[qubes-users] Re: (is Eluktronnics a) Good choice laptop for Qubes?

2016-11-09 Thread raahelps
On Tuesday, November 8, 2016 at 2:14:36 AM UTC-5, Dave C wrote:
> I'm looking to upgrade my laptop and get something suitable for Qubes 4.  A 
> search for laptops with large RAM led me to Eluktronics brand.  It gets good 
> ratings on amazon, but I have not seen it mentioned here.
> 
> Here is (I believe) their smallest model, and if I understand correctly it 
> meets the reqs of Qubes 4:
> 
> https://www.amazon.com/dp/B01E3Q0K24/ref=psdc_13896615011_t3_B01G1JT7QG?th=1
> 
> The CPU: 
> http://ark.intel.com/products/88967/Intel-Core-i7-6700HQ-Processor-6M-Cache-up-to-3_50-GHz
> Qubes 4.x reqs: 
> https://www.qubes-os.org/news/2016/09/02/4-0-minimum-requirements-3-2-extended-support/
> 
> I thought it wise to ask here before ordering... Am I missing something that 
> makes it not a good choice?
> 
> I've read elsewhere 
> (http://www.onebigfluke.com/2016/10/alternatives-to-apple-computers.html) 
> about the importance of Thunderbolt 3, which I believe the model I link to 
> does not have.  But honestly I don't know the ins and outs of what hardware 
> makes a laptop the best choice.  I'm looking for a lightweight laptop that 
> offers high bang for buck.  And of course will work perfectly with Qubes.
> 
> Any strong opinions here about the Eluktronics brand specifically?  Or Qubes 
> laptop advice in general?  Thanks!
> 
> -Dave

oh u right u can look at manual see if it has a diagram of mobo.  But I didn't 
check if it has ps/2 port if it does can one assume the laptops keyboard is 
also ps/2?  I'm not 100%.  I would think so though.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/016bc9cc-d7e7-44a8-9145-cf3517d9f416%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: (is Eluktronnics a) Good choice laptop for Qubes?

2016-11-09 Thread raahelps
On Wednesday, November 9, 2016 at 11:17:10 AM UTC-5, martinsp.qubes wrote:
> On 09-11-2016 01:59, raahe...@gmail.com wrote:
> > On Tuesday, November 8, 2016 at 2:14:36 AM UTC-5, Dave C wrote:
> >> I'm looking to upgrade my laptop and get something suitable for Qubes 4.  
> >> A search for laptops with large RAM led me to Eluktronics brand.  It gets 
> >> good ratings on amazon, but I have not seen it mentioned here.
> >>
> >> Here is (I believe) their smallest model, and if I understand correctly it 
> >> meets the reqs of Qubes 4:
> >>
> >> https://www.amazon.com/dp/B01E3Q0K24/ref=psdc_13896615011_t3_B01G1JT7QG?th=1
> >>
> >> The CPU: 
> >> http://ark.intel.com/products/88967/Intel-Core-i7-6700HQ-Processor-6M-Cache-up-to-3_50-GHz
> >> Qubes 4.x reqs: 
> >> https://www.qubes-os.org/news/2016/09/02/4-0-minimum-requirements-3-2-extended-support/
> >>
> >> I thought it wise to ask here before ordering... Am I missing something 
> >> that makes it not a good choice?
> >>
> >> I've read elsewhere 
> >> (http://www.onebigfluke.com/2016/10/alternatives-to-apple-computers.html) 
> >> about the importance of Thunderbolt 3, which I believe the model I link to 
> >> does not have.  But honestly I don't know the ins and outs of what 
> >> hardware makes a laptop the best choice.  I'm looking for a lightweight 
> >> laptop that offers high bang for buck.  And of course will work perfectly 
> >> with Qubes.
> >>
> >> Any strong opinions here about the Eluktronics brand specifically?  Or 
> >> Qubes laptop advice in general?  Thanks!
> >>
> >> -Dave
> >
> > I never heard of this brand.
> > couldn't find a manual for that model but found this one.  
> > http://www.eluktronics.com/content/Manuals/P6x0RS%28G%29/P6x0RS-G_Manual.pdf
> >   Vt-d is enabled by default it looks like from the picture so thats a good 
> > sign.  Thats the most important thing to look for.  It also has tpm.
> >
> > only thing I would question is if the keyboard is ps2 controller, which I'd 
> > recommend.
> >
> 
> This looks like a rebranding of a Clevo model; found this site on this 
> side of the pond (Portugal) which have a similar model:
> 
> https://www.obsidian-pc.com/en/clevo-p640rf-laptop.html
> 
> You can have it with Elementary OS installed, so they may be mostly 
> compatible with Linux. Probably can ask them if really interested.
> 
> Never bought anything from them or knew them before so cannot vouch for 
> anything related to them; just FYI.
> -- 
> Pedro Martins

are you sure its not the other way around?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f3b353a7-2c71-4980-93db-53007ec73e20%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [feature request] Shutdown template after update

2016-11-09 Thread raahelps
I hope I'm not too offtopic but a gui option to shut down multiple vms at once 
would be cool. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ea416e8b-ae11-4fa6-ba0f-3d6c0d19404b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Secure Browsing - browserless?

