Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
Le lundi 22 août 2016 17:43:35 UTC+2, Andrew David Wong a écrit :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On the contrary, we care greatly about translating the documentation into
> other languages. We're working with Transifex right now to have the
> documentation translated:
> 
> https://github.com/QubesOS/qubes-issues/issues/1452
> 
Ok my bad, I didn't know about this project. Then it is fine, it would help a 
lot of people not used to reading English.
>
> We welcome your participation! Michael (CCed) is the main contact with
> Transifex. He may have a better idea about how members of the Qubes community
> like yourself can get involved.
> 
Ok thank you, he can contact me on this email if you want me to help to translate 
some pages, no problem. I don't type very fast and I'm not that young, but if 
you lack people to help translate into their native language, I can help.
>
> I didn't mean to suggest that it's immune to criticism. On the contrary,
> constructive criticism is always welcome.
>
Sure, I was just a bit on nerves yesterday, sorry about that.
>
> However, you said, "I don't get why documentation don't address..." I was
> simply explaining why. The documentation is lacking such things because no one
> has contributed them.
>
> I think it's fair to beseech documentation contributors to consider these
> things. But, in the end, it's up to them what knowledge (if any) they will
> contribute.
>  
Good point, I have thought about your answer yesterday more rested and just 
begun a course today about TCP/IP networks, OSI model in 7 layers to understand 
better how routing works, how packets travel from layer 7 to your own switch / 
bridge! This is quite interesting, but my attention scattered to another one 
on how to convert decimal numbers into hexadecimal or binary numbers ^^
>
I don't know if it's going to be useful, but yes, it was interesting to realize 
an IPv4 address is coded on 32 bits, which is 4 octets, and that 1 octet reaches 
255 maximum in decimal form because it is coded on 8 bits, which is 2^8=256, 
and as you start from 0, you get this number. And that we're going to switch to 
IPv6 because you have only 2^32 numbers available (4,2 billions) and we are 
already 7,3 billions here on Earth ! That's also why I want to host my website 
on my own cpu bc you need energy to make a server work, Earth is dying, who 
cares my beginner site being unavailable 8-12 hours a day, as long as I warn 
folk when it opens lol. You can also think about Qubes in an ecological point 
of view as it centralizes different OS and allows you to avoid having more 
computers to preserve data : you save energy.
>
Those numbers make you wonder how unreal in less than 50 years we went from 1 
bit (0-1), to this very simple potential electric difference coding 2 values, 
to a world wide web page full of data ^^ I guess we invented aliens to 
communicate with we didn't find (yet) so far :D Because if you think about one 
typo here, like my little D surrounded by 2 symbols (lol), if you think about 
all characters options available in all languages over the whole world for 
those 2 symbols, I wouldn't be surprised this beast gets so huge that it can't 
hold in 1 octet/1byte/256 options haha (btw in french you add e to "bit", you 
get a D :D). I hope you enjoy my delicate poetry on digits man lol ~
>
P.S. : If quoting you fails again, please excuse me, I don't get how to do it 
properly inside your message :(
>
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0b4dfff0-4c9a-42ac-9356-8fedd7bd4306%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-22 02:47, nishiwak...@gmail.com wrote:
> I would love as well to be able to host a website to share my interest for 
> Qubes OS with the world, or at least with people of my country sharing my
> own language if you don't mind, because Qubes OS documentation looks like
> imo being written mostly by native english users that don't seem to care
> much for non-native english users being lost.

On the contrary, we care greatly about translating the documentation into
other languages. We're working with Transifex right now to have the
documentation translated:

https://github.com/QubesOS/qubes-issues/issues/1452

> I would this way really like to participate to some translation effort, as
> I don't necessarily think you can enter easily those quite complicated
> notions with your non-native language.

We welcome your participation! Michael (CCed) is the main contact with
Transifex. He may have a better idea about how members of the Qubes community
like yourself can get involved.

> Qubes documentation being largely a volunteer effort doesn't make it
> immune to the critics,

I didn't mean to suggest that it's immune to criticism. On the contrary,
constructive criticism is always welcome.

However, you said, "I don't get why documentation don't address..." I was
simply explaining why. The documentation is lacking such things because no one
has contributed them.

> and mine is that people spending this valuable time to share their
> knowledge to make people enter quite long and complicated procedures should
> consider that : 1) Explaining how to do port forwarding without addressing
> or referring to basic knowledge upon this concept leads to frustration, as
> you necessarily need to understand a bit what's going on in order to adapt
> the procedures. 2) Even if I think people mostly appreciate and are
> thankful to the Qubes community development for the incredible security
> improvement Qubes OS brings to everyone and that makes Qubes OS probably
> the best OS I know so far, when security isolation somehow puts you in cage
> where you encounter difficulties to communicate with rest of the world,
> well that's not the goal per se :p
> 

I think it's fair to beseech documentation contributors to consider these
things. But, in the end, it's up to them what knowledge (if any) they will
contribute.

> But no problem, thank you for your help. I hope someone might give me some 
> advice on this problem, but I am already trying to learn on iptables, as
> it looks like you can't unblock ports using only Qubes firewall, you have
> to understand these iptables scripts ^^
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On 
> > 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>  Any help to configure sys-firewall would be also really appreciated.
>  I got this annoying pop-up when I click on "Firewall rules" tab under
>  the sys-firewall proxyVM settings :
>  
>  "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>  
>  You may edit the 'sys-firewall' VM firewall rules, but these will
>  not take any effect until you connect it to a working Firewall VM."
>  
>  Only subject related to this problem I found is this message from
>  Unman on Qubes-users group :
>  
>  "When you configure the firewall rules for a vm those rules are
>  applied ON THE FIREWALL to which the vm is attached. So the error
>  message you get is entirely accurate - your firewall is not attached
>  to a firewall and so the rules cannot be applied. Of course you COULD
>  configure a firewall between the fw and the netvm but the same
>  consideration would apply to THAT fw. There's no reason why you can't
>  configure the fw iptables by hand if you want to: you can use 
>  /rw/config/qubes-firewall-user-script to have these rules applied 
>  automatically."
>  
>  Ok so here's what I understand from this message : this proxyVM 
>  Firewall is probably working but rules don't apply because it is 
>  attached to a NetVM, which don't have any firewall policies by 
>  default.
>  
>  https://www.qubes-os.org/doc/qubes-firewall/ Official documentation 
>  says : "Every VM in Qubes is connected to the network via a
>  FirewallVM, which is used to enforce network-level policies. By
>  default there is one default Firewall VM, but the user is free to
>  create more, if needed."
>  
>  And then you got explanations on how to edit rules in a specific VM
>  for a given domain.
>  
>  So I understand you have to edit rules on a AppVM to open up ports 
>  there, but I mean not everyone running Qubes OS is highly graduated
>  in IT and network routing.
>  
>  I find quite disappointing that the official documentation don't 
>  mention more clearly how to set up the default sys-firewall proxyVM, 
>  like if you are supposed to check either "Deny network access
>  except" or "Allow network access except" button or if that doesn't
>  matter, if those policies won't apply anyway because of this
>  pop-up...
>  
> > 
> > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> >  there.
> > 
> > Suppose you have an AppVM in which you want to enforce specific firewall 
> > rules. You should go into the VM settings for *that VM*, then the "Firewall
> >  rules" tab, then configure your firewall rules there. These firewall
> > rules are then *enforced by* sys-firewall under the hood. Enforcing these
> > rules for other VMs is sys-firewall's raison d'être.
> > 
> > By default, there is only one VM with this job: sys-firewall. Therefore, 
> > there is no other VM that can perform this job *for* sys-firewall. But
> > that's not a problem, because there's usually no reason to specify firewall
> > rules for sys-firewall itself anyway. (Besides, you're free to create as
> > many ProxyVMs as you like and chain them together.)
> > 
> > 
> > Ok, thank you very much for your help. Unfortunately I still have great 
> > difficulties to open up port 443 or 80 on an AppVM.
> > 
> > I have read this comment on another thread from Alex Dubois saying :
> > 
> > "A diagram in the wiki would help people understand.
> > 
> > For now: A packet coming from the outside has a sourceIP of the
> > workstation on the LAN that issued it or the router that routed the packet
> > into your LAN and a destinationIP of your netVM externalIP (probably
> > 192.168.0.x). The NetVM iptables rules are going to transform it to a
> > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> > iptables rules are going to transform it to a packet with a destinationIP
> > of your AppVM (10.137.2.16)."
> > 
> > I completely agree with him, a diagram would really help. I don't get why 
> > documentation don't address the routing basics stuff that isn't really
> > basic for newbies, for random people.
> 
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.
> 
> > I like a lot Qubes, this is an awesome OS, but far too complicated for
> > mister everyone. I am at the point right now where frustration becomes
> > 
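
Added example (not part of the original thread, and not Qubes project code): the two destination rewrites Alex Dubois describes, written out as the iptables rules each VM would need. The script only prints the rules; the interface name eth0, the netVM address 192.0.2.10 (a placeholder standing in for the thread's 192.168.0.x) and the final INPUT rule in the AppVM are assumptions.

```sh
#!/bin/sh
# Added example: print (never apply) the iptables rules for the chain
# netVM -> firewallVM -> AppVM described in the quoted explanation.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hop_rules IN_IF MATCH_DST NEXT_HOP PORT
# One hop of the chain: rewrite the destination of TCP traffic arriving on
# IN_IF for MATCH_DST:PORT to NEXT_HOP, and let only new connections to that
# single address and port through the FORWARD chain.
hop_rules() {
    in_if=$1 match_dst=$2 next_hop=$3 port=$4
    case "$in_if" in
        ''|*[!A-Za-z0-9_.-]*) echo "hop_rules: bad interface" >&2; return 1 ;;
    esac
    valid_ipv4 "$match_dst" && valid_ipv4 "$next_hop" && valid_port "$port" || {
        echo "hop_rules: bad address or port" >&2
        return 1
    }
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$in_if" "$match_dst" "$port" "$next_hop"
    printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$in_if" "$next_hop" "$port"
}

# forward_chain PORT NETVM_EXT_IP FIREWALLVM_IP APPVM_IP [NETVM_IF] [FWVM_IF]
# Every argument is validated before anything is printed, so a typo in one
# address cannot leave a half-written rule set behind.
forward_chain() {
    port=$1 ext_ip=$2 fw_ip=$3 app_ip=$4
    net_if=${5:-eth0} fw_if=${6:-eth0}   # assumed uplink interface names
    net_rules=$(hop_rules "$net_if" "$ext_ip" "$fw_ip" "$port") || return 1
    fw_rules=$(hop_rules "$fw_if" "$fw_ip" "$app_ip" "$port") || return 1

    printf '%s\n' "# netVM: destination $ext_ip becomes $fw_ip"
    printf '%s\n' "$net_rules"
    # The quoted advice is to keep hand-written firewallVM rules in
    # /rw/config/qubes-firewall-user-script so they are re-applied automatically.
    printf '%s\n' "# firewallVM: destination $fw_ip becomes $app_ip"
    printf '%s\n' "$fw_rules"
    # Assumption: the AppVM drops unsolicited inbound traffic by default.
    printf '%s\n' "# AppVM: accept the forwarded port"
    printf 'iptables -I INPUT -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$app_ip" "$port"
}

# Addresses 10.137.1.5 and 10.137.2.16 come from the quoted text; 192.0.2.10
# is a constructed placeholder for the netVM's external address.
forward_chain 443 192.0.2.10 10.137.1.5 10.137.2.16
```

Each hop matches one destination address and one port, so nothing beyond the forwarded service becomes reachable from the LAN.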

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.

I would love as well to be able to host a website to share my interest for 
Qubes OS with the world, or at least, with people of my country sharing my own 
language, if you don't mind, because Qubes documentation looks like imo being 
written mostly by native english users that don't seem to care much for 
non-native english users being lost. I would this way really like to 
participate to some translation effort, as I don't necessarily think you can 
enter easily those quite complicated notions with your non-native language.
Qubes documentation being largely a volunteer effort doesn't make it immune to 
the critics, and mine is that people spending this valuable time to share their 
knowledge to make people enter quite long and complicated procedures should 
consider that :
1) Explaining how to do port forwarding without addressing or referring to basic 
knowledge upon this concept leads to frustration, as you necessarily need to 
understand a bit what's going on in order to adapt the procedures.
2) Even if I think people mostly appreciate and are thankful to the Qubes 
community development for the incredible security improvement Qubes OS brings 
to everyone and that makes Qubes OS probably the best OS I know so far, when 
security isolation somehow puts you in cage where you encounter difficulties to 
communicate with rest of the world, well that's not the goal per se :p

> Sorry, this is beyond my knowledge. My own use of Qubes (as a regular user)
> has never occasioned the need to port forward to a VM from the outside world.
> Perhaps it's worth appreciating that what you're attempting to do is somewhat
> advanced, and therefore you should not expect it to be extremely simple. In
> any case, I hope someone knowledgeable about networking will chime in to help
> you with this.

No problem, thank you for your help. I hope someone might give me some advice 
on this problem, but I am already trying to learn on iptables, as it looks like 
you can't unblock ports using only Qubes firewall, you have to understand these 
iptables scripts ^^
  
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
Le lundi 22 août 2016 03:18:07 UTC+2, Andrew David Wong a écrit :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On 
> > 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>  Any help to configure sys-firewall would be also really appreciated.
>  I got this annoying pop-up when I click on "Firewall rules" tab under
>  the sys-firewall proxyVM settings :
>  
>  "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>  
>  You may edit the 'sys-firewall' VM firewall rules, but these will
>  not take any effect until you connect it to a working Firewall VM."
>  
>  Only subject related to this problem I found is this message from
>  Unman on Qubes-users group :
>  
>  "When you configure the firewall rules for a vm those rules are
>  applied ON THE FIREWALL to which the vm is attached. So the error
>  message you get is entirely accurate - your firewall is not attached
>  to a firewall and so the rules cannot be applied. Of course you COULD
>  configure a firewall between the fw and the netvm but the same
>  consideration would apply to THAT fw. There's no reason why you can't
>  configure the fw iptables by hand if you want to: you can use 
>  /rw/config/qubes-firewall-user-script to have these rules applied 
>  automatically."
>  
>  Ok so here's what I understand from this message : this proxyVM 
>  Firewall is probably working but rules don't apply because it is 
>  attached to a NetVM, which don't have any firewall policies by 
>  default.
>  
>  https://www.qubes-os.org/doc/qubes-firewall/ Official documentation 
>  says : "Every VM in Qubes is connected to the network via a
>  FirewallVM, which is used to enforce network-level policies. By
>  default there is one default Firewall VM, but the user is free to
>  create more, if needed."
>  
>  And then you got explanations on how to edit rules in a specific VM
>  for a given domain.
>  
>  So I understand you have to edit rules on a AppVM to open up ports 
>  there, but I mean not everyone running Qubes OS is highly graduated
>  in IT and network routing.
>  
>  I find quite disappointing that the official documentation don't 
>  mention more clearly how to set up the default sys-firewall proxyVM, 
>  like if you are supposed to check either "Deny network access
>  except" or "Allow network access except" button or if that doesn't
>  matter, if those policies won't apply anyway because of this
>  pop-up...
>  
> > 
> > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> >  there.
> > 
> > Suppose you have an AppVM in which you want to enforce specific firewall 
> > rules. You should go into the VM settings for *that VM*, then the "Firewall
> >  rules" tab, then configure your firewall rules there. These firewall
> > rules are then *enforced by* sys-firewall under the hood. Enforcing these
> > rules for other VMs is sys-firewall's raison d'être.
> > 
> > By default, there is only one VM with this job: sys-firewall. Therefore, 
> > there is no other VM that can perform this job *for* sys-firewall. But
> > that's not a problem, because there's usually no reason to specify firewall
> > rules for sys-firewall itself anyway. (Besides, you're free to create as
> > many ProxyVMs as you like and chain them together.)
> > 
> > 
> > Ok, thank you very much for your help. Unfortunately I still have great 
> > difficulties to open up port 443 or 80 on an AppVM.
> > 
> > I have read this comment on another thread from Alex Dubois saying :
> > 
> > "A diagram in the wiki would help people understand.
> > 
> > For now: A packet coming from the outside has a sourceIP of the
> > workstation on the LAN that issued it or the router that routed the packet
> > into your LAN and a destinationIP of your netVM externalIP (probably
> > 192.168.0.x). The NetVM iptables rules are going to transform it to a
> > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> > iptables rules are going to transform it to a packet with a destinationIP
> > of your AppVM (10.137.2.16)."
> > 
> > I completely agree with him, a diagram would really help. I don't get why 
> > documentation don't address the routing basics stuff that isn't really
> > basic for newbies, for random people.
> 
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.
>

I would love as well to be able to host a website to share my interest for 
Qubes OS with the world, or at least, with people of my country sharing my own 

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-21 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit : On 
> 2016-08-21 04:02, nