

Qube Status: myvm
Domain myvm has failed to start: internal error: libxenlight failed to create 
new domain 'myvm'

myvm has existed and started fine for many months. trying it again worked. 

is this a known issue? should it be reported? if so, anything besides the logs 
in /var/log/qubes worth providing?



[qubes-users] Re: qubes-vm-settings error

2019-03-11 Thread seshu
On Sunday, March 10, 2019 at 12:47:25 AM UTC, seshu wrote:
> I recently updated dom0, after the xen vulnerabilities were identified, and 
> I'm coming across this error when I try to open Qubes Setting for any VM.
> 
> TypeError: 'NoneType' object is not subscriptable at line 9 of file 
> /usr/bin/qubes-vm-settings.
> 
> The Details are:
> 
> line: return self.virt_mode_list[self.virt_mode.currentIndex()]
> func: selected_virt_mode
> line no.: 842
> file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
> 
> line: old_mode = self.selected_virt_mode()
> func: update_virt_mode_list
> line no.: 870
> file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
> 
> line: self.update_virt_mode_list()
> func: __init_advanced_tab__
> line no.: 738
> file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
> 
> line: self.__init_advanced_tab__()
> func: __init__
> line no.: 181
> file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
> 
> line: settings_window = VMSettingsWindow(vm, qapp, args.tab)
> func: main
> line no.: 1269
> file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
> 
> line: load_entry_point('qubesmanager==4.0.29', 'console_scripts', 
> 'qubes-vm-settings')()
> func: 
> line no.: 9
> file: /usr/bin/qubes-vm-settings
> 
> Anyone else come across this? Any solution? I'm running 4.0.1
> 
> Thanks in advance.

Hi, after the recent update, I'm not getting the same error message as before, 
but I'm still unable to view my Qubes Settings from Qubes Manager. Now I'm 
getting a

AttributeError: 'VMSettingsWindow' object has no attribute 'dev_list' at line 9

Checking to see if anyone knows of this problem? Thanks!