2016-11-09 Thread raahelps
On Wednesday, November 9, 2016 at 4:20:06 PM UTC-5, '17'41783'10'4321^14''4389 
wrote:
> Hello,
> 
> no browserless - means you have no HTML at all any more!
> 
>Qt Banking-Portal
>  |
> Screensharing App (bank)
>|
>QubesOS (as a Secure Endpoint of the Bank)
>   |
> HW Firewall
>   | (web)  
> HW Firewall
>   |
>QubesOS (as a Secure Endpoint)
> |
> Screensharing App (me)
> 
> The screensharing has an very strong encryption enabled, so als long my 
> Endpoint is save and I assume that the banking-security is fine - I have now 
> no flaws from the browser technologies.
> 
> The browsers are a very nice sweet target - very complex, comercial, always 
> changing, too much featues, very convienient and make us lazy - nobody is 
> asking about the browser security...
> 
> But do I really need HTML to do some bank-transfer - by or sell shares or 
> other financial stuff?
> 
> For me not - but I don't like if money begins to leak out...
> 
> And today the bank is only half a bank - 50% is the online banking portal and 
> this means today: HTML
> 
> Why?
> 
> I don't know...
> 
> Kind Regards

with qubes browser is not as pressing cause you separate tasks with diff vms.  
Use as many vms as your memory can handle imo lol.   It sounds crazy to people 
at first but you get more used to it.   For example you can use a vm for only 
going to a single website all the time.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db48d3ca-2ff5-4562-8af4-ce9b5a03%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread raahelps
I have an external usb drive I use as a backup I encrypted even though qubes 
backups is encrypted. its so very easy.  why not? I don't think it can hurt, 
can it?

Pretty sure I did it right from the file manager.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ed4f1340-2797-4d34-b062-f118675b576e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Installing Windows 8 as a Standalone VM

2016-11-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Nov 09, 2016 at 04:16:24PM -0800, Andrew David Wong wrote:
> On 2016-11-08 09:54, Jillian Turner wrote:
> > Hello. In the past I have installed Windows 7 following the instructions 
> > found on the website with no problems. Windows tools worked fine as well. I 
> > now want to do the same with Windows 8.
> > 
> > I assume since its just an ISO the install should fine, but my concern is 
> > with Windows Tools. Has anyone gotten Windows 8 to work successfully with 
> > Windows Tools. My utmost concern is the ability to copy/paste from Qubes 
> > VMs, this has been very useful and I would like do the same in Windows 8 as 
> > well.
> > 
> > I'm also not stuck on Windows 8, if others have achieved the same 
> > functionality with Windows 10 as well that works for me, I have no problems 
> > using Windows 10 instead.
> > 
> > -jt
> > 
> 
> Qubes Windows Tools for Windows 8, 8.1, and 10 are still in development:
> 
> https://github.com/QubesOS/qubes-issues/issues/1861

It's unlikely to be implemented soon. The problematic component is GUI
agent. But just curious - have anyone tried installing Qubes Windows
Tools on Win 8/8.1/10 but excluding GUI agent there? There is some
chance for it to just work there.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYI8U2AAoJENuP0xzK19cslKIH/3nAPn9GbsmzmeA/RvRhDrEU
HNYyDdexRKjiU+pu1GNItc4AqsClcC0+DiOdIaC55Wet6sImiTw/eXAGmzn/7n28
AdNQ1ADVVJlWc1n5YlmzeHGBK2Eg3pq9F7nGELUGklUPzalOHGu0Dh1RIsSnDxTS
sem9+Cwo/NdfiMEE1vMTUTxTAvp7dik+Iul8wau0jG60/rrlm52cOTbOtkgud+TH
OweUOLq10Ah9ugp9p+54U7fVh/vHbR7h1ZMVjoU0L52GS8GHH5TjHJJJeeDh7FAv
rWATb2fjNhQRjTyp+0k/vRhLYGIedbQ/8VbAP3PV/3gS4ylEG98yxNmfgJX64zo=
=nPbF
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161110005414.GY7073%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Installing Windows 8 as a Standalone VM

2016-11-09 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-08 09:54, Jillian Turner wrote:
> Hello. In the past I have installed Windows 7 following the instructions 
> found on the website with no problems. Windows tools worked fine as well. I 
> now want to do the same with Windows 8.
> 
> I assume since its just an ISO the install should fine, but my concern is 
> with Windows Tools. Has anyone gotten Windows 8 to work successfully with 
> Windows Tools. My utmost concern is the ability to copy/paste from Qubes VMs, 
> this has been very useful and I would like do the same in Windows 8 as well.
> 
> I'm also not stuck on Windows 8, if others have achieved the same 
> functionality with Windows 10 as well that works for me, I have no problems 
> using Windows 10 instead.
> 
> -jt
> 

Qubes Windows Tools for Windows 8, 8.1, and 10 are still in development:

https://github.com/QubesOS/qubes-issues/issues/1861

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYI7xaAAoJENtN07w5UDAwEWMP/2UNbOLts8BImi5bZUsAVCte
xWYKTpsTyWEwFDaOFmGd3zRKiFhHwLtF7MK6HnjCZdErqvE/WxVrUIT5WzKgHyhG
ASdtWBIJEC9qYTG1Lm7hv4qMs81e0m2nrpILnpFOftRlrn+7fsnNxoGrXbb19umF
he0LLc2ttnEHCIKC7ME0KtwpLiossGWu+9fmPWB/PwQzHzl+bEoLcQGNUQ8n+yq1
/K/Tg+Yfu7CGs7imxvI604qoRazeoo2MZizjPZU8me3deJ01D/xpXLZk6loZFtoJ
LwOtiZvVM5705NPcGTMQQuMPOraoL9TbDNg9RmFOWKFObNaUZ0nD8RMm1YrfaiVu
cN5g/nL3Q2WgxUjO6UjQ7EuflIn14wRdThpI4qrtiyCPqz8q3qAN96G4ySWwypxP
dGJR+hvT06xax30N9KBXTN6JSxUoNgHXmJHss5L38ayQ9dexMo4eu5krNvfP3IYU
oSUjlwgq1vmXfzb9wYK19XBpwzqi2j5zP4KDzFFXUenygW6uD5icyiJxmNE3buxr
Q/VkbquVCDJ72sH9JWfs4uM3m4dH2EfvXguu76ygRim+oVk+Q7aXVk/39FTwG4ed
xUE/aJoqoaMBJW8xEMM3BMoP90yIVkm9YTn4qe/sRxf60L0w8tPXQ+8CR6hC8M5L
MabfibdaC0Rb2XpwcvdA
=IGIx
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1769ca47-5e36-0b91-5fe5-2f730414be90%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [feature request] Shutdown template after update

