Re: [qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 01:41 PM, Ed wrote:
> On 10/06/2017 03:14 PM, Mike Keehan wrote:
> > On Fri, 6 Oct 2017 12:17:26 -0400
> > Ed  wrote:
> > 
> > > On 10/06/2017 12:10 PM, Mike Keehan wrote:
> > > 
> > > > Wouldn't it be possible to add a second Firewall VM to be used
> > > > solely by your special single vm?
> > > 
> > > Yes I believe this would def work, and also should be
> > > automatic/reliable across reboots, but I was really hoping to not
> > > give up 2-4GB of RAM just for this purpose.
> > 
> > I think you will find that the firewall VM runs OK in just 500Mb, maybe
> > less.  Search the mail list for "vm memory" - there have been a number
> > of discussions about how much is actually used by the system VMs.  (I
> > can't remember the details off hand, or I would give more info!)
> > 
> > It is worth knowing that although a VM is initially set up with a 4Gb
> > memory allocation, it only uses what it needs.   The rest is still
> > available to the other qubes etc.
> > 
> > Mike.
> 
> You know that's not a bad point.  I never really looked into reducing
> the memory allotment.  I just know anecdotally on my systems the
> firewall vm's use 2-3GB (when left with the default max of 4GB).  I
> also know they will run on less if I'm pushing a system out of memory
> but I never thought to just restrict them to less to start.
> 
> I'm not really strapped for memory on the machine I'm working with
> here so it does look like adding an additional firewall VM would be
> the easiest way to get what I want, it just seemed a tad wasteful to
> me, but perfect is the enemy of good.
> 
> Appreciate the input!



IMO, it's best to leave memory management to the OS until such time as a 
definite problem is found (which would most likely show up as swapping, 
which would cause massive performance problems).


I suspect you'd find if you looked closely at the vm that most of the 
memory used is for caching. That's a good thing. No point having memory 
sit unused and forcing it to keep downloading the same files. The moment 
the cache is needed for something else, it'll be reallocated.


Ron

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/976e6d2e-b2ab-4e82-3a9b-4ac1a001c7b5%40shaw.ca.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread Unman
On Fri, Oct 06, 2017 at 03:41:26PM -0400, Ed wrote:
> On 10/06/2017 03:14 PM, Mike Keehan wrote:
> > On Fri, 6 Oct 2017 12:17:26 -0400
> > Ed  wrote:
> > 
> > > On 10/06/2017 12:10 PM, Mike Keehan wrote:
> > > 
> > > > 
> > > > Wouldn't it be possible to add a second Firewall VM to be used
> > > > solely by your special single vm?
> > > 
> > > Yes I believe this would def work, and also should be
> > > automatic/reliable across reboots, but I was really hoping to not
> > > give up 2-4GB of RAM just for this purpose.
> > > 
> > 
> > I think you will find that the firewall VM runs OK in just 500Mb, maybe
> > less.  Search the mail list for "vm memory" - there have been a number
> > of discussions about how much is actually used by the system VMs.  (I
> > can't remember the details off hand, or I would give more info!)
> > 
> > It is worth knowing that although a VM is initially set up with a 4Gb
> > memory allocation, it only uses what it needs.   The rest is still
> > available to the other qubes etc.
> > 
> > 
> > Mike.
> > 
> 
> You know that's not a bad point.  I never really looked into reducing the
> memory allotment.  I just know anecdotally on my systems the firewall vm's
> use 2-3GB (when left with the default max of 4GB).  I also know they will
> run on less if I'm pushing a system out of memory but I never thought to just
> restrict them to less to start.
> 
> I'm not really strapped for memory on the machine I'm working with here so
> it does look like adding an additional firewall VM would be the easiest way
> to get what I want, it just seemed a tad wasteful to me, but perfect is the
> enemy of good
> 
> Appreciate the input!

I standardly reduce memory on all system qubes to 300M with no ill
effects, and restrict most of my other qubes to 400M.
Compiling and number crunching I set high.



[qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread Ed

On 10/06/2017 03:14 PM, Mike Keehan wrote:
> On Fri, 6 Oct 2017 12:17:26 -0400
> Ed  wrote:
> 
> > On 10/06/2017 12:10 PM, Mike Keehan wrote:
> > 
> > > Wouldn't it be possible to add a second Firewall VM to be used
> > > solely by your special single vm?
> > 
> > Yes I believe this would def work, and also should be
> > automatic/reliable across reboots, but I was really hoping to not
> > give up 2-4GB of RAM just for this purpose.
> 
> I think you will find that the firewall VM runs OK in just 500Mb, maybe
> less.  Search the mail list for "vm memory" - there have been a number
> of discussions about how much is actually used by the system VMs.  (I
> can't remember the details off hand, or I would give more info!)
> 
> It is worth knowing that although a VM is initially set up with a 4Gb
> memory allocation, it only uses what it needs.   The rest is still
> available to the other qubes etc.
> 
> Mike.

You know that's not a bad point.  I never really looked into reducing 
the memory allotment.  I just know anecdotally on my systems the 
firewall vm's use 2-3GB (when left with the default max of 4GB).  I also 
know they will run on less if I'm pushing a system out of memory but I 
never thought to just restrict them to less to start.

I'm not really strapped for memory on the machine I'm working with here 
so it does look like adding an additional firewall VM would be the 
easiest way to get what I want, it just seemed a tad wasteful to me, but 
perfect is the enemy of good.

Appreciate the input!



Re: [qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread Mike Keehan
On Fri, 6 Oct 2017 12:17:26 -0400
Ed  wrote:

> On 10/06/2017 12:10 PM, Mike Keehan wrote:
> 
> > 
> > Wouldn't it be possible to add a second Firewall VM to be used
> > solely by your special single vm?
> >   
> 
> Yes I believe this would def work, and also should be
> automatic/reliable across reboots, but I was really hoping to not
> give up 2-4GB of RAM just for this purpose.
> 

I think you will find that the firewall VM runs OK in just 500Mb, maybe
less.  Search the mail list for "vm memory" - there have been a number
of discussions about how much is actually used by the system VMs.  (I
can't remember the details off hand, or I would give more info!)

It is worth knowing that although a VM is initially set up with a 4Gb
memory allocation, it only uses what it needs.   The rest is still
available to the other qubes etc.


   Mike.



[qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread Ed

On 10/06/2017 12:14 PM, filtration wrote:
> Can you create another sys-net chain with the second interface? You
> could keep things isolated without scripting. Assuming you are using
> Qubes 3.2, the interface could be assigned to sys-net-2 via VM
> Settings->Devices.

Looks like you and Mike Keehan both had the same/similar idea.

I could add a second firewall vm and use the same sys-net (I don't think 
I could use a different sys-net as easily because I want to use the same 
pci network device, just attach another IP).

In fact this machine already has two NIC's and two separate 
sys-net/sys-firewall setups on it so I can route some vm's out entirely 
separate physical interfaces.

But really I was hoping to accomplish this without adding the additional 
memory overhead of another sys-firewall instance.




[qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread filtration
Assuming you mean a physical interface.



[qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread Ed

On 10/06/2017 12:10 PM, Mike Keehan wrote:
> Wouldn't it be possible to add a second Firewall VM to be used solely
> by your special single vm?

Yes I believe this would def work, and also should be automatic/reliable 
across reboots, but I was really hoping to not give up 2-4GB of RAM just 
for this purpose.




[qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-06 Thread filtration
> What I would like to do is add a second IP to both sys-firewall and
> sys-net so that I can NAT traffic from one of my VM's in/out through
> these IP's.  So what I end up with is two IP's on sys-net, one handling
> all the traffic for most of my VM's, the other handling traffic for one
> specific VM.  This way I can do additional firewall restrictions on this
> VM in my networks.
>
> If I manually add the IP addresses to sys-net and sys-firewall, manually
> add the destination NAT and source NAT rules to both as well, then
> manually add a route in sys-net, and also force another rule into the
> IPTABLES raw table on sys-net (to override a rule added by
> /etc/xen/scripts/vif-routes-qubes which restricts all incoming traffic
> from sys-firewall to the IP assigned by qubes to the default interface),
> then I'm able to make this work.
>
> However, this is very finicky and totally unscriptable in this
> configuration, and I'd really like this to be something auto configured
> on boot.
>
> I've looked and looked and don't see where I can add a second interface
> definition to any config files.  If I manually edit the xen
> sys-firewall.conf file it just gets overwritten by qubes.  I can do all
> the iptables rules I need in the /rw/config scripts, but what I really
> need is for sys-firewall to add another virtual interface for me.
>
> I tried running: sudo xl network-attach sys-firewall
> script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net
> This will add the interface and setup sys-net with the correct routes
> and rules, HOWEVER, the interface that it adds to sys-firewall has the
> same IP as the existing interface which breaks all the traffic going out
> of sys-firewall
>
> Has anyone ever had any success doing something like this?
>
> Any suggestions out there?
>
> Thanks,
> Ed
>
Can you create another sys-net chain with the second interface? You
could keep things isolated without scripting. Assuming you are using
Qubes 3.2, the interface could be assigned to sys-net-2 via VM
Settings->Devices.

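The sys-firewall half of the manual procedure Ed describes (a second address plus DNAT/SNAT scoped to one AppVM), written as an added example for /rw/config/rc.local; it is not code from the thread or from Qubes OS. All addresses, the uplink interface and the vif name are constructed placeholders, and the sys-net side he mentions (adding the address, the route back to sys-firewall, and an exception for that one address in the raw-table anti-spoofing rule) still has to be done separately.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS. Fragment for
# /rw/config/rc.local in sys-firewall (Qubes 3.2-era iptables): give one AppVM
# its own upstream address. Every address, interface and vif name here is a
# constructed placeholder; override them via the environment.
set -eu

UPLINK="${UPLINK:-eth0}"                 # sys-firewall's interface towards sys-net
SECOND_IP="${SECOND_IP:-10.150.10.10}"   # the extra address, same one added in sys-net
CLIENT_IP="${CLIENT_IP:-10.137.2.20}"    # the single AppVM that should use SECOND_IP
CLIENT_VIF="${CLIENT_VIF:-vif3.0}"       # that AppVM's vif as seen inside sys-firewall

# Emit the commands instead of running them, so the plan can be reviewed first.
# Rules are inserted (-I), not appended, so they match before the default
# MASQUERADE rule Qubes already keeps in nat/POSTROUTING.
plan() {
    echo "ip addr add ${SECOND_IP}/32 dev ${UPLINK}"
    # Outbound: only this client's traffic leaves with the second address.
    echo "iptables -t nat -I POSTROUTING -s ${CLIENT_IP} -o ${UPLINK} -j SNAT --to-source ${SECOND_IP}"
    # Inbound: anything arriving for the second address goes to that client only.
    echo "iptables -t nat -I PREROUTING -i ${UPLINK} -d ${SECOND_IP} -j DNAT --to-destination ${CLIENT_IP}"
    # Let the DNAT-ed flows through FORWARD; everything else keeps the Qubes policy.
    echo "iptables -I FORWARD -i ${UPLINK} -o ${CLIENT_VIF} -d ${CLIENT_IP} -m conntrack --ctstate DNAT -j ACCEPT"
}

# Apply idempotently: skip an address or rule that is already present, so the
# script can be rerun (or rc.local re-executed) without stacking duplicates.
apply() {
    plan | while IFS= read -r cmd; do
        case "$cmd" in
            "ip addr "*)
                ip addr show dev "$UPLINK" | grep -q "${SECOND_IP}/32" || $cmd ;;
            "iptables "*)
                check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
                $check 2>/dev/null || $cmd ;;
        esac
    done
}

# Guard worth keeping in a test: the SNAT must stay scoped to CLIENT_IP. A
# blanket SNAT would silently move every qube behind sys-firewall onto the
# second address and defeat the per-VM firewalling this setup is for.
snat_is_scoped() {
    plan | grep -q -- "POSTROUTING -s ${CLIENT_IP} .*-j SNAT"
}
```

Run `plan` first to review the exact rules for your addresses; `apply` is what rc.local should call (it runs as root there).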