Re: [qubes-users] Has anyone tried pptp in qubes 4.0?
Unman, I think we need some external iptables rules to route traffic between sys-net and proxy-vm in Qubes.

In proxy VM I use:

iptables -I INPUT -p 47 -s X.X.X.X -j ACCEPT

iptables -t filter -L -n -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
1 0 0 47 * * X.X.X.X 0.0.0.0/0

tcpdump -i eth0/wls6 port 1723 -vvv - on sys-net and proxy-vm shows me traffic between server and host.

So, maybe try to allow all traffic between sys-net and proxy-vm for experiments? Or maybe there is something Qubes specific routing? I don't know. What else can block the connection?

Jun 7, 2020, 18:13 by un...@thirdeyesecurity.org:

> On Sat, Jun 06, 2020 at 08:02:20PM +0200, onelovecisco via qubes-users wrote:
>
>> And I forgot to tell you that pptp doesn't work from sys-net directly either.
>> Do you know why?
>> Journalctl gives me little info, such as "Modem hangs up". So I can't
>> troubleshoot the connection.
>> From another host it works good. Firewall doesn't block 1723 (telnet and
>> ping to server works)
>> Nat_conntrack enabled in fedora template kernel.
>>
>>
>> Jun 6, 2020, 17:51 by un...@thirdeyesecurity.org:
>>
>> > On Thu, Jun 04, 2020 at 08:25:50PM +0200, 0rb via qubes-users wrote:
>> >
>> >> Telnet 1723 port works and I can ping server from
>> >> sys-net/sys-firewall/proxy-vm
>> >> But connection can't be established from proxy-vm. Modem hangs if watch
>> >> journalctl | grep ppptp
>> >>
>> >> [user@sys-net ~]$ lsmod | grep pptp
>> >> nf_nat_pptp 16384 0
>> >> nf_nat_proto_gre 16384 1 nf_nat_pptp
>> >> nf_conntrack_pptp 16384 1 nf_nat_pptp
>> >> nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
>> >> nf_nat 36864 5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
>> >> nf_conntrack 163840 11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT
>> >>
>> >> Can anyone help how to use pptp in QubesOS?
>> >>
>> >> In 2016 Unman says
>> >>
>> >> First you need to allow INBOUND protocol 47:
>> >> On sys-net:
>> >> modprobe ip_conntrack_pptp
>> >> modprobe ip_nat_pptp
>> >> iptables -I FORWARD -p 47 -s -j ACCEPT
>> >>
>> >> On proxyVM:
>> >> iptables -I INPUT -p 47 -s -j ACCEPT
>> >>
>> >> Now, zero the iptables counters, (using -Z), and try to start the vpn.
>> >> You should see the counters incrementing both in sys-net and on the
>> >> vpn proxy.
>> >> If the connection fails look to see if any DROP rules are being
>> >> triggered.
>> >> By default PPTP uses tcp port 1723 so you could put in a rule to log
>> >> that traffic :
>> >> iptables -I FORWARD -p tcp --dport 1723 -j LOG
>> >>
>> >> But it doesn't solve the problem.
>> >>
>> >
>> > 4 year old suggestions will rarely work in Qubes, but the principle is
>> > good.
>> > I don't use pptp myself, but have set this up for various users - a little
>> > more information from your end would be useful.
>> > Where are you trying to set up pptp connection from?
>> > What does your Qubes netvm structure look like?
>> > Have you set up firewall rules to allow INBOUND protocol 47?
>> >
>
> The convention here is not to top-post.
> Please scroll to the bottom of the message before you start typing. Or
> reply inline.
> It only takes you seconds, makes it much easier to follow threads, and
> cumulatively saves your fellow users hours.
>
> Have you allowed inbound proto 47?
> TCP port 1723 is the control connection, but the pptp tunnel is GRE -
> that's PROTOCOL 47
> It might be helpful if you post your firewall rules
>
> unman
--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/M9hhTC7--3-2%40tuta.io.
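
The counter check described in the quoted advice (zero the counters with -Z, start the VPN, then see whether the protocol 47 rule or any DROP rule is being hit), written as an added example that is not part of the thread. The function names and the sample listing (including the address 203.0.113.10) are constructed for illustration; the input is assumed to come from `iptables -L -n -v -x --line-numbers`.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables -L -n -v -x --line-numbers`
# output on stdin and sums the packet counters that matter for PPTP.

pptp_counters() {
    awk '
        $1 == "Chain" {
            # "Chain FORWARD (policy DROP 3 packets, 180 bytes)": policy drops
            if ($4 == "DROP") dropped += $5
            next
        }
        $1 !~ /^[0-9]+$/ { next }      # column header, blank lines
        {
            pkts = $2; target = $4; proto = $5
            if (target == "DROP") { dropped += pkts; next }
            # GRE is IP protocol 47; TCP may be printed as "tcp" or "6"
            if (proto == "47" || proto == "gre") gre += pkts
            if ((proto == "tcp" || proto == "6") && $0 ~ /dpt:1723/) ctrl += pkts
        }
        END { printf "ctrl=%d gre=%d dropped=%d\n", ctrl, gre, dropped }
    '
}

# gre-ok:      packets matched a protocol 47 rule, the tunnel is passing
# gre-missing: only the TCP 1723 control connection was seen
# no-traffic:  neither rule was hit, the VPN attempt never reached this chain
pptp_verdict() {
    pptp_counters | awk -F"[= ]" '{
        if ($4 > 0)      print "gre-ok"
        else if ($2 > 0) print "gre-missing"
        else             print "no-traffic"
    }'
}

# Constructed sample listing; $1 is the packet count on the protocol 47 rule.
sample_forward() {
    cat <<EOF
Chain FORWARD (policy DROP 3 packets, 180 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           9      540 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 LOG flags 0 level 4
2          $1        0 ACCEPT     47   --  *      *       203.0.113.10         0.0.0.0/0
EOF
}

sample_forward 0  | pptp_verdict
sample_forward 25 | pptp_verdict
```

On a live system the listing for the chain being checked is piped into `pptp_verdict` in place of the sample; a `gre-missing` result together with a rising `dropped` count points at the GRE packets being dropped in that VM.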
[qubes-users] Nested Virtualization works on Qubes 4.0 ?
Hi, Qubes Community.

Is it possible to use EVE-NG/GNS3 in template vm?

build xenial template
apt-add-repository "deb [arch=amd64] http://www.eve-ng.net/repo xenial main"
apt-get update && apt-get dist-upgrade

Will it work? Anyone tried?
Re: [qubes-users] Has anyone tried pptp in qubes 4.0?
And I forgot to tell you that pptp doesn't work from sys-net directly either.
Do you know why?
Journalctl gives me little info, such as "Modem hangs up". So I can't troubleshoot the connection.
From another host it works good. Firewall doesn't block 1723 (telnet and ping to server works)
Nat_conntrack enabled in fedora template kernel.

Jun 6, 2020, 17:51 by un...@thirdeyesecurity.org:

> On Thu, Jun 04, 2020 at 08:25:50PM +0200, 0rb via qubes-users wrote:
>
>> Telnet 1723 port works and I can ping server from
>> sys-net/sys-firewall/proxy-vm
>> But connection can't be established from proxy-vm. Modem hangs if watch
>> journalctl | grep ppptp
>>
>> [user@sys-net ~]$ lsmod | grep pptp
>> nf_nat_pptp 16384 0
>> nf_nat_proto_gre 16384 1 nf_nat_pptp
>> nf_conntrack_pptp 16384 1 nf_nat_pptp
>> nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
>> nf_nat 36864 5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
>> nf_conntrack 163840 11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT
>>
>> Can anyone help how to use pptp in QubesOS?
>>
>> In 2016 Unman says
>>
>> First you need to allow INBOUND protocol 47:
>> On sys-net:
>> modprobe ip_conntrack_pptp
>> modprobe ip_nat_pptp
>> iptables -I FORWARD -p 47 -s -j ACCEPT
>>
>> On proxyVM:
>> iptables -I INPUT -p 47 -s -j ACCEPT
>>
>> Now, zero the iptables counters, (using -Z), and try to start the vpn.
>> You should see the counters incrementing both in sys-net and on the
>> vpn proxy.
>> If the connection fails look to see if any DROP rules are being
>> triggered.
>> By default PPTP uses tcp port 1723 so you could put in a rule to log
>> that traffic :
>> iptables -I FORWARD -p tcp --dport 1723 -j LOG
>>
>> But it doesn't solve the problem.
>>
>
> 4 year old suggestions will rarely work in Qubes, but the principle is
> good.
> I don't use pptp myself, but have set this up for various users - a little
> more information from your end would be useful.
> Where are you trying to set up pptp connection from?
> What does your Qubes netvm structure look like?
> Have you set up firewall rules to allow INBOUND protocol 47?
Re: [qubes-users] Has anyone tried pptp in qubes 4.0?
Hi, Unman!

I talk about default scheme.
I know that pptp is insecure, but I need it to test production multicast in corporate networks.

Clean Qubes install.
net-vm - fedora 30,31,32.
firewall-vm - fedora 30,31,32
proxy-vm based on debian-10 template provides network and sys-firewall as netvm (pptp-linux network-manager-pptp network-manager-pptp-gnome packages preinstalled)

For any other Linux distro, for example Ubuntu, it's enough to establish connection and send igmp query over pptp to router.

Can you advise me which full iptables firewall rules I need to enable on sys-firewall vm?

Thank you.

--
Securely sent with Tutanota. Get your own encrypted, ad-free mailbox:
https://tutanota.com

Jun 6, 2020, 17:51 by un...@thirdeyesecurity.org:

> On Thu, Jun 04, 2020 at 08:25:50PM +0200, 0rb via qubes-users wrote:
>
>> Telnet 1723 port works and I can ping server from
>> sys-net/sys-firewall/proxy-vm
>> But connection can't be established from proxy-vm. Modem hangs if watch
>> journalctl | grep ppptp
>>
>> [user@sys-net ~]$ lsmod | grep pptp
>> nf_nat_pptp 16384 0
>> nf_nat_proto_gre 16384 1 nf_nat_pptp
>> nf_conntrack_pptp 16384 1 nf_nat_pptp
>> nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
>> nf_nat 36864 5 nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_nat_proto_gre,xt_REDIRECT
>> nf_conntrack 163840 11 xt_conntrack,nf_nat,nft_ct,xt_state,nf_conntrack_pptp,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_nat_pptp,nf_conntrack_proto_gre,xt_REDIRECT
>>
>> Can anyone help how to use pptp in QubesOS?
>>
>> In 2016 Unman says
>>
>> First you need to allow INBOUND protocol 47:
>> On sys-net:
>> modprobe ip_conntrack_pptp
>> modprobe ip_nat_pptp
>> iptables -I FORWARD -p 47 -s -j ACCEPT
>>
>> On proxyVM:
>> iptables -I INPUT -p 47 -s -j ACCEPT
>>
>> Now, zero the iptables counters, (using -Z), and try to start the vpn.
>> You should see the counters incrementing both in sys-net and on the
>> vpn proxy.
>> If the connection fails look to see if any DROP rules are being
>> triggered.
>> By default PPTP uses tcp port 1723 so you could put in a rule to log
>> that traffic :
>> iptables -I FORWARD -p tcp --dport 1723 -j LOG
>>
>> But it doesn't solve the problem.
>>
>
> 4 year old suggestions will rarely work in Qubes, but the principle is
> good.
> I don't use pptp myself, but have set this up for various users - a little
> more information from your end would be useful.
> Where are you trying to set up pptp connection from?
> What does your Qubes netvm structure look like?
> Have you set up firewall rules to allow INBOUND protocol 47?
[qubes-users] Windows replacement by ReactOS
Hello, Qubes Community!

Is there any news? Really replacing Windows is a great idea.
I found this. But nightly builds iso doesn't work with hvm (disk detection error)

https://groups.google.com/forum/#!searchin/qubes-users/reactos%7Csort:date/qubes-users/QMkUuTMKgbM/nnlrr7kUBgAJ
https://jira.reactos.org/browse/CORE-13358
https://github.com/QubesOS/qubes-issues/issues/2809#issuecomment-377487490
Re: [qubes-users] Is it possible to build any BSD template on QubesOS?
If Qubes-builder cannot do this, maybe it's possible to migrate template from Proxmox or XCP-ng to Qubes? Because the hypervisor is the same, Xen... no one tried to do this?

May 14, 2020, 20:42 by qubes-users@googlegroups.com:

> Hello, dhorf-hfref.4a288f10!
> after that basic install, you could try if that OS supports pvh mode
> You mean I need to set gui to "false" on hvm and switch hvm to pvh? Or I need
> to install qubes-meta packages on it?
> I read about openbsd and another xen implementation
> but I don't understand how it can be applied correctly in Qubes.
> https://wiki.xen.org/wiki/FreeBSD_PVH
> https://xcp-ng.org/forum/topic/2582/guest-tools-for-openbsd/5
>
> ostype=$(sysctl -n kern.ostype)
> osrelease=$(sysctl -n kern.osrelease)
>
> # PV driver version
> hostctl attr/PVAddons/MajorVersion 6
> hostctl attr/PVAddons/MinorVersion 2
> hostctl attr/PVAddons/MicroVersion 0
> hostctl attr/PVAddons/BuildVersion 76888
> hostctl attr/PVAddons/Installed 1
>
> # OS version
> hostctl data/os_name "$ostype $osrelease"
> hostctl data/os_uname $osrelease
> hostctl data/os_distro $ostype
>
> # Update XenStore
> hostctl data/updated 1
>
>
> May 14, 2020, 20:15 by dhorf-hfref.4a288...@hashmail.org:
>
>> On Thu, May 14, 2020 at 06:56:56PM +0200, onelovecisco via qubes-users wrote:
>>
>>> In PVH mode like Fedora-31 or Debian-10.
>>> Is the Qubes-builder capable of this?
>>>
>>
>> qubes-builder most certainly can not build bsd templates.
>>
>> but like almost any PC OS, you can install it in hvm mode,
>> and that should give you a single graphical interface window,
>> xl console and network access.
>>
>> after that basic install, you could try if that OS supports pvh mode.
>> but that is probably an interesting can of worms.
Re: [qubes-users] Is it possible to build any BSD template on QubesOS?
Hello, dhorf-hfref.4a288f10!

> after that basic install, you could try if that OS supports pvh mode

You mean I need to set gui to "false" on hvm and switch hvm to pvh? Or I need to install qubes-meta packages on it?
I read about openbsd and another xen implementation but I don't understand how it can be applied correctly in Qubes.

https://wiki.xen.org/wiki/FreeBSD_PVH
https://xcp-ng.org/forum/topic/2582/guest-tools-for-openbsd/5

ostype=$(sysctl -n kern.ostype)
osrelease=$(sysctl -n kern.osrelease)

# PV driver version
hostctl attr/PVAddons/MajorVersion 6
hostctl attr/PVAddons/MinorVersion 2
hostctl attr/PVAddons/MicroVersion 0
hostctl attr/PVAddons/BuildVersion 76888
hostctl attr/PVAddons/Installed 1

# OS version
hostctl data/os_name "$ostype $osrelease"
hostctl data/os_uname $osrelease
hostctl data/os_distro $ostype

# Update XenStore
hostctl data/updated 1

May 14, 2020, 20:15 by dhorf-hfref.4a288...@hashmail.org:

> On Thu, May 14, 2020 at 06:56:56PM +0200, onelovecisco via qubes-users wrote:
>
>> In PVH mode like Fedora-31 or Debian-10.
>> Is the Qubes-builder capable of this?
>>
>
> qubes-builder most certainly can not build bsd templates.
>
> but like almost any PC OS, you can install it in hvm mode,
> and that should give you a single graphical interface window,
> xl console and network access.
>
> after that basic install, you could try if that OS supports pvh mode.
> but that is probably an interesting can of worms.
[qubes-users] Is it possible to build any BSD template on QubesOS?
Hello, Qubes Community.

In PVH mode like Fedora-31 or Debian-10.
Is the Qubes-builder capable of this?

I once did it on 3.1 version, but now this is no longer relevant.
https://www.qubes-os.org/doc/netbsd/
and I could only get there through "xl console"
[qubes-users] Qubes and Salt question
Hello, Qubes Community!

Can you help me correctly use Salt in dom0 to automate tasks?
For example, I need to clone debian-10 template and install toolchain on it.

apt install -y \
  build-essential \
  zlib1g-dev uuid-dev libdigest-sha-perl \
  libelf-dev \
  bc \
  bzip2 \
  bison \
  flex \
  git \
  gnupg \
  iasl \
  m4 \
  nasm \
  patch \
  python \
  wget \
  gnat \
  cpio \
  ccache \
  pkg-config \
  cmake \
  libusb-1.0-0-dev \
  pkg-config \
  texinfo

Qubes Salt files are stored in the /srv folder as root.
Where do I need to put my custom *.sls files, and how do I launch them using qubesctl from dom0?

Thanks.