2016-11-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Nov 08, 2016 at 10:37:02PM +0100, Achim Patzner wrote:
> Am 08.11.2016 um 12:31 schrieb Andrew David Wong:
> > >>> After template updated ask user at the console to shutdown current
> > template.
> > >>
> > >>> "Shutdown current template [Y/n]"
> > >>
> > >> Currently tracking a very similar suggestion here:
> > >>
> > >> https://github.com/QubesOS/qubes-issues/issues/832
> >
> > > Wouldn't a command-line tool qvm-update-template [--all]
> > > [--shutdown-after-upgrade] [, ]* be much more
> > flexible?
> >
> > Yes, but I don't think the primarily goal of that ticket is flexibility.
> > Rather, I think it's to implement a quality-of-life feature that will
> > benefit users generally, including novice users who never touch the
> > command-line.
> 
> Maybe I should have added the (obviously in my eyes obvious) argument:
> The current update-procedures are launched by a GUI-application and then
> open a window that is asking questions which need keyboard interaction.
> And in some cases the default answer (at least in Fedora) (which is
> making things worse – at least the default Xterm is looking different
> for Fedora and Debian) is not what you want. Or at least not what I want
> (aborting the update). Now someone wants to add another bloody
> interactive option that will require at least me to select the
> non-default option.

I'd like to change this default - indeed it is very confusing, but I
don't know how. The only related option is to accept automatically.
Maybe this is the way to go?
Personally I like to review list of packages to be updated, but I guess
most users don't do that.

> No. Thank you very much, but no. If someone is making things even more
> like a text adventure they could just as well do it right, make the
> update process command line based and give up interactive decisions in
> favor of command line parameters to finally deliver a launch-and-forget
> solution. That could be easily scripted without opening that barrel of salt.

I think it's important to give the user some feedback. Fully automated
updates are somehow broken in most tools[1] - this is why we have this
terminal window, instead of just some progress bar or something even
less intrusive.
But automatically shutting down the template (after user have a chance
to see update feedback) is a good idea. Something like "Press enter to
shutdown template, or Ctrl-C to just close this window".

[1] https://phabricator.whonix.org/T373

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYI7A9AAoJENuP0xzK19cslx4H/3JFzlpcZZxatNmBjcB9Fuuf
gOgWK5iG8ql1ekKKYvGldOatjw3+c9pYGtY/u3jZTF5lrdifMO5kh1cbsnJ9EYJ8
Z7bjJ07Xa/3Now3fxfznBhe5tKpi+q6SqNjiGXNuSkZyoZqMfH+z1Zlv4FYXlft1
FlD5HpID7zJt90EAJVgQ5S1JAnDA++jmJDvIR/04H/LBiyCzJRrWw/4tctotzbOL
wQa1pEa79Fz2fuw5UlWvkcGRMXR9H+Yu+oAJ0+TO/ObwGrSfwlqcOqg/qSNjFIm6
PAfxPM2iGuL/B0oRVi8ST2Zb50LLa5K5k2jCk8WGdBv2RisXMrXh2sJkLspwxeM=
=dI89
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161109232445.GW7073%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Secure Browsing - browserless?

2016-11-09 Thread '17'41783'10'4321^14''4389
Hello,

no browserless - means you have no HTML at all any more!

   Qt Banking-Portal
 |
Screensharing App (bank)
   |
   QubesOS (as a Secure Endpoint of the Bank)
  |
HW Firewall
  | (web)  
HW Firewall
  |
   QubesOS (as a Secure Endpoint)
|
Screensharing App (me)

The screensharing has an very strong encryption enabled, so als long my 
Endpoint is save and I assume that the banking-security is fine - I have now no 
flaws from the browser technologies.

The browsers are a very nice sweet target - very complex, comercial, always 
changing, too much featues, very convienient and make us lazy - nobody is 
asking about the browser security...

But do I really need HTML to do some bank-transfer - by or sell shares or other 
financial stuff?

For me not - but I don't like if money begins to leak out...

And today the bank is only half a bank - 50% is the online banking portal and 
this means today: HTML

Why?

I don't know...

