Re: [qubes-users] Re: Is it possible to build any BSD template on QubesOS?

2022-06-07 Thread J Holsapple
Yeah, a more integrated BSD OS would be nice. Something like Windows tools. 
The only GUI I'd be interested in, though, is macOS.

In this case, I'm just running the cli and using the webapp for management. 
Sure, it's an HVM and is more isolated and more resource-hungry. Yet it's a 
lot like my stand-alone pfSense box. It just works. And over the months 
I've gone back to my integration guide/script and refined it.

Keep in mind that I answered the OP's question for the use case where "any" 
means an HVM with a CLI and using a webapp for "GUI" management. The 
integration guide/script is optional for people wanting to replicate my 
implementation of pfSense/OPNsense.

BTW, could you expound a little on your concern for xnf(4) (netfront) and 
xbf(4) (blkfront) drivers? Or point me to a reference? I wish to better 
understand your concern for threat vectors.

On Tuesday, May 17, 2022 at 1:35:52 PM UTC-4 Demi Marie Obenour wrote:

> On Sun, May 08, 2022 at 08:01:08PM -0700, J Holsapple wrote:
> > I have pfSense (BSD) installed, and working fine for over 6 mos now, as 
> my 
> > network IDPS on the external interface. Went OCD and created a complete 
> > installation guide and integration script.
> > It's a bit long and detailed but it works like a charm:
> > https://github.com/jcholsap/freemod/issues/1#issue-1016495279
>
> I managed to get an OpenBSD template sort of working a while back. I
> was able to get networking and storage to work, and X11 worked via
> emulated VGA, but I ultimately gave up because of some clashes on the
> OpenBSD mailing lists. A proper integration would require substantial
> additions to the OpenBSD kernel:
>
> - nullfs (BSD version of bind mounts) for /home and /usr/local. The
> workaround (a loopback NFS mount) is not something I would be okay
> with for production use.
> - Hardened xnf(4) (netfront) and xbf(4) (blkfront) drivers. The current
> drivers are not safe in the presence of malicious backends.
> - Userspace access to Xen event channels and grant tables, so that
> libvchan and gui-agent can work.
>
> Additionally, a Xen-aware bootloader would be needed if booting other
> than in HVM mode is desired.
> -- 
> Sincerely,
> Demi Marie Obenour (she/her/hers)
> Invisible Things Lab
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4aab4e5d-c2e1-41dd-9d63-e9c3f04ffce4n%40googlegroups.com.


[qubes-users] Re: Is it possible to build any BSD template on QubesOS?

2022-05-09 Thread J Holsapple
I have pfSense (BSD) installed, and working fine for over 6 mos now, as my 
network IDPS on the external interface. Went OCD and created a complete 
installation guide and integration script.
It's a bit long and detailed but it works like a charm:
https://github.com/jcholsap/freemod/issues/1#issue-1016495279


On Thursday, May 14, 2020 at 12:57:00 PM UTC-4 onelov...@tuta.io wrote:

> Hello, Qubes Community.
>
> In PVH mode like Fedora-31 or Debian-10. 
> Is the Qubes-builder capable of this?
>
> I once did it on version 3.1, but now this is no longer relevant. 
> https://www.qubes-os.org/doc/netbsd/
> and I could only get there through "xl console"
>
>
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a9f959f-1e1b-4e82-904d-d433799c2b26n%40googlegroups.com.


Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet

2022-05-09 Thread J Holsapple
Don't know if this helps, but since October 2021 I've been using pfSense 
without any problems. I created an installation guide and script to 
automate the integration.
https://github.com/jcholsap/freemod/issues/1#issue-1016495279

On Friday, July 30, 2021 at 9:40:06 AM UTC-4 unman wrote:

> On Mon, Jul 26, 2021 at 08:09:52AM +, Michael Singer wrote:
> > On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > > On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > >> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > >>
> > >>> On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > >>
> > 
> > >>>> Would you let my Qube, which is supposed to connect to only one IP
> > >>>> address on the internet, be based on an extra firewall-vm? Would that
> > >>>> be more secure?
> > >>
> > >>> You could do this: it would have one particular advantage, in that 
> you
> > >>> could set custom rules in sys-net to restrict access from that
> > >>> sys-firewall to the specified IP address.
> > >>
> > >> Do you have an example of the command line commands you use to set 
> such custom rules in an ordinary debian or fedora sys-net?
> > > 
> > > Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> > > of sys-firewall.
> > > If your new fw has IP 10.137.0.200
> > > and the target is 195.10.223.181
> > > 
> > > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> > > 
> > > Would do it.
> > > Adjust for your case, of course
> > 
> > Many thanks, unman! This is well explained. Allow one more question: How 
> would you do the same if sys-net is based on an OpenBSD template?
> > 
> > Best regards
> > Michael Singer
> > 
>
> openBSD in Qubes - Excellent!
> You would want something like:
> pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443
>

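As an added example (not code from the thread or from the Qubes project), the following models the first-match evaluation of the two nft FORWARD rules in unman's reply and, for comparison, pf's last-match-wins evaluation (when no `quick` keyword is used), so the intended "only TCP/443 to one host" policy can be checked against sample flows before editing sys-net. The two addresses are the ones from the thread; every other address and flow is constructed.

```python
# Added example, not code from the thread: a model of how the FORWARD rules
# in unman's reply are evaluated, so the policy "only HTTPS to one host" can be
# checked against constructed flows before editing sys-net. The two addresses
# are the thread's; 198.51.100.7 is a constructed "other host" (TEST-NET-2).
from collections import namedtuple

Flow = namedtuple("Flow", "saddr daddr proto dport")

def rule(verdict, saddr=None, daddr=None, proto=None, dport=None):
    """A rule is a verdict plus match fields; None means 'match any'."""
    return (verdict, Flow(saddr, daddr, proto, dport))

def matches(pattern, flow):
    return all(p is None or p == f for p, f in zip(pattern, flow))

# nftables: the first matching terminal verdict (accept/drop) decides. This is
# the FORWARD chain after the two "nft insert rule ... index 1/2" commands.
NFT_FORWARD = [
    rule("accept", "10.137.0.200", "195.10.223.181", "tcp", 443),
    rule("drop", "10.137.0.200"),
]

def nft_verdict(chain, flow, policy="accept"):
    for verdict, pattern in chain:
        if matches(pattern, flow):
            return verdict
    return policy                # chain policy when nothing matched

# pf: without "quick" the LAST matching rule wins, so a "pass out" line like
# the one in the thread is normally preceded by a "block" line for the source.
PF_RULES = [
    rule("block", "10.137.0.200"),
    rule("pass", "10.137.0.200", "195.10.223.181", "tcp", 443),
]

def pf_verdict(rules, flow, default="pass"):
    verdict = default
    for v, pattern in rules:
        if matches(pattern, flow):
            verdict = v          # keep scanning: a later match overrides
    return verdict

def check_policy(evaluate, rules, allow, deny):
    """True iff the firewall VM may reach only TCP/443 on the target."""
    ok = Flow("10.137.0.200", "195.10.223.181", "tcp", 443)
    other_host = Flow("10.137.0.200", "198.51.100.7", "tcp", 443)
    other_port = Flow("10.137.0.200", "195.10.223.181", "tcp", 80)
    return (evaluate(rules, ok) == allow and evaluate(rules, other_host) == deny
            and evaluate(rules, other_port) == deny)
```

Reversing either rule list makes `check_policy` fail, which is the ordering mistake this kind of dry run is meant to catch.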
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a19c75b-cc29-475e-955a-05135a048203n%40googlegroups.com.