Re: [qubes-users] No wired internet (Intel I219-LM) on new 4.1 install
M: I can access https://1.1.1.1. But not cloudflare.com. On Saturday, 28 May 2022 at 23:17:34 UTC+3 M wrote: According the doc, you don't need to do that. Firewall policy which is see with qvm-firewall sys-firewall: 0. tcp 443 1. dns 2. icmp 3. drop I still can't solve the problem. On Wednesday, 25 May 2022 at 07:18:35 UTC+3 sv...@svensemmler.org wrote: On 5/24/22 08:36, M wrote: sys-firewall - limit traffic to * on TCP port 443. I tried ping google from sys-net and sys-firewall terminal. From sys-net domain+ip went through, sys-firewall only ip. Don't set firewall rules directly on sys-firewall. Set them instead on the AppVMs that connect through sys-firewall. -- - don't top post Mailing list etiquette: - trim quoted reply to only relevant portions - when possible, copy and paste text instead of screenshots -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8e20ab13-3ede-a336-210f-60ba3c795426%40danwin1210.de.
Re: [qubes-users] No wired internet (Intel I219-LM) on new 4.1 install
I can access https://1.1.1.1. But not cloudflare.com. On Saturday, 28 May 2022 at 23:17:34 UTC+3 M wrote: > According the doc, you don't need to do that. > Firewall policy which is see with qvm-firewall sys-firewall: > 0. tcp 443 > 1. dns > 2. icmp > 3. drop > > I still can't solve the problem. > On Wednesday, 25 May 2022 at 07:18:35 UTC+3 sv...@svensemmler.org wrote: > >> On 5/24/22 08:36, M wrote: >> > sys-firewall - limit traffic to * on TCP port 443. >> > I tried ping google from sys-net and sys-firewall terminal. >> > From sys-net domain+ip went through, sys-firewall only ip. >> >> * ping uses ICMP which the firewall will always let through unless you >> use qvm-firewall >> * DNS queries are routed by Qubes OS to the netvm, which is in your case >> sys-firewall >> * once you allow UDP port 53 in the firewall settings in sys-firewall DNS >> should work >> >> > Updates are also not working. >> >> Well, they need DNS. ;-) ... and also Fedora will try to contact some >> HTTP URLs >> >> If you don't want to allow HTTP in sys-firewall, you can >> >> 1. clone it to sys-update >> 2. set sys-update as updatevm and in the policy for updates >> 3. allow HTTP for sys-update >> 4. set "provides networking" to false for sys-update >> >> That means sys-update will be used as update proxy but no other qube can >> use it as network (netvm). >> >> /Sven >> >> -- >> public key: https://www.svensemmler.org/2A632C537D744BC7.asc >> fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7 >> > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f6d1ee2-6268-413c-93ed-3840d8197a63n%40googlegroups.com.
Re: [qubes-users] No wired internet (Intel I219-LM) on new 4.1 install
According the doc, you don't need to do that. Firewall policy which is see with qvm-firewall sys-firewall: 0. tcp 443 1. dns 2. icmp 3. drop I still can't solve the problem. On Wednesday, 25 May 2022 at 07:18:35 UTC+3 sv...@svensemmler.org wrote: > On 5/24/22 08:36, M wrote: > > sys-firewall - limit traffic to * on TCP port 443. > > I tried ping google from sys-net and sys-firewall terminal. > > From sys-net domain+ip went through, sys-firewall only ip. > > * ping uses ICMP which the firewall will always let through unless you use > qvm-firewall > * DNS queries are routed by Qubes OS to the netvm, which is in your case > sys-firewall > * once you allow UDP port 53 in the firewall settings in sys-firewall DNS > should work > > > Updates are also not working. > > Well, they need DNS. ;-) ... and also Fedora will try to contact some HTTP > URLs > > If you don't want to allow HTTP in sys-firewall, you can > > 1. clone it to sys-update > 2. set sys-update as updatevm and in the policy for updates > 3. allow HTTP for sys-update > 4. set "provides networking" to false for sys-update > > That means sys-update will be used as update proxy but no other qube can > use it as network (netvm). > > /Sven > > -- > public key: https://www.svensemmler.org/2A632C537D744BC7.asc > fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7 > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/18ea6cba-e769-446d-b19f-73dfdb244073n%40googlegroups.com.
Re: [qubes-users] No wired internet (Intel I219-LM) on new 4.1 install
On 5/24/22 08:36, M wrote: sys-firewall - limit traffic to * on TCP port 443. I tried ping google from sys-net and sys-firewall terminal. From sys-net domain+ip went through, sys-firewall only ip. * ping uses ICMP which the firewall will always let through unless you use qvm-firewall * DNS queries are routed by Qubes OS to the netvm, which is in your case sys-firewall * once you allow UDP port 53 in the firewall settings in sys-firewall DNS should work Updates are also not working. Well, they need DNS. ;-) ... and also Fedora will try to contact some HTTP URLs If you don't want to allow HTTP in sys-firewall, you can 1. clone it to sys-update 2. set sys-update as updatevm and in the policy for updates 3. allow HTTP for sys-update 4. set "provides networking" to false for sys-update That means sys-update will be used as update proxy but no other qube can use it as network (netvm). /Sven -- public key: https://www.svensemmler.org/2A632C537D744BC7.asc fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bbe90e79-6db5-544a-e990-53233d641193%40SvenSemmler.org. OpenPGP_signature Description: OpenPGP digital signature