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df0248c5-bb61-4856-b8cf-45c23b9dc541%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Trouble with enabling networking between two Vms

2016-11-09 Thread Max
On Thursday, 27 October 2016 23:48:28 UTC+8, Max  wrote:
> On Monday, 24 October 2016 08:30:28 UTC+8, Unman  wrote:
> > On Sun, Oct 23, 2016 at 02:11:48AM -0700, Max wrote:
> > > Hi,
> > > 
> > > I am a new user of Qubes OS so apologies in advance if the question here 
> > > has been answered already in a separate topic (there are similar issues) 
> > > and I haven’t discovered this or it is not one suited to this mailing 
> > > list. I am running Qubes 3.2 and attempting to ping from one VM to 
> > > another VM, specifically from a Standalone Windows 7 VM to a Qubes VM 
> > > based on the Debian 8 template.
> > > 
> > > All my VM’s were initially connected in the default manner i.e. to a 
> > > sys-firewall and through to the sys-net VM, both of which are Fedora 23. 
> > > There are no firewall rules on these VMs restricting which IP addresses 
> > > can be accessed.
> > > 
> > > Current status:
> > > - I am able to ping from my Windows 7 VM (10.137.2.19) to the Firewall VM 
> > > (10.137.1.8) using the IP address visible in the VM Manager
> > > 
> > > - I am unable to ping the Debian 8 VM (10.137.2.18) from my Windows VM. 
> > > 
> > > Steps taken:
> > > 1) I followed the instructions here 
> > > (https://www.qubes-os.org/doc/qubes-firewall/#enabling-networking-between-two-vms)
> > >  and in the firewall VM’s terminal enter the following iptables rule...
> > > 
> > > sudo iptables -I FORWARD 2 -s  -d  > > of Debian 8 VM> -j ACCEPT
> > > 
> > > … In VM B’s terminal (Debian 8) I entered the following iptables rule...
> > > 
> > > sudo iptables -I INPUT -s  -j ACCEPT
> > > 
> > > ...but from here when using the ping function to my Debian 8 VM in the 
> > > cmd prompt in Windows, all packets were lost.
> > > 
> > > 2) As this was not successful I attempted to see if I could connect to 
> > > VMs from an external machine and followed the instructions here 
> > > https://www.qubes-os.org/doc/qubes-firewall/#port-forwarding-to-a-vm-from-the-outside-world.
> > > 
> > > The Eth0 IP address (192.168.1.6) appeared to be what I should expose the 
> > > service to.
> > > 
> > > I put the below rule in the sys-net VM’s Terminal...
> > > 
> > > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x 
> > > -j DNAT --to-destination 10.137.1.x
> > > 
> > > ...and this rule into the sys-firewall VM’s Terminal
> > > 
> > > iptables -I FORWARD 2 -i eth0 -d 10.137.1.x -p tcp --dport 443 -m 
> > > conntrack --ctstate NEW -j ACCEPT
> > > 
> > > But using ping or Telnet resulted in lost packets and failed to increase 
> > > the counters when using the iptables -t nat -L -v -n command in the 
> > > sys-firewall VM's terminal.
> > > 
> > > 3) With this not being successful either I attempted to add a “sys-proxy” 
> > > VM as described here 
> > > https://groups.google.com/forum/#!searchin/qubes-users/intervm%7Csort:relevance/qubes-users/lA2SgPcV9fU/U969uapYAAAJ
> > >  and entered the following in the new sys-proxy VM's terminal:
> > > 
> > > iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d 
> > > $intervm_internalnet/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> > > 
> > > iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d 
> > > $intervm_internalnet/24 -p udp -m udp -j ACCEPT
> > > 
> > > After this, I was still unable to ping the Debian 8 VM from my Windows VM.
> > > 
> > > Questions:
> > > 
> > > 1) Are there any obvious errors in the steps I took and does anyone have 
> > > any suggestions how I can resolve this issue?
> > > 
> > > 2)  There are a number of other incidences of what seemed to be a similar 
> > > issue here: 
> > > https://groups.google.com/forum/?nomobile=true#!msg/qubes-users/59kOjfQFBI4/bjS47-jJJgAJ,
> > >  
> > > https://groups.google.com/forum/#!msg/qubes-users/vSyUaOSloYU/ONZNJlhrBAAJ.
> > >  Are the enabling networking between VMs steps described here still 
> > > correct and applicable for Qubes 3.2?
> > > 
> > > 3) The IP address assignment suggests that the VMs are on the same 
> > > network – the Subnet Mask is 255.255.255.0 so surely any devices with an 
> > > IP address of 10.137.2.x would be able to communicate with each other? 
> > > What is unique in Xen / Qubes that stops this?
> > > 
> > > 4) Is there a way in which the current routing rules can be displayed and 
> > > reset back to the default if required?
> > > 
> > 
> > Hi Max,
> > 
> > I would make sure the basics work before moving on.
> > 
> > 1. You haven't allowed return traffic from the Debian qube.
> > Put in an ACCEPT FORWARD rule as you have with source and destination
> > reversed.
> > 
> > The rules you have entered to allow forwarding are for traffic to port
> > 443. You don't seem to have either ping (icmp) or telnet(tcp port 23)
> > enabled.
> > 
> > These look like obvious mistakes.
> > 
> > 2) Yes, I believe the instructions are still correct.
> > 
> > 3) qubes are connected through a netvm - the default firewall rules
> > there prohibit traffic between qubes connected 

Re: [qubes-users] Display Calibration

2016-11-09 Thread Connor Page
darktable and firefox can use a defined profile without colord. the profile has 
to be in a specific place and selected as the display profile (with colord 
option switched off). for firefox the full path to the profile should be 
entered in some property that I don't remember exactly right now but it starts 
with "gfx". the rendering intent and colour management mode is set there as 
well. those are documented by Mozilla, you need to google what those codes 
actually mean.

