Re: [qubes-users] How to split into two gateways
> Can someone please tell me if you were able to achieve the following?
> - Have two NICs handling two separate sys-net
> - Behind each sys-net their own firewall
> - behind the firewalls their own set of VMs.

Yes, the machine I am on has this setup. Both sys-net VMs have a dedicated NIC PCI passed through to them. They each have a sys-firewall, which each has VMs on it. I cloned the original sys-net, but if you follow the instructions for creating a new one, it should work fine.

> I was able to handle the firewall rules and everything else but I cannot make
> it work to have 2 sys-net each handling a NIC separately. Can someone please
> tell me step by step how you achieved that?

Try just doing the passthrough first. If you can get the NICS to show up in `lspci` in the two sys-nets and configure networking so you can ping out.

Command to attach the NIC: `qvm-pci attach sys-net2 dom0:`. PCI-address can be found in the output of `qvm-pci`.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8451224f-59f5-fe85-b35e-3d08413dd8e4%40undef.tools.
Re: [qubes-users] better solution to configure firewall rules?
On 6/22/20 9:19 PM, verifiablel...@86.is wrote:
> cat ips.txt | while read line; do qvm-firewall appvm-name add
> --before 0 accept dsthost=$line; done

Thank you! I'll look into qvm-firewall and then write a little script to parse the downloaded file and fire off the respective calls.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
Re: [qubes-users] better solution to configure firewall rules?
On 2020-06-22 16:37, Sven Semmler wrote:
> Is there a better way for me to import the ranges from
> https://api.github.com/meta or any other such configuration and import
> them into a qubes firewall rules?

You can add firewall rules from Dom0. I've got a one-liner that will read IPs from a file and add them to the firewall of an AppVM.

WARNING, once you edit the firewall rules "manually" from within Dom0, you can no longer edit them from within the GUI. So, I recommend making a copy of your AppVM to test with before running it for real.

The script:

    cat ips.txt | while read line; do qvm-firewall appvm-name add --before 0 accept dsthost=$line; done

Where:
ips.txt is a text file containing a list of ip addresses, one per line.
appvm-name is the name of the AppVM you want to add the rules to.

Note that this script will add each IP "before 0" (meaning, at the top of the rule list). Also note that this is set to "accept" connections from all of the IPs. If either of these things is not what you want, you'll need to edit it accordingly.
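Added example, not part of the thread: the address list in `ips.txt` is downloaded data that ends up on a dom0 command line, so this sketch checks that each line is a plain IPv4 address or CIDR range before building the `qvm-firewall` call shown in the post above. It only prints the commands; the function names and sample addresses are constructed for illustration, and the check is IPv4-only, so IPv6 entries are rejected.

```sh
#!/bin/sh
# Added example (not from the thread). Validates each entry before building a
# qvm-firewall call. "appvm-name" is the placeholder name used in the post.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    entry=$1
    case $entry in
        ''|*[!0-9./]*|*/*/*) return 1 ;;   # empty, stray character, two slashes
    esac
    case $entry in
        */*)
            prefix=${entry#*/}
            case $prefix in ''|???*|0?*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1 ;;
    esac
    rest=${entry%%/*}.
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        # Reject empty octets, more than three digits, and leading zeros.
        case $octet in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Read entries on stdin and print one qvm-firewall command per valid entry.
# Nothing is executed; rejected lines go to stderr.
build_rules() {
    vm=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if is_ipv4_cidr "$line"; then
            printf 'qvm-firewall %s add --before 0 accept dsthost=%s\n' "$vm" "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample list: documentation ranges plus three malformed lines.
sample_list() {
    cat <<'EOF'
# constructed sample input
192.0.2.0/24
198.51.100.7
300.1.1.1
192.0.2.0/40
203.0.113.5 extra-words
EOF
}

sample_list | build_rules appvm-name
```

With the unquoted `$line` of the one-liner, a line containing spaces would be split into extra `qvm-firewall` arguments; here such a line is rejected before any command is built.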
Re: [qubes-users] installing qubes
On 6/22/20 7:44 PM, 'Jon will' via qubes-users wrote:
> I have the OS of my dreams!

This is not said nearly often enough! Thanks Qubes Team!

/Sven
Re: [qubes-users] installing qubes
GOT IT! Now the only thing I need to do is get HVMs working and I have the OS of my dreams! Thanks!
[qubes-users] "Qubes Architecture Next Steps: The New Qrexec Policy System" by Marek Marczykowski-Górecki & Marta Marczykowska-Górecka
Dear Qubes Community,

A new article has just been published on the Qubes website:

"Qubes Architecture Next Steps: The New Qrexec Policy System"
by Marek Marczykowski-Górecki & Marta Marczykowska-Górecka
https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/

The original Markdown source is included below:

---
layout: post
title: "Qubes Architecture Next Steps: The New Qrexec Policy System"
categories: articles
author: Marek Marczykowski-Górecki, Marta Marczykowska-Górecka
---

This is the second article in the "What's new in Qubes 4.1?" series. You can find the previous one (about GUI Domains) [here](https://www.qubes-os.org/news/2020/03/18/gui-domain/). While the introduction of GUI domains is a big, singular feature, the changes to qrexec are more complex and varied --- but also very important.

## What is qrexec?

You might have been using Qubes for a while and never encountered the word "qrexec," but it is one of the crucial components in the system. Qubes provides isolation and compartmentalization. Separate qubes are separate worlds, and what the user does in one qube should not impact another qube. That is, of course, not realistic. In the real world, we often need and want to do things like copying and pasting, sending files, routing internet traffic, and simply synchronizing the time.

This is where qrexec comes in: It is an RPC (remote procedure call) mechanism that allows one qube to do something inside another qube. Of course, allowing everything all the time would be extremely dangerous. Thus, a part of qrexec called "qrexec policy" is also used to enforce who can do what and where. Furthermore, we want to be able to audit what was done, and this is provided with the logging capabilities of qrexec. The *how* is controlled by qrexec services, which are executed by qrexec and also must be designed in a secure and resilient way. This post focuses mainly on qrexec itself, but qrexec services will make a brief appearance.

## Overview of changes

*Most of this post will be very technical. If you don't care about writing your own qrexec policies and services, feel free to just read this overview.*

Before we get into nitty-gritty technical details, here's a brief, less technical overview of Qubes 4.1 qrexec changes and what they mean for users and developers:

- A new qrexec policy format. (The old format is still supported, but the new one is very much superior, allowing for easier-to-read policies, more qube-centered customization, better auditing, and more.)
- Big performance improvements: bigger data chunk sizes for faster transfers of large amounts of data, qrexec policy daemon for faster policy evaluation and call setup, resulting in up to seven-fold faster qrexec service calls.
- Support for socket services: better performance for services that can use a socket-based implementation with significantly faster setup and connection times.
- Policy notifications that make any abnormal behavior easier to detect and any problems resulting from incorrect permissions easier to solve.

There is one other big upcoming change (which is not yet fully implemented and will arrive after Qubes 4.1): We are working on a qrexec policy API, that is, a set of qrexec services that will allow for managing qrexec policies without manually editing policy files. It's another step toward separating the user from dom0 and protecting the vulnerable system internals by isolating them from the outside world to the greatest extent possible.

## New policy format

In Qubes 4.0 and earlier, policies were stored as multiple files, one for each service. While changing permissions for a single action was easy, managing permissions for an entire qube was very cumbersome. The new Qubes 4.1 policy format completely overhauls this approach and introduces several convenience features to make policy management easier and more secure.

What if you've already spent time carefully crafting your policies in Qubes 4.0? Don't worry. The old policy format will still be supported until at least Qubes 5.0. You can find details of the development of the new policy format [here](https://github.com/QubesOS/qubes-issues/issues/4370).

### Policy files

The biggest difference between the old and new policy formats is that, under the new format, the entire policy is a single entity. It is not divided into separate, per-service fragments. While it can be stored in multiple files located in multiple places, the files are equivalent, and each can describe policies for multiple services. In other words, we are moving from a set of tables to one big, flat table.

The policy files, stored previously in `/etc/qubes-rpc/policy/`, are now located in `/etc/qubes/policy.d/`. Furthermore, each file must have a `.policy` extension, and any temporary files will no longer cause issues.

Under the old format, there were dozens of files: ``` /etc/qubes-rpc/policy/ ├─
[qubes-users] Mounting Network Shares
Hi

When I mount a samba share, if it matters from where I will share, inside an AppVM the mount is mounted, I suspect, as 'user'. Yes root is doing the mount, but I think the user that is used to connect to the network share is the uid of the logged in user which is by default user and I don't think that can be changed.

If I need to mount the network share as user xyz, because user xyz has certain permissions, is there a way to do that?

Regards
[qubes-users] better solution to configure firewall rules?
Hi,

I find myself manually entering the IP ranges from https://api.github.com/meta into the firewall rules of my 'dev' qube. Obviously this is tedious.

Is there a better way for me to import the ranges from https://api.github.com/meta or any other such configuration and import them into a qubes firewall rules?

/Sven
[qubes-users] How to split into two gateways
Hey guys,

I'm working on my 2nd qubes machine but this task I could never figure out on the first one to begin with.

Can someone please tell me if you were able to achieve the following?
- Have two NICs handling two separate sys-net
- Behind each sys-net their own firewall
- behind the firewalls their own set of VMs.

I was able to handle the firewall rules and everything else but I cannot make it work to have 2 sys-net each handling a NIC separately. Can someone please tell me step by step how you achieved that?

Thanks a bunch
Matt
Re: [qubes-users] Debian10 - Reading From Proxy Failed
On Mon, Jun 22, 2020 at 04:54:18PM +, 'Matt Drez' via qubes-users wrote:
> Reading from proxy failed - read (104: Connection reset by peer) [IP:
> 127.0.0.1 8082]

try ...

    qrexec-client-vm '$default' qubes.UpdatesProxy

... and/or ...

    (echo -e 'GET http://google.com/ HTTP/1.1\n\n' ; sleep 5) | qrexec-client-vm '$default' qubes.UpdatesProxy
[qubes-users] Debian10 - Reading From Proxy Failed
Hey guys,

I'm working on my 2nd Qubes machine and this one is giving me a hell of a ride. My debian based templates are no longer updating. It did work after the fresh install but during setting things up at some point it stopped. I'm not sure at what step so I couldn't backtrack. Fedora 31 still works but not debian.

I tried reinstalling it (`sudo qubes-dom0-update --action=reinstall qubes-template-package-name`) but that made no difference. I tried adding all the Services under settings that had 'proxy' in their name but that didn't work either.

Any ideas how to fix it? Please, see outputs below

    user@debian-10:~$ sudo apt update
    Err:1 https://deb.qubes-os.org/r4.0/vm buster InRelease
      Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    Err:2 https://deb.debian.org/debian buster InRelease
      Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    Err:3 https://deb.debian.org/debian-security buster/updates InRelease
      Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    All packages are up to date.
    W: Failed to fetch https://deb.debian.org/debian/dists/buster/InRelease  Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    W: Failed to fetch https://deb.debian.org/debian-security/dists/buster/updates/InRelease  Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    W: Failed to fetch https://deb.qubes-os.org/r4.0/vm/dists/buster/InRelease  Reading from proxy failed - read (104: Connection reset by peer) [IP: 127.0.0.1 8082]
    W: Some index files failed to download. They have been ignored, or old ones used instead.
Re: [qubes-users] Weird Windows Install Error
> It's not an uncommon error.
> Try the obvious - go in to the qube settings, and change VCPU to

Thanks. That helped to install it but I'd like to run it with more than one core. Do you have a solution for that? It's still a BSOD after install if I try to give more than one core.
Re: [qubes-users] qubes installation problem on MS-16R3
> I'm having this installation issue when trying to Install Qubes on a MSI
> Laptop

Can we get a little more info on the laptop? CPU, GPU, etc.

> [image: qubes_error.png]
> How should I find out how to continue the installation (if there is any
> chance) ?

Could you provide output of `dmesg` in a terminal while installing? (ctl-alt-f2 for TTY2)

Also have a look at the logs in `/tmp/` and `/var/log/`, specifically the Xorg logs. If you need to get a file off, the installer will detect and allow you to mount another USB drive to copy them to.