Re: [qubes-users] Could use some help with my iptables configuration

2019-11-24 Thread Frank Schäckermann
> On 11/23/19 9:33 AM, swisspal...@firemail.cc wrote:
>> Hello,
>> I want to achieve the following:
>> sys-net should only be accessible by sys-firewall and sys-firewall should 
>> only be accessible by sys-whonix.
>> No AppVM should be able to connect to the internet if I set sys-net or 
>> sys-firewall as NetVM. Internet access should only be possible via 
>> sys-whonix.
>> What I tried so far is:
>> I flushed the INPUT chain on sys-net and applied these 2 commands
>> sudo iptables -I INPUT -i vif5.0 -s 10.137.0.6 -j ACCEPT
>> (10.137.0.6) is the IP of sys-firewall
>> sudo iptables -I INPUT -i vif5.0 -j DROP
>> This configuration already kind of works. If I create a new AppVM and 
>> connect it to sys-net then I can not even ping sys-net anymore.
>> But then I noticed that another vif interface on sys-net came up as soon as 
>> I connected the new AppVM. This is confusing me as I'm afraid that that 
>> could lead to potential leaks in the future.
>> I am unsure how I should proceed with the configuration of this setup. I 
>> don't know much about networking and especially because it is on Qubes it's 
>> a bit more difficult to be sure of how things work.
>> I presume that I probably should make a specific NAT rule but I really have 
>> no clue.
>> What I also don't understand is:
>> - Are the IPs that are assigned to the VMs static or do they change over 
>> time? If they change, can I make them static?
> 
> IIRC they're dynamic.
> 
>> - Will the flushing of a chain in a fresh VM interfere with the 
>> functionality of the VM? I saw QBS-Forwarding rules and so on. I guess it's 
>> not a good idea to delete those.
> 
> QBS-Forwarding will stomp over what you try to add there. It's managed by 
> Qubes. However, it exists in order to allow FORWARD to be user-managed.
> 
> One way to do it might be to allow only one downstream vif in sys-firewall: 
> Add a general eth0 block on top of the FORWARD chain. Then, have a script 
> that waits for the first vif to appear; when it does, add FORWARD rule to 
> allow it, then exit the script.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

The way I understood it is that the number of the interface vifX.Y is dynamic, 
but the IP address gets assigned on AppVM creation (and stored in the VM's 
preferences - see qvm-prefs), so you can consider it static for the VM's 
lifetime. Therefore if you do

sudo iptables -I INPUT -i vif* -s 10.137.0.6 -j ACCEPT
sudo iptables -I INPUT -i vif* -j DROP

(not sure if vif* is the right syntax, but there is some way to use wildcards 
for the interface name)

you should be okay. But you also need to put these commands into the qubes 
firewall script in /rw/config to make sure the rules get re-inserted when a new 
AppVM connects to sys-net and Qubes regenerates all the iptables rules to 
include the newly created interface.

Frank

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/A59F6D5E-A6F3-47D3-A5AA-DBCB80660041%40schaeckermann.net.
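An added example, not code from the thread, of the persistent rule script Frank describes: a /rw/config/qubes-firewall-user-script for sys-net that admits only sys-firewall (10.137.0.6, the address used in the thread) on the downstream vif interfaces. It uses iptables' real prefix wildcard (`vif+`; `vif*` is not iptables syntax and would also be shell-globbed), and applies the same pair to FORWARD as well as INPUT, since INPUT only governs packets addressed to sys-net itself while traffic routed out through sys-net traverses FORWARD. Assumed: Qubes re-runs this hook whenever it regenerates the VM's rules; the UPSTREAM_IP and IPT knobs and the "show" argument are this example's own, not Qubes'.

```shell
#!/bin/sh
# Added example for /rw/config/qubes-firewall-user-script in sys-net (not from
# the thread): only the permitted upstream proxy VM (sys-firewall) may talk to,
# or route through, sys-net over its downstream vif interfaces.
# Assumptions: Qubes runs this hook every time it regenerates the VM's rules,
# so the rules come back when a new AppVM attaches and a fresh vifX.Y appears;
# the UPSTREAM_IP/IPT environment knobs are this example's, not Qubes'.
set -eu

UPSTREAM_IP="${UPSTREAM_IP:-10.137.0.6}"   # sys-firewall's address (qvm-prefs)
IPT="${IPT:-iptables}"                     # IPT=echo gives a dry run

# Emit the rules, one per line, as "<chain> <match and target>" without the -I.
# Each line is inserted at the top of its chain, so the ACCEPT (emitted last)
# ends up above the DROP. vif+ is iptables' prefix wildcard: any vifX.Y.
rule_cmds() {
    for chain in INPUT FORWARD; do
        printf '%s -i vif+ -j DROP\n' "$chain"
        printf '%s -i vif+ -s %s -j ACCEPT\n' "$chain" "$1"
    done
}

# Reject anything that is not a dotted quad, so a bad UPSTREAM_IP can never
# turn into extra iptables arguments.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Insert each rule unless an identical one is already present (-C), so that
# repeated hook runs do not stack duplicates.
apply_rules() {
    valid_ipv4 "$1" || { echo "refusing bad upstream IP: $1" >&2; return 1; }
    rule_cmds "$1" | while read -r chain rest; do
        # $rest is deliberately unquoted: it must split into separate arguments
        $IPT -C "$chain" $rest 2>/dev/null || $IPT -I "$chain" $rest
    done
}

# Entry point. Qubes calls the hook with no arguments; "show" only prints the
# rules, which is handy for checking them before enabling the script. Rules
# are applied only where iptables is present and usable (root in sys-net).
if [ "${1:-}" = show ]; then
    rule_cmds "$UPSTREAM_IP"
elif "$IPT" -S INPUT >/dev/null 2>&1; then
    apply_rules "$UPSTREAM_IP"
else
    echo "cannot run $IPT here; no rules applied" >&2
fi
```

Run it once with `show` to eyeball the four rules, then `iptables -S INPUT` and `iptables -S FORWARD` in sys-net after attaching a new AppVM to confirm they sit above the Qubes-generated jumps.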


Re: [qubes-users] Is PXE or iPXE or gPXE booting from a HVM possible?

2019-11-20 Thread Frank Schäckermann
On Sunday, March 30, 2014 at 12:32:01 AM UTC+1, Rob Townley wrote:
>
> On Sat, Mar 29, 2014 at 10:23 AM, Marek Marczykowski-Górecki <
> marm...@invisiblethingslab.com > wrote:
>
>> On 29.03.2014 00:38, Rob Townley wrote:
>> > HVM with netboot.me.ISO and do CTRL-B to get the gPXE menu and run config
>> > to set a static network configuration, but still immediately fails.
>> >
>> > iPXE.iso gave much better errors and provides URLs to errors.  Their
>> > website says the best error information is from ifstat after doing
>> > ifconf like so:
>> >
>> >  CTRL-B to get into iPXE menu:
>> >
>> > iPXE> ifconf -c dhcp net0
>> > iPXE> ifstat
>> >
>> >  [RXE:  8 x "Operation not supported (http://ipxe.org/3c086003)"]
>> >
>> > Which means 8 error packets/frames were received.
>> > I did not find any bridges in the netvm nor firewallvm so I imagine I have
>> > to add a bridge from the netvm to the HVM or something so that PXE can talk
>> > ethernet directly to the PXE/TFTP/NFS servers.  Incidentally, iPXE says to
>> > set the delay to zero with brctl setfd br0 0 like
>> > http://ipxe.org/err/4c1060 indicates.  Alternatives?
>>
>> I'm afraid it isn't that simple... DHCP server for HVM is provided by device
>> model stubdomain and it is very simple, featureless and not configurable.
>> Especially it doesn't have any way to provide TFTP server address and
>> boot path.
>> But if you can set those parameters manually from iPXE cmdline it should
>> work.
>> IP address and gateway still can be obtained via DHCP.
>>
>> > Is there a howto anywhere on PXE booting a HVM from within Qubes-OS?
>> > Google does not come up with much when searching for qubes and PXE.
>> > PXE is not mentioned on qubes-os.org at all.
>>
>> --
>> Best Regards,
>> Marek Marczykowski-Górecki
>> Invisible Things Lab
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>>
> iPXE lets me boot up from http://boot.ipxe.org/boot/demo.php 
> (which is an #!ipxe script) over the 
> internet that boots a small version of Linux.  Still having no luck with 
> traditional tftp boot as I cannot get dhcp to work from within the HVM.  
> Have to set IP configuration manually, but it still does not work.  The 
> iPXE website documents how to put network bootable images on a webserver 
> and iPXE boot via http instead of tftp.  Turning off tftp altogether is 
> more secure anyway.  
> 1.) Download http://boot.ipxe.org/ipxe.iso and copy it to an always 
> running vm such as netvm.
> 2.) Create a HVM and add the ipxe.iso as a cdrom / harddrive.  No firmware 
> flashing required.
> 3.) Get ready to press CTRL-B to get into the iPXE menu.
> 4.) Get a network address by _one_ of the following three ways:
>
> A. iPXE> ifconf -c dhcp net0
>
> B. iPXE> config
>
> C. iPXE> ifopen net0
>    iPXE> set net0/ip <ip assigned in Qubes Manager>
>    iPXE> set net0/netmask 255.255.255.0
>    iPXE> set net0/gateway <gateway assigned in Qubes Manager>
>    iPXE> set dns
>
> 5.) chain http://boot.ipxe.org/demo/boot.php
> 6.) You should see it download a bootable image and log you in as root.  
> Not much can be done because it does not have an ethernet interface, but it 
> does show iPXE booting is possible.  If anyone knows how to get this to see 
> a usable network interface, I would love to know. 
>
> p.s. I am really happy with how iPXE has organized their website for easy 
> documentation.  Error messages are ipxe.org/ERRORNUM.   Commands are 
> under http://ipxe.org/cmd/ ...
>
>
 
I know this is a very old post, but I have a couple of HVMs that I need to 
boot over the network to test an automated installation process.

Has anybody successfully done the above on Qubes OS 4.0?

I can get the HVM to boot the iPXE.iso and get into iPXE's command line and 
it sees the net0 interface that Xen provides, but I cannot get it to see 
any other computer on the network. Going through the configuration using 
possibility C from above I can get ifstat to report the interface being up, 
but no DNS lookup or ping goes anywhere and neither does any chain command.

I can't see anything coming into the firewall vm the HVM is connected to.

Is there any way for me to debug what is happening in the stubdomain since 
I suspect that something goes wrong there. Are there any logs I could check?

Thanks for any assistance!

Frank

Re: [qubes-users] Ubuntu templates

2018-10-26 Thread Frank Schäckermann



> On 26. Oct 2018, at 13:21, unman unman-at-thirdeyesecurity.org wrote:
> 
>> On Thu, Oct 25, 2018 at 02:58:51PM +0100, unman wrote:
>>> On Thu, Oct 25, 2018 at 02:03:02PM +0200, Frank Schäckermann wrote:
>>> Hi unman!
>>> 
>>> I am trying to build the bionic template for Qubes 3.2 and the “make 
>>> qubes-vm” works fine after adding the “Build-Depends: dephelper” to the 
>>> control file of meta-packages.
>>> 
>>> But the “make template” fails with
>>> 
>>> E: Couldn’t find these debs: apt-transport-https
>>> make[1]: *** [Makefile:63: rootimg-build] Error 1
>>> 
>>> Any idea what is going wrong here?
>>> 
>>> Regards, Frank
>>> 
>>>> On 8. Oct 2018, at 16:28, unman unman-at-thirdeyesecurity.org wrote:
>>>> 
>>>> It's now straight forward to build templates for bionic as well as xenial,
>>>> using qubes-builder.
>>>> 
>>>> If you want to try them out before building, I've uploaded freshly built
>>>> templates for 4.0, including a fairly hefty xenial-desktop template.
>>>> You can find details at https://qubes.3isec.org 
>>>> 
>>>> Updated packages are available from the repositories there, if you
>>>> already have a working template.
>>>> 
>>>> unman
>> 
>> Hi Frank
>> 
>> That package is in bionic repositories for sure.
>> I'll run a 3.2 and see if I encounter any problems, and get back to you.
>> 
>> unman
> 
> I see the problem.
> The package isn't in main but in universal.
> Adding universal to the debootstrap options isn't enough because then the
> install fails because the Qubes package repos put all files in main.
> I'll work up a fix and put in a PR.
> I'll post back here too with the details to save you time.
> 
> unman
> 

Great! Thanks!



Re: [qubes-users] Ubuntu templates

2018-10-25 Thread Frank Schäckermann
Hi unman!

I am trying to build the bionic template for Qubes 3.2 and the “make qubes-vm” 
works fine after adding the “Build-Depends: dephelper” to the control file of 
meta-packages.

But the “make template” fails with

E: Couldn’t find these debs: apt-transport-https
make[1]: *** [Makefile:63: rootimg-build] Error 1

Any idea what is going wrong here?

Regards, Frank

> On 8. Oct 2018, at 16:28, unman unman-at-thirdeyesecurity.org wrote:
> 
> It's now straight forward to build templates for bionic as well as xenial,
> using qubes-builder.
> 
> If you want to try them out before building, I've uploaded freshly built
> templates for 4.0, including a fairly hefty xenial-desktop template.
> You can find details at https://qubes.3isec.org 
> 
> Updated packages are available from the repositories there, if you
> already have a working template.
> 
> unman
> 



[qubes-users] Re: (Qubes OS 4.0) Anyone that built a Ubuntu Xenial template successfully?

2018-05-01 Thread Frank Schäckermann
On Wednesday, April 18, 2018 at 10:00:19 PM UTC+2, Christoffer Lilja wrote:
> I've tried to build a Ubuntu Xenial template on Qubes OS 4.0 but I get this 
> error:
> dpkg-source: info: using options from core-agent-linux/debian/source/options: 
> --extend-diff-ignore=(^|/)(.git/.*)$ --extend-diff-ignore=(^|/)(deb/.*)$ 
> --extend-diff-ignore=(^|/)(pkgs/.*)$ --extend-diff-ignore=(^|/)(rpm/.*)$
> dpkg-source: info: using source format '3.0 (quilt)'
> dpkg-source: info: building qubes-core-agent using existing 
> ./qubes-core-agent_4.0.24.orig.tar.gz
> dpkg-source: warning: executable mode 0775 of 'qubes-rpc/qvm-open-in-dvm' 
> will not be represented in diff
> dpkg-source: info: local changes detected, the modified files are:
>  core-agent-linux/qubes-rpc/qvm-open-in-dvm
> dpkg-source: error: aborting due to unexpected upstream changes, see 
> /tmp/qubes-core-agent_4.0.24-1+xenialu1.diff.raLTJa
> dpkg-source: info: you can integrate the local changes with dpkg-source 
> --commit
> dpkg-buildpackage: error: dpkg-source -b core-agent-linux gave error exit 
> status 2
> make[2]: *** 
> [/home/user/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:215: 
> dist-package] Error 2
> make[1]: *** [Makefile.generic:166: packages] Error 1
> make: *** [Makefile:212: core-agent-linux-vm] Error 1
> 
> Does someone know how to solve this?


The same error happens for Qubes OS 3.2! Thus I can't build the latest qubes 
deb files for my xenial template, which is now running with more and more old 
versions of core-agent etc. :-(

I wish I knew how to fix it... I tried the suggested "dpkg-source --commit" in 
various places but to no avail, and I don't understand the build process well 
enough to figure out what EXACTLY is going wrong here.



Re: [qubes-users] Reminder: Ubuntu-template anyone?

2016-07-11 Thread Frank Schäckermann
On Tuesday, June 21, 2016 at 1:30:46 AM UTC+2, Unman wrote:
> On Sat, Jun 18, 2016 at 12:39:00AM +0200, Marek Marczykowski-Górecki wrote:
> > On Fri, Jun 17, 2016 at 11:23:42PM +0100, Unman wrote:
> > > On Fri, Jun 17, 2016 at 09:33:47PM +0200, Marek Marczykowski-Górecki 
> > > wrote:
> > > > On Fri, Jun 17, 2016 at 09:29:19PM +0200, Achim Patzner wrote:
> > > > > Am 10.06.2016 um 23:30 schrieb Unman:
> > > > > 
> > > > > >> Has anybody had success getting a Ubuntu template compiled? Even 
> > > > > >> at 16.04?
> > > > > > If you mean "at all", then some months back I built a 14.04. Haven't
> > > > > > tried anything more recent.
> > > > > 
> > > > > Right now I'm not able to even compile it even after getting a fresh
> > > > > building environment... I guess I'll have to get some more exercise,
> > > > > then, unless someone is generating a working setup.
> > > > 
> > > > I think currently builder-debian support at most vivid. But it shouldn't
> > > > be hard to add anything newer.
> > > 
> > > It isn't.
> > > Last night I built Xenial - I'll put in a PR today, 

Has this happened? I'd like to build a 16.04 template, but the Qubes Builder in 
the official QubesOS repository does not offer Xenial - neither does the one in 
Marek's repository...

Regards, Frank

> > 
> > How have you solved problem with /etc/xdg/Trolltech.conf conflict?
> 
> Put the Qubes one in ~/.config and in skel.
> I think that should work ok generally, except for switching VM to xenial
> template. Then it's just ordinary Trolltech.conf troubles.
> 
> > 
> > > although there's
> > > some stuff that needs tidying up - why don't the versions share the same
> > > keyring? 
> > 
> > If Canonical decides to change the key, to be able to support that.
> > But if the keyring is the same for now, it can be symlinked.
> > 
> > > Why identical package lists? 
> > 
> > Actually, for Xenial you'll probably need slightly different package
> > list, as there is no linux-firmware-nonfree package anymore.
> 
> Yes, but most of the others are just copies
> 
> > But if it turns out to be the same, it can be symlinked. The same
> > applies to appmenus.
> > 
> > > Looks like a fair bit of
> > > duplication for reasons that escape me.
> > > 
> > > Also, is there a need to retain the old versions? My preference would be
> > > to just have LTS. Thoughts on this?
> > 
> > Yes, good idea. Or maybe two of them - latest LTS and latest release in
> > general.
> 
> I'll clean this up if that's ok.
> > 
> > -- 
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?



Re: [qubes-users] How to switch VM network on and off?

2016-07-08 Thread Frank Schäckermann


> On 08.07.2016, at 22:40, 193084'1093284'0193284'0943218 
> kersten.vogel-at-gmail.com wrote:
> 
> Hello,
> 
> many apps "call home"...
> and mostly I need some internet services directly from one app only 
> occasionally.
> 
> On a standard PC I solve this quite simply: the HW firewall hotspot requires a 
> logon.
> 
> So as long as I don't log on to my firewall, no app can access the internet.
> 
> Now under Qubes, I work much more in multi-tasking mode.
> 
> Some VMs are online and others should be offline at the same time.
> 
> But how can I switch the network of only one VM specifically on and off 
> (without destroying the advanced network topology inside Qubes)?
> 
> As a workaround I can:
> 
> i) disable the network in the QM (but later I must remember the old settings 
> - with this process, the usability security will not be too high).
> 
> ii) switch the whole connection to the internet on and off (via the 
> KDE menu).
> But again, before I switch it on again, I must collect all open windows and 
> screen the VMs which might still run in the background, and so the usability 
> security might be poor.
> 
> Is there a simple way?

How about using the firewall settings that each and every AppVM has its own 
set of (if it is connected to a proxyVM other than Whonix GW).

Right-click AppVM in Qubes Manager -> Edit Firewall Settings -> select "Deny 
everything except" and leave the exception list empty, click OK.

Effective immediately and no reboot required.

Regards, Frank

> 
> Kind Regards
> 
> 
> 