I never found the time to write my own guide but I could possibly review or 
contribute to yours. sorry I can't be more specific as I'm travelling without 
my qubes laptop now.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3b0601c1-7142-4e42-a903-804b6785ab22%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread gaikokujinkyofusho
On Wednesday, November 9, 2016 at 10:25:47 AM UTC-5, Desobediente wrote:
> If you just want to move files in the old fashion way and not entire AppVM in 
> the sense that the AppVMs should remain in the original drive, in other 
> words, if you want to be able to remove the other hard drive from the system 
> and will useit mainly for storage of large files,
> 
> 
> then the answers are more questions:
> 
> 
> is your qubes system encrypted?
> do you need the files to be encrypted?
> 
> 
> If you are willing to accept common knowledge as advice, then yes, you shall 
> encrypt everything every time, unless there are reasons not to. For example, 
> encrypted disks will make data unavailable to data recovery for an obvious 
> reason. If the data is not sensitive and it should remain forever 
> recoverable, that could be a reason not to encrypt data, but that is one 
> exception of the above rule.
> 
> 
> Anyway, if this is your case, it should be simple as attaching the disk into 
> any AppVM and running the GNOME Disks application. I'm not sure what's the 
> name of that in the KDE and XFCE desktops, but i know that if you call it via 
> terminal, it's gnome-disks.
> 
> 
> From there it should be straightforward, but there is this tutorial in the 
> Tails website if you want: 
> https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html

In the future I would probably store large files (or collections of large files 
like music) but for now I had in mind at least storing some of my templateVM 
copies as I have a backup copy of each template (and the WinHVM is taking up an 
esp large amt of space). 

As for my Qubes system, its def encrypted, that part I am sure of.

My general thought is, better to be safe than sorry. The exception I could 
think of is if I had short-term bkups (I do "long term" bkups on an ext drive) 
on this drive they are encrypted but most everything else I figure, why not 
encrypt? 

So gnome-disks, I think that will be pretty straight forward, but when I want 
to open it I'd have to go to a VM -> file manager and enter a passwd everytime 
... I think? (trying to wrap my head around this). If I wanted something a bit 
automatic like the https://www.qubes-os.org/doc/secondary-storage/ option, is 
there a way the drive could automatically be mounted/decrypted so that template 
backups could be accessed (and updated, wouldn't want out of date templates).

Thx!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f38bf403-1253-49e9-a46a-267b1b3b43db%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: (is Eluktronnics a) Good choice laptop for Qubes?

2016-11-09 Thread Pedro Martins

On 09-11-2016 01:59, raahe...@gmail.com wrote:

On Tuesday, November 8, 2016 at 2:14:36 AM UTC-5, Dave C wrote:

I'm looking to upgrade my laptop and get something suitable for Qubes 4.  A 
search for laptops with large RAM led me to Eluktronics brand.  It gets good 
ratings on amazon, but I have not seen it mentioned here.

Here is (I believe) their smallest model, and if I understand correctly it 
meets the reqs of Qubes 4:

https://www.amazon.com/dp/B01E3Q0K24/ref=psdc_13896615011_t3_B01G1JT7QG?th=1

The CPU: 
http://ark.intel.com/products/88967/Intel-Core-i7-6700HQ-Processor-6M-Cache-up-to-3_50-GHz
Qubes 4.x reqs: 
https://www.qubes-os.org/news/2016/09/02/4-0-minimum-requirements-3-2-extended-support/

I thought it wise to ask here before ordering... Am I missing something that 
makes it not a good choice?

I've read elsewhere 
(http://www.onebigfluke.com/2016/10/alternatives-to-apple-computers.html) about 
the importance of Thunderbolt 3, which I believe the model I link to does not 
have.  But honestly I don't know the ins and outs of what hardware makes a 
laptop the best choice.  I'm looking for a lightweight laptop that offers high 
bang for buck.  And of course will work perfectly with Qubes.

Any strong opinions here about the Eluktronics brand specifically?  Or Qubes 
laptop advice in general?  Thanks!

-Dave


I never heard of this brand.
couldn't find a manual for that model but found this one.  
http://www.eluktronics.com/content/Manuals/P6x0RS%28G%29/P6x0RS-G_Manual.pdf  
Vt-d is enabled by default it looks like from the picture so thats a good sign. 
 Thats the most important thing to look for.  It also has tpm.

only thing I would question is if the keyboard is ps2 controller, which I'd 
recommend.



This looks like a rebranding of a Clevo model; found this site on this 
side of the pond (Portugal) which have a similar model:


https://www.obsidian-pc.com/en/clevo-p640rf-laptop.html

You can have it with Elementary OS installed, so they may be mostly 
compatible with Linux. Probably can ask them if really interested.


Never bought anything from them or knew them before so cannot vouch for 
anything related to them; just FYI.

--
Pedro Martins

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0775ea16-7446-fc60-7513-c470da3eca09%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread Desobediente
If you just want to move files in the old fashion way and not entire AppVM
in the sense that the AppVMs should remain in the original drive, in other
words, if you want to be able to remove the other hard drive from the
system and will useit mainly for storage of large files,

then the answers are more questions:

is your qubes system encrypted?
do you need the files to be encrypted?

If you are willing to accept common knowledge as advice, then yes, you
shall encrypt everything every time, unless there are reasons not to. For
example, encrypted disks will make data unavailable to data recovery for an
obvious reason. If the data is not sensitive and it should remain forever
recoverable, that could be a reason not to encrypt data, but that is one
exception of the above rule.

Anyway, if this is your case, it should be simple as attaching the disk
into any AppVM and running the GNOME Disks application. I'm not sure what's
the name of that in the KDE and XFCE desktops, but i know that if you call
it via terminal, it's gnome-disks.

