Re: [qubes-users] Re: Amnesic QubesOS

2017-02-14 Thread Jean-Philippe Ouellet
On Tue, Feb 14, 2017 at 9:45 PM,   wrote:
> There is the option to use a disposable vm for everything if you want?

Note that the current implementation of DispVMs does not resist local forensics:
- https://www.qubes-os.org/doc/dispvm/#disposable-vms-and-local-forensics
- https://github.com/QubesOS/qubes-issues/issues/904
- https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4/discussion

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BDZkVfjASbhqQiZy-TDEdc9FZBMek0vDrPZ5JLMXHJpQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to safely use Wireshark in Qubes?

2017-02-14 Thread Chris Laprise

On 02/14/2017 09:41 PM, raahe...@gmail.com wrote:
> isn't tcpdump just as vulnerable though if not more?
>
> I run things like that in sys-net since I consider it extremely untrusted, but 
> if you have the resources or want only specific streams, sure a separate 
> template or separate VM I would assume is more secure.

Since sys-net is untrusted, try using a proxyVM which should be much 
safer. At least it'll work for IP traffic.


Chris



[qubes-users] Qubes not detecting S/PDIF audio out

2017-02-14 Thread Nautilus Maximus
Hi all,
I have Qubes up and running, no real issues... well... except one. Qubes has 
detected my normal hardware audio out and my HDMI audio out but it has not 
detected my S/PDIF out. This is a real deal breaker for me as I use an SMSL 
headphone amp with only one input, S/PDIF. My MB is an ASRock 990FX Killer. 
All other Linux distros including Fedora, Ubuntu, Arch, Gentoo and Puppy Linux 
can detect it. Is there any way to get this up and running? Any tips and/or 
advice would be appreciated.



Re: [qubes-users] AEM questions

2017-02-14 Thread Chris Laprise

On 02/14/2017 05:50 PM, j...@vfemail.net wrote:
> hi.
> since I will be traveling for a bit, my threat model changed and I 
> want AEM.
>
> when reading the documentation, a few questions came up:
> (in any case, I will use a passphrase for AEM.)
>
> 1) is there a difference between using a USB drive or using an 
> internal partition? (except for having a second device in the case of a 
> USB drive)

Yes. You should keep your AEM boot with you on a separate device. If you 
don't, an attacker could see your secret phrase by booting the system.

This is also important if you want AEM to warn you after a /remote/ 
(non-Evil Maid) attack has affected your BIOS.

> 2) citing from the AEM readme:
> 'If you've chosen the latter option [using an external boot device], 
> you should then remove the internal
> boot partition from dom0's /etc/fstab, never mount it again in dom0, and
> never boot from it again, because an attacker might modify it to exploit
> GRUB or dom0 filesystem drivers.'
> what would happen if I lost my external boot device?
> could I still boot without it?

You wouldn't be able to boot immediately. But you could later use a 
Qubes install disk to re-create a boot partition, or restore a partimage 
backup of the boot drive, or use a (trusted) live CD to unlock your 
Qubes drive and back up the VMs before installing Qubes anew.

> 3) is unhiding my USB devices only required during AEM setup? (I guess 
> so, but I thought I would ask)

I think you refer to the option that suppresses USB devices during boot. 
This should be turned off when booting AEM (not just installing) from a 
USB stick so the verification sequence can read the secret from the USB 
stick.

However, you can configure a sys-usb VM to run automatically on startup, 
and this will isolate USB devices from the rest of the system. So... 
when booting AEM don't leave odd or untrusted devices plugged into your 
USB ports, because the system may be vulnerable during boot (but after 
boot you should be protected if sys-usb is running and configured properly).

> 4) The article from 2011 
> (http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html) 
> mentions keyfiles.
>
> Is this implemented? (the readme says nothing about it)

I don't recall seeing this implemented. There may be some workaround 
such as specifying the passphrase in the config... see "man crypttab" 
for details; in that case, the USB stick literally becomes a key to your 
main drive.

Chris

> -joe





[qubes-users] Re: Installation Media Self-Check Confusion

2017-02-14 Thread raahelps
On Monday, February 13, 2017 at 2:26:42 PM UTC-5, bf18...@gmail.com wrote:
> On Monday, February 13, 2017 at 1:07:44 PM UTC-6, raah...@gmail.com wrote:
> > On Sunday, February 12, 2017 at 7:33:43 PM UTC-5, bf18...@gmail.com wrote:
> > > Hello,
> > > 
> > > I have been trying to install R3.2 and even though I have tried burning 
> > > both USBs and DVDs and using different burning programs (including just 
> > > dd for the USB) it always results in it saying that the .iso is 
> > > unsupported and the install media is fragmented (20 count with a md5 
> > > sum (I can include that if it helps)). The weird part though is that it 
> > > says it before the media check starts and if I let it finish the check it 
> > > says that it passed and will continue to the graphical interface. I also 
> > > verified it before burning and the files were (reasonably) trustable. 
> > > Does anyone have any advice on if it can be trusted in general or have 
> > > had this happen before?
> > > 
> > > Thanks in advance for even glancing
> > 
> > what happens when it goes to the graphical interface?
> > 
> > have you tried it on diff ports, diff pc?
> > 
> > what mobo? how exactly are you verifying it?
> 
> When it goes to the interface everything seems exactly the same as it used to 
> for anaconda (I have used qubes before in some of its earlier forms and 
> release candidates). It even runs a standard install but I'm not sure why it 
> would continue when it usually refuses if anything faults.
> 
> I've tried two PCs, one using Windows and one using Deb. 
> 
> I've verified with gpg4win and reg gpg with sha251 checks. Mobo is Intel 
> Celeron.

so on the other two PCs you get the same self check error message?



[qubes-users] Re: Amnesic QubesOS

2017-02-14 Thread raahelps
On Tuesday, February 14, 2017 at 11:56:21 AM UTC-5, pri aif wrote:
> Would this work?
> 
> Install Qubes onto a USB drive, then boot up, set up all VMs, update everything and 
> power off; then plug a write blocker between the USB drive and the USB port, boot up, and 
> once done turn off, and no write changes to the USB drive have been made?
> Only ever boot without the write blocker to install updates, preferably from a 
> different network only ever used for updates.
> Could this be a workaround to the last thing Tails is superior in (amnesia)?

Probably not, I don't think it's a goal of Qubes OS; this is for normal desktop 
users. There is the option to use a disposable VM for everything if you want?



Re: [qubes-users] How to safely use Wireshark in Qubes?

2017-02-14 Thread raahelps


isn't tcpdump just as vulnerable though if not more?

I run things like that in sys-net since I consider it extremely untrusted, but 
if you have the resources or want only specific streams, sure a separate 
template or separate VM I would assume is more secure.



[qubes-users] AEM questions

2017-02-14 Thread jd87

hi.
since I will be traveling for a bit, my threat model changed and I want
AEM.
when reading the documentation, a few questions came up:
(in any case, I will use a passphrase for AEM.)

1) is there a difference between using a USB drive or using an internal
partition? (except for having a second device in the case of a USB drive)
2) citing from the AEM readme:
'If you've chosen the latter option [using an external boot device], you
should then remove the internal
boot partition from dom0's /etc/fstab, never mount it again in dom0, and
never boot from it again, because an attacker might modify it to exploit
GRUB or dom0 filesystem drivers.'
what would happen if I lost my external boot device?
could I still boot without it?
3) is unhiding my USB devices only required during AEM setup? (I guess so,
but I thought I would ask)
4) The article from 2011
(http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html)
mentions keyfiles.
Is this implemented? (the readme says nothing about it)

-joe




Re: [qubes-users] Re: How install visual studio code on the template Fedora ?

2017-02-14 Thread Unman
On Tue, Feb 14, 2017 at 01:19:17PM -0800, codeur4l...@gmail.com wrote:
> Yes, this is what I am trying to do. 
> I downloaded the .rpm file from my personal VM, then I copied this file 
> into the fedora template. The problem is I don't know where this file is now 
> because in the fedora template I don't have a file manager. 
> I tried executing 'sudo dnf install .rpm' with the appropriate name in 
> the fedora template terminal but it doesn't find the file.
> 

When you copy or move a file to a qube it is placed in ~/QubesIncoming
under the name of the source.
cd to that directory and you will be able to install the file you have
copied across.

This is in the docs at www.qubes-os.org/doc/copying-files/



[qubes-users] Make xfce4-netload-plugin display next to netvm icon?

2017-02-14 Thread HawKing
The network monitor plugin displays nicely colorized current network
traffic rate on the XFCE panel. I would like to get this displaying
the netVM's traffic rate, next to the red netvm in Dom0's panel.
However, typically it doesn't run in the "notification area", and I'm
not sure how to get it displayed in Dom0 (as the netvm icon is). 

Can anyone point me in the right direction?



Re: [qubes-users] Re: How install visual studio code on the template Fedora ?

2017-02-14 Thread codeur4life
Yes, this is what I am trying to do. 
I downloaded the .rpm file from my personal VM, then I copied this file 
into the fedora template. The problem is I don't know where this file is now 
because in the fedora template I don't have a file manager. 
I tried executing 'sudo dnf install .rpm' with the appropriate name in the 
fedora template terminal but it doesn't find the file.



Re: [qubes-users] Re: How install visual studio code on the template Fedora ?

2017-02-14 Thread codeur4life
On Tuesday, February 14, 2017 at 9:45:31 PM UTC+1, Unman wrote:
> On Tue, Feb 14, 2017 at 12:03:01PM -0800, codeur4l...@gmail.com wrote:
> > I really need to know how to install software.
> > It is obscure to me and the qubes documentation didn't give me the solution.
> > Nobody has an idea?
> > 
> 
> What is it that you do not understand? The page you reference provides
> absolutely explicit instructions.
> Is there anything unclear on this page?
> www.qubes-os.org/doc/software-update-vm/
> 
> You should install software into a templateVM, and then it will be
> available in all qubes based on that template.
> 
> So choose your template - Debian or Fedora.
> Download the code for the Template you chose, as instructed on that page.
> Then copy the downloaded file to your template.
> Run the appropriate command(s) in the template.
> 
> Shut down the template.
> Start a qube based on the template and check that "code" works.

Yes, this is what I am trying to do.
I downloaded the .rpm file from my personal VM, then I copied this file 
into the fedora template. The problem is I don't know where this file is now 
because in the fedora template I don't have a file manager.
I tried executing 'sudo dnf install .rpm' with the appropriate name in the 
fedora template terminal but it doesn't find the file.



Re: [qubes-users] Re: How install visual studio code on the template Fedora ?

2017-02-14 Thread Unman
On Tue, Feb 14, 2017 at 12:03:01PM -0800, codeur4l...@gmail.com wrote:
> I really need to know how to install software.
> It is obscure to me and the qubes documentation didn't give me the solution.
> Nobody has an idea?
> 

What is it that you do not understand? The page you reference provides
absolutely explicit instructions.
Is there anything unclear on this page?
www.qubes-os.org/doc/software-update-vm/

You should install software into a templateVM, and then it will be
available in all qubes based on that template.

So choose your template - Debian or Fedora.
Download the code for the Template you chose, as instructed on that page.
Then copy the downloaded file to your template.
Run the appropriate command(s) in the template.

Shut down the template.
Start a qube based on the template and check that "code" works.






[qubes-users] How to safely use Wireshark in Qubes?

2017-02-14 Thread turboacan
Sys-net app or make standalone fedora minimal template?

Subj.



[qubes-users] HCL - Lenovo T460s [20FAS0AE00]

2017-02-14 Thread Others call me jean
Works very well!

For NVMe installation you need the workaround from:
https://github.com/QubesOS/qubes-issues/issues/2381

With the unstable kernel (currently 4.8.12) it works more stably.

The DisplayPort has some problem and the system crashes regularly on plug-in. 
HDMI works.



[qubes-users] Amnesic QubesOS

2017-02-14 Thread pri aif
Would this work?

Install Qubes onto a USB drive, then boot up, set up all VMs, update everything and 
power off; then plug a write blocker between the USB drive and the USB port, boot up, and 
once done turn off, and no write changes to the USB drive have been made?
Only ever boot without the write blocker to install updates, preferably from a 
different network only ever used for updates.
Could this be a workaround to the last thing Tails is superior in (amnesia)?



Re: [qubes-users] trying to remove old template but getting error

2017-02-14 Thread Gaiko
On Tuesday, February 14, 2017 at 7:11:19 AM UTC-5, Unman wrote:
> On Mon, Feb 13, 2017 at 05:26:07PM -0800, Gaiko wrote:
> > On Monday, February 13, 2017 at 8:06:43 PM UTC-5, Unman wrote:
> > > On Mon, Feb 13, 2017 at 04:53:24PM -0800, Gaiko wrote:
> > > > I installed the fedora24 template using
> > > > 
> > > > sudo qubes-dom0-update qubes-template-fedora-24
> > > > 
> > > > Then changed all put then went to global settings, changed the default 
> > > > template, then went into the vm manager and changed the default 
> > > > template for each of the VMs (it's a fresh install so there was just 
> > > > vault, personal, untrusted, and work) but not the sys-net, 
> > > > sys-firewall, as I had it in my head that was a done deal via global 
> > > > settings.
> > > > 
> > > > Anyway, then ran
> > > > 
> > > > qvm-create-default-dvm --default-template
> > > > 
> > > > then
> > > > 
> > > > sudo dnf remove qubes-template-fedora-23
> > > > 
> > > > but with the last command I got an error:
> > > > no match for argument: qubes-template-fedora-23
> > > > Error:no packages marked for removal.
> > > > 
> > > > I then looked for other posts and found this 
> > > > (https://groups.google.com/forum/#!searchin/qubes-users/no$20match$20for$20argument$3A$20qubes-template-fedora-23$20Error$3Ano$20packages$20marked$20for$20removal.%7Csort:relevance/qubes-users/v7Svq_KS5us/Xej8hMQICAAJ)
> > > >  but there he had mod'd the qubes.xml file and in that file on my comp 
> > > > I noticed there was not an entry for fedora-24 so I was hesitant to go 
> > > > any further.
> > > > 
> > > > So, fedora-23 template files are still in  
> > > > /var/lib/vm-templates/fedora-23
> > > > and fedora-23 is still showing up in the VM Manager (indicating it 
> > > > needs updates no less). Fedora 24 is also showing up in the VM Manager, 
> > > > and everything *seems* ok with it except it wasn't in the qubes.xml 
> > > > file which i wasn't sure about... 
> > > > 
> > > > Thoughts?
> > > > 
> > > 
> > > Try 'sudo dnf list installed |grep template'
> > > to check the status with dnf.
> > > 
> > > Also try qvm-remove qubes-template-fedora-23
> > 
> > Thx for the reply.
> > 
> > Tried both, it seems Fedora23 isn't showing up as being installed. When I 
> > grep'd the dnf list command the other (including fed24) templates showed up 
> > but not f23. When I tried 
> > 
> > qvm-remove qubes-template-fedora-23
> > 
> > it told me
> > 
> > A VM with the name qubes-template-fedora-23 does not exist in the system
> > 
> > I thought to take a look in the /var/lib/qubes/vm-templates/fedora23 dir 
> > and noticed (du -sh) that there is only 22M of stuff there... so I guess 
> > the main files (sorry I don't know the exact files but I figure it would be 
> > bigger if f23 was still there) aren't there... but the VM manager thinks 
> > F23 is, and the qubes.xml is still something I am not sure about.
> > 
> > further thoughts?
> > 
> 
> Look at www.qubes-os.org/doc/remove-vm-manually

That got it, thanks! (I guess the qubes.xml is a non-issue?)



Re: [qubes-users] Ad-blocking ProxyVM?

2017-02-14 Thread Joe Ruether
On Monday, February 13, 2017 at 9:35:52 PM UTC-5, Joe Ruether wrote:
> Ok, I need to simplify this. I need help, I don't know what I am missing. Is 
> anyone able to recreate the following netcat test?
> 
> I cannot seem to get the DNAT portion of the iptables to work at all. Here is 
> a very simple test:
> 
> On the proxyvm, I use the following rules to redirect port 5353 to localhost, 
> and allow the connection:
> 
> iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT 
> --to-destination 127.0.0.1
> iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT
> 
> Then, on the proxyvm, I run the following command to listen on that port (no 
> other service is running on that port):
> 
> nc -l -p 5353
> 
> Finally, on the AppVM, I run the following command:
> 
> nc 10.137.4.1 5353
> 
> My expectation is that the two netcats will connect, however they don't. What 
> do I need to do to get my AppVM to talk to my ProxyVM? Thanks

Well, I feel like a fool, I finally figured it out. I realized the DNAT rules 
aren't necessary at all, so all I needed was this:

iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT

Of course I overcomplicated such a simple problem... I learned a bunch about 
iptables though.

I also have the PiHole adblocker working now. In case anyone stumbles onto this 
thread trying to do the same thing, the final trick was to add the Qubes vif 
interfaces to a dnsmasq config file so it would listen on them.



[qubes-users] configuration files for distribution via salt

2017-02-14 Thread john.david.r.smith

hi.
when configuring minions with salt, you sometimes need some config files (e.g. 
wifi config stored in /rw/config/NM-system-connections/, ssh credentials, etc).
you have to get this data from somewhere and distribute it via salt.
there are multiple possibilities:

1)
creating some config-vm (it is highly trusted).
this vm stores the files.
now you can do either of these.
1.1)
  salt now uses some custom command (it is not that hard to write) to copy the 
files from config-vm to the target-vm.
  this happens during dom0 config.
1.2)
  you add some service that allows the target-vm to receive the files from your 
config-vm.
  once target-vm is started and it noticed it needs config files, it can 
request them (you can restrict the access via a policy so target-vm can only 
access the files it is supposed to)

2)
store the data in dom0
2.1)
  store the data as files and distribute them via file.managed / file.recurse
2.2)
  store the data as pillar and distribute them via salt

pros/cons
1)
- you have an extra vm.
+ all data flow / attack surfaces are clear
1.1)
  - you need the command (not that bad)
  - it happens during dom0 config and not when the vm is configured (not that 
bad, but i don't like it)
1.2)
  - you need to add the service (not that bad)
  - you now also need to manage the service policy files (now you have the 
configuration for target-vm in config-vm, the sls files and policy files)
  - how does target-vm know when the config files are changed?

2)
- you copy data INTO DOM0!
+ no extra vm
2.1)
  + you configure the vm during its own salt configuration phase
  + requires no additional stuff (only salt and a folder containing the files)
  - THE DATA IS COPIED TO EVERY MANAGEMENT VM! (maybe you can somehow prevent 
this, but i don't think this is currently possible.)
2.2)
  - pillars are not really able to handle files / directory trees (you could 
paste the content of some file into a pillar variable and write it to a 
file using salt (this does not work well for non-text files))
  + pillars are supposed to be the place where you store (sensitive) minion 
specific configuration
  + the data is only available in the specific minion
  ? i don't know whether all pillar data is copied to the management vm (but i 
guess so)

in both cases (1 and 2) you may end up copying some data from a less trusted vm 
to a more trusted domain, since you need to populate the initial config data 
(maybe your config data includes some certificate used by your vpn provider).
this is something you are not supposed to do, but if you never use 
(execute/view/change...) the data in the higher trusted domain, everything 
should be fine (please correct me if I am wrong).
in this case it should not be too bad to store the data in dom0.

my preferred option would be 2.1 if we could fix the problem of all data being 
copied to each management vm.
how big the problem is, depends on the attack surface exposed by the management 
vm to the target-vm (does anyone know this?).
also this could be fixed by not copying all data to the management vm (is this 
even done?). this would probably require some modification of the qubesctl tool.


so my questions would be:
a) do you have other ideas on how to distribute config files?
b) how do you solve this problem?
c) what do you think is the best method to distribute the files?
d) are there any other problems/advantages of some approach i did not mention?
e) what is the attack surface exposed by the management vm to the target-vm?
f) does qubesctl always copy all files/pillars to the management-vm and what 
would we need to do to change this? (also how would we decide what files are 
copied to the management-vm (since we don't want to render the files using 
minion data in dom0)
g) is there some security risk of copying files from a less trusted vm to a 
more trusted domain if the files are never used (are only copied/stored)?

- John
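A concrete shape for option 1.2 above, as an added example that is neither the poster's code nor part of Qubes: a hypothetical qrexec service `my.GetConfig` installed in config-vm, which hands a client VM a file from that VM's own directory and nothing else, plus the policy line that limits who may call it. The service name, the `/srv/vm-config/<vm>/<file>` layout and the one-line request protocol are assumptions; `QREXEC_REMOTE_DOMAIN` is the variable qrexec sets to the caller's name.

```shell
#!/bin/sh
# Added example for option 1.2 (not from the post or from Qubes itself): a
# hypothetical qrexec service "my.GetConfig" installed in config-vm as
# /etc/qubes-rpc/my.GetConfig. The calling VM sends one line, the file name
# it wants; qrexec identifies the caller through QREXEC_REMOTE_DOMAIN. Files
# live in one directory per client VM (assumed layout /srv/vm-config/<vm>/),
# so a VM can only ever read its own directory whatever name it sends.
#
# Matching policy line in dom0 (R3.2 format, /etc/qubes-rpc/policy/my.GetConfig):
#   target-vm  config-vm  allow
# so only target-vm may call the service, and only against config-vm.

CONFIG_ROOT="${CONFIG_ROOT:-/srv/vm-config}"

# Accept only a flat file name: non-empty, no slash, not starting with "." or
# "-", and limited to a safe character set. This is what rules out "../".
valid_name() {
    case "$1" in
        ''|*/*|.*|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# serve_config <remote-vm> <file-name>: print the file to stdout, or print
# nothing and return non-zero when the request is not allowed.
serve_config() {
    remote="$1"
    name="$2"
    valid_name "$remote" || return 2
    valid_name "$name" || return 2
    path="$CONFIG_ROOT/$remote/$name"
    # Regular files only; a symlink planted in the tree is refused as well.
    if [ ! -f "$path" ] || [ -L "$path" ]; then
        return 3
    fi
    cat -- "$path"
}

# Entry point when invoked by qrexec (the agent sets QREXEC_REMOTE_DOMAIN);
# the requested name is the first line the client writes to the service.
if [ -n "${QREXEC_REMOTE_DOMAIN:-}" ]; then
    IFS= read -r requested
    serve_config "$QREXEC_REMOTE_DOMAIN" "$requested"
fi
```

From target-vm the request is then `echo vpn.conf | qrexec-client-vm config-vm my.GetConfig > /rw/config/vpn.conf`, and the policy decides whether that call is ever delivered.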



[qubes-users] HCL - 20H2S00700

2017-02-14 Thread Vincent Wiemann
This device is an i7 Lenovo E470.
Intel graphics card needs newer kernel (from unstable repo)...
GeForce graphics not supported by nouveau yet. Official NVIDIA driver
fails with memory allocation error under Xen; see also
https://devtalk.nvidia.com/default/topic/691565/linux/geforce-driver-problem-on-centos-6-4-with-xen-installed
(even with IGNORE_XEN_PRESENCE-flag set etc.)
Installation only possible with VNC as text installation mode doesn't
prompt for encryption password.
Sleep mode sometimes freezes the device.




Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-14 Thread Jarle Thorsen
> Unman:
> > I suggest you read the docs:
> > www.qubes-os.org/doc/firewall  has a section on allowing traffic in to
> > qubes.
> 
> Thank you for the link. It provided a good foundation.
> 
> > But this may not be what you want. It reads as if you want to have
> > sys-net operating as a router. You can do this quite simply by changing
> > the iptables configuration and using proxy arp to make sure that the
> > external network sees the qubes behind the router.
> > Alternatively you could use the netvm as a gateway to the network of
> > qubes, and make sure that THAT route is propagated on your internal
> > network.
> 
> Thank you, it seems like using proxy arp is the way to go for me. That way I 
> can still use a dynamic address for my NetVM.

I'm getting back to this thread, still haven't got everything working:

My NetVM is connected to a local network 10.0.0.0/16, and gets a dynamic IP via 
DHCP.

AppVMs connect directly to the NetVM, without any firewall, and all firewall 
rules have been removed from the NetVM.

All networking is now working fine, both between AppVMs and from AppVMs and 
into the 10.0.0.0/16 network.

Now I need to have the AppVMs available from the 10.0.0.0/16 network...

Where do I need to enable proxy_arp to make this happen? Only on the NetVM 
interface connected to the 10.0.0.0/16 network, or also on the vif interfaces 
on the NetVM, or in the AppVMs as well?