>From there it should be straightforward, but there is this tutorial in the
Tails website if you want:
https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAF0bz4QrCiaYOuV-E5Okemqrb75uxNGqtVQba9fAcuC7F3sH2g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Leak Problems with VPN ProxyVM + AirVPN & Network lock

2016-11-09 Thread Chris Laprise

On 11/09/2016 08:46 AM, SEC Tester wrote:

I've considered leaving network lock off, and building my own custom IP Tables, 
or firewall rules to stop the leaks.

But this is currently beyond my skill set, so would need some hand holding to 
learn what to do.

I have looked at the section here on the Qubes site on how to stop leaks using 
scripts, but its kinda confusing, and looks like its for a CLI approach, when i 
would prefer to have my AirVPN GUI for convince.

https://www.qubes-os.org/doc/vpn/#proxyvm



The VPN doc definitely uses scripts to block leaks. However, the editing 
of files is kept to a minimum as its mostly copy and paste.


The two basic things the scripts do are block all direct forwarding 
to/from eth0 (the Qubes uplink interface), and setup DNAT rules that 
allow DNS requests to be tunneled. This is roughly analogous to running:


iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
(during firewall setup)

/usr/lib/qubes/qubes-setup-dnat-to-ns
(triggered by the openvpn 'up' script command which runs after openvpn 
puts new DNS values in /etc/resolv.conf)


To use the VPN doc scripts with the AirVPN GUI wrapper, you could try 
running the GUI program under the 'qvpn' group, granting it access to 
the net. Or you could change the policy of the OUTPUT chain to ACCEPT to 
bypass the group restriction, which doesn't affect leak prevention for 
forwarded traffic.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d5fbf306-eeb0-0ec4-ab29-3ce83ccdce6b%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread donoban
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11/09/2016 02:45 PM, donoban wrote:
> You can use any tutorial for standard Linux distributions like
> Debian or Fedora. Or you can use the original LUKS documentation:
> 
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestion
s#
>
> 
2-setup
> 

You should do it on a VM with the hard disk attached to it. It should
point to something like /dev/xvdi , check dmesg for be sure.

Skip any /etc/cryptotab or similar configuration. Once your hard disk
is proplery formated it will be auto detected when you attach it to a
VM and it will be ask for the passphrase.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJYIymtAAoJEBQTENjj7QilLQUQAJC5txNimwbK/621KTdTAb4d
jbZDuOf99/Dz+lZWuqnVKAx26oePqiKZ9b7aqNDhZhr8OOxvntzrtwldaKsnM9O5
7fFAb21DXU4ZOQ5Vb3OZO49ZNu0RQPQHTEowXE+SkBJFhMSb3V5v8VxBoAIgeqoe
hPlSyLkaMC2zAjSTkRVa8N2CqP5Y6k/OjiyiucayNNFGLQtrtI8dKK2xkC03eZJd
XcrX+VluBtm4mY/3FJzXMWH0kJYSprFyrW+/t1Gjs6SlxLpLUp+hcqv4lejSeTcb
JLHPjtwSadtuP3TlGbESSNH9pu5OzXSL89GEFqZ76Z1vmPcfmyhWeHMnXWRYoKmd
dNyipuJ2I0wSMiMoYVUFFO5tsIHuOJsGNKeK1CzgFfdMmXQ9bmFIStrcbwMHdhkU
uBsPAPvAtJaVlTKMztbLUbjcgh/IXhST+TBqwUpU7nWh7UGU7/xxDhCJuNc/eGt2
e9H0hxjXOOB1A2h2iuxK80Co0c/7HPR1oR0AAkV4ea5ZD2cC5DGf7CYAg0JNh6vK
7nJnBome77XEUqlh2i7hMVOgjriTbRWK9FsH1ecUprmtrgqVCVSc+Zzx9aGZv8bu
Zlnoeghpo1Srmb9lWKACHyufYFnvn3pBXtPFWxJE3JLmX3MZkNP2LwkrZ36yb1Hb
KsZCJ826trJ9JNNwl4Gz
=6PYK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/108d1c25-46a5-3d1e-aa3f-0e34be81e63b%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread Zrubi
On 11/09/2016 02:45 PM, donoban wrote:
>  
> On 11/09/2016 02:33 PM, Gaiko Kyofusho wrote:
>> If its and it should be (ie good practice) is there a doc for 
>> that? I looked over the docs section, and poked around in general 
>> but didn't find much info?
> 
> 
> You can use any tutorial for standard Linux distributions like Debian
> or Fedora. Or you can use the original LUKS documentation:
> 
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#
> 2-setup
> 


And/Or you can read the related Qubes docs:
https://www.qubes-os.org/doc/secondary-storage/
https://www.qubes-os.org/doc/encryption-config/

-- 
Zrubi

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c0a1fea-2cb9-d802-dc12-85438519075d%40zrubi.hu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature


[qubes-users] Re: Leak Problems with VPN ProxyVM + AirVPN & Network lock

2016-11-09 Thread SEC Tester
I've considered leaving network lock off, and building my own custom IP Tables, 
or firewall rules to stop the leaks.

But this is currently beyond my skill set, so would need some hand holding to 
learn what to do.

I have looked at the section here on the Qubes site on how to stop leaks using 
scripts, but its kinda confusing, and looks like its for a CLI approach, when i 
would prefer to have my AirVPN GUI for convince.

https://www.qubes-os.org/doc/vpn/#proxyvm

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8d4b36e6-e656-49c7-9bf4-03ee700429d8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread donoban
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 11/09/2016 02:33 PM, Gaiko Kyofusho wrote:
> I installed a secondary drive on my computer a few weeks back then 
> got sidetracked but now I am having space issues so need to move 
> some things over to that drive.
> 
> The thing is I don't remember it being encrypted at any point
> which made me think: 1) Is it encrypted?

If you don't know, probably it isn't.

> 2) Does it need to be encrypted?

It depends on what you are going to move on it and what level of
privacy do you want for it. However, since you can't be sure what you
will put on the future, I will encrypt it always.

> If its not, and it should be (ie good practice) is there a doc for 
> that? I looked over the docs section, and poked around in general 
> but didn't find much info?
> 

You can use any tutorial for standard Linux distributions like Debian
or Fedora. Or you can use the original LUKS documentation:

https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#
2-setup
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJYIyiAAAoJEBQTENjj7QilGzQP/RRYJQTDKRMFSXMG1ViertQa
dGKfkQcYuofSZYT0GC7oecxJekMC+Z1YO1JeFmhwI5J+u5z9/ppnNqW1FcUUbtZ/
jyr2BIFEIL/uL0qGXdXs+0EyXbS5zOMtenmeDJt65VRITKXRaWeZxQwAswog5d3k
4Bz4gceBCj366gA13VXfDbEupPILHu1Cdyhf9aul5tpe+0fVQXEm0Y+9IO71RtVY
dZoBWfzcjgMME8nSQDcjJC5lLEMmDe8Z81vlC6S6Jc5Sdauq4EePob7yExcl/9ix
Wll7Bcg0kS7+cOvzss1Q1Scd1ZsP2u73ENpaYDukoSOi9QR7GBo+8SgF9Gs30mk5
5BovuE7A6D4K42N713ehi49Fb4pkVqKQBN6EQCrknWjsVOeAKyeF5x3z7sEgBKz6
BkEsEEvW8L5adfg/Za0u37hfYARQ3ZhfZzTqntVRhHQihIvGICffAl9wZVJyfdxl
Steq4W82b2qBluLm/sDuY6/Kf4ufyKqjnDnQEzcsupfJH/smEejiVK6Qa9cQWxn2
VjgFJN2tG2GiQqf1YBhy88eJmpnPf0RkUMaWqTRllAkSv6MpSErpLpdLPL18YPOW
RtoACQXTaStywccFKrxH9uQYBdhcpiSD/Qs6/yDzRltuAHjctbbl2G4k2/asU6f7
NF2t2YZFMEKee785+DbR
=5jYn
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/466ada1b-0f60-254e-78c3-6067281c%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] ANN: Leakproof Qubes VPN

2016-11-09 Thread SEC Tester
Hey Rudd-O,

Thanks for your effort and great contribution to the Qubes community. Not sure 
why Chris was critical, especially without specifically showing evidence of any 
problems. Maybe just a troll?

I  haven't tried your program out yet, Im keeping it as my backup option, as im 
still hoping to find a way to get my AirVPN GUI to work. I would prefer a GUI 
over a CLI, especially when i might want to switch servers quickly or look at 
my stats.

As you seem like such an expert on this, i was hoping you could have a look at 
my post, and see if you could workout whats going wrong?

https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg

If you have the time that would be Awesome! Cheers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b451c810-eba8-4c94-bf0c-237ef7b3678e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Encrypted Secondary Drive? (is it? Is it needed?)

2016-11-09 Thread Gaiko Kyofusho
I installed a secondary drive on my computer a few weeks back then got
sidetracked but now I am having space issues so need to move some things
over to that drive.

The thing is I don't remember it being encrypted at any point which made me
think:
1) Is it encrypted?
2) Does it need to be encrypted?

If its not, and it should be (ie good practice) is there a doc for that? I
looked over the docs section, and poked around in general but didn't find
much info?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxODd5gBLAF5CJwXUrP_7F0s%3DKgXGTzviaBq8SXRSgpvng%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Display Calibration

2016-11-09 Thread Zrubi
On 11/04/2016 10:06 AM, Zrubi wrote:

> Just found out that some test during an 'accurate' (long) calibration
> process do want to modify (apply the half baked profile) driver settings
> and checking the results, then make modification and checking it again.
> Doing this till find the best results.
> 
> So calibrating from a Qubes AppVM seems to be a dead end.
> 
> (but I still in a hope for a calibrated display - it is really needed if
> you want to work on photographs - like I do)
> 
> Already tried to lower the security bar and attached the device to dom0,
> and run the calibration there. The software is running fine, however
> applying the resulted (or any other pre definde/test) profile seems not
> working as expected. (no effect seen)
> 
> Work in progress in this part
> 

Connecting the calibration device directly to dom0, and installing the
required software packages (gnome-color-manager) was allow me to
calibrate my display under Qubes :)

However I got different results on different devices:
- Dell E6430:
The color manager see tha LCD panel as a color manageable device,
clibration runs fine, but - for some reason - I have to apply the color
profile manually to take it's effects.

- Lenovo T450
I do not even see the LCD panel in color manager :(
It is working on Fedora 23, 24, and RedHat 7.2 on the same device.
However I'm not sure if I was configuring something or this is a "Qubes
default" issue.

Applying the color profile is half of the job, next part is to provide
the same profile for AppVMs.
Here I'm stuck a bit because I would need to make the DUMMY display
(provided by Qubes) as a color managed device. Then I would be able to
"apply" the same profile. Here the apply only would means that colord
can provide that profile to the colord aware applications. (Firefox,
Eog, Darktable in my case)

@Marek: Any idea how to achieve this?

Without this I still getting better colors overall - but the real color
management is only achievable if the apps are using the same profile.

For now I can configure apps (at least Darktable for sure) to use my
color profile manually.


(BTW: I'm about to create a "color management in Qubes" documentation soon)


-- 
Zrubi


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/50b775ac-8774-a3d7-63f7-0c8435ebb246%40zrubi.hu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature


Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access

2016-11-09 Thread SEC Tester
Thank you for the reply Unman.

You might be right about them never having internet access. Because dnf & yum 
works, i think i assumed the internet work.

The reason i actually found this issues, was because i was ping testing, trying 
to solve a problem i was having setting up a VPN ProxyVM.

(See this thread i just posted)
https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg


When i found the templates couldnt ping the internet, it sent me down this path 
trying to trouble shoot.

I can still dnf yum etc now even while on sys-firewall. So we can consider this 
"issue" solved.

Thank you Unman & Drew.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c56c6ad4-87d4-4bdf-9590-a2ddcb6dd00d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes R3.2 on Thinkpad X250: cannot install Windows 7 (hangs on "Starting Windows" at install)

2016-11-09 Thread Pablo Di Noto
Hello,

Never had much use for a Windows7 HVM so far.

Months ago, I installed W7 on Qubes just for the sake of testing. Got to the 
point of installing qubes-windows-tools and had some success with it, but never 
used it much (in fact, never activated a license on the resulting W7 install).

Now I want to start from scratch, but cannot make a HVM to go further than 
"Starting Windows" screen on the install phase.

Only changes I recognize on my setup are:
- R3.2 final installed (which included several Xen updates, 4.6 to 4.6.3 IIRC)
- Got a "storage pool" enabled, to use the machine SHDD together with the boot 
SSD.

So far, tried all this:
- several W7 ISO versions (including the ones I successfully used before).
- creating the HVM with 2, 3 and 4gb of memory.
- creating the HVM on my "big storage" pool, the local SHDD, using -P option in 
the qvm-create command
- creating the HVM on the original storage pool, the local boot qubes-dom0-root 
volume, using the GUI to create the machine.
- using debug options on all the attempts, but logs show absolutely nothing 
that I can recognize as error.

Any pointers on what to try next, or how to debug?

Thanks in advance!
///Pablo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8064898-933d-4dd6-93e3-9cefad78e6d1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes on Lenovo Thinkpad X250 Issues

2016-11-09 Thread Pablo Di Noto

> Bump. Its not Qubes specific. Same applies to latest Xen Hypervisor on Ubuntu 
> 16.04.1.
> 
> Any idea what got introduced into Xen between 3.0 and 3.1?

I am using a X250 since last february (installed R3, updated to R3.1 and full 
reinstall of R3.2).

No problems with booting so far.
Let me know if you want to compare BIOS versions, config, etc.

Regards,
///Pablo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/34188e48-ecec-4821-a9a5-a7ff1d008999%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access

2016-11-09 Thread Unman
On Wed, Nov 09, 2016 at 03:00:13AM -0800, SEC Tester wrote:
> Hey Drew, Cheers for the reply.
> 
> It wasn't possible to 100% follow your instructions;
> 
> In "Global settings" it doesn't seem possible to set the default "netVM" to 
> "none". It only lists choices of netVM or ProxyVMs. I left it set to 
> "sys-firewall".
> 
> I followed the rest of your instructions. Deleted the sys-net VM, created a 
> new one.
> 
> re-assigned the network adapter with qvm-pci -a  
> 
> when setting sys-net as default netVM, the templates can ping the Internet. 
> BUT shouldnt i keep everything proxied through sys-firewall?
> 
> Or is there some reason the templates cant go through the sys-firewall? and 
> must go through sys-net?
> 
> It seems more clear at this point the sys-firewall is responsible for 
> stopping the templates internet. But i dont know why?
> 
> I could set the template netVM to sys-net, but would prefer to solve this if 
> possible?
> 
> Look forward to your reply.
> 

I think that you should look at the docs - in particular this page:
https://www.qubes-os.org/doc/software-update-vm/
and check the sections on "allowing networking for software update" and
"Updates proxy".

By default templates are prohibited from accessing the internet except
via the update proxy. This is a security measure.
If a template is compromised then all qubes based on it will be
compromised. The default setup is a small step toward providing some
protection. It restricts access from a template to the update proxy
service running on the upstream proxyVM, in your case sys-firewall.

Drew's advice addresses another issue - not yours.

I don't believe that the templates would ever have had internet access.

You say that you  need internet access to install software: you can
either temporarily allow access as detailed on the above page - not
advisable because of a bug that doesn't then reset the firewall rules, so
"temporarily" is a complete misnomer - OR access the software source in a
qube and then copy it across to the template.

Perhaps I've misunderstood your problem. If so, apologies.

unman




-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161109113650.GA27762%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: HELP: TemplateVM's have lost internet access

2016-11-09 Thread SEC Tester
Hey Drew, Cheers for the reply.

It wasn't possible to 100% follow your instructions;

In "Global settings" it doesn't seem possible to set the default "netVM" to 
"none". It only lists choices of netVM or ProxyVMs. I left it set to 
"sys-firewall".

I followed the rest of your instructions. Deleted the sys-net VM, created a new 
one.

re-assigned the network adapter with qvm-pci -a  

when setting sys-net as default netVM, the templates can ping the Internet. BUT 
shouldnt i keep everything proxied through sys-firewall?

Or is there some reason the templates cant go through the sys-firewall? and 
must go through sys-net?

It seems more clear at this point the sys-firewall is responsible for stopping 
the templates internet. But i dont know why?

I could set the template netVM to sys-net, but would prefer to solve this if 
possible?

Look forward to your reply.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a91ef7ff-6f92-450b-bf7c-7c7685db8338%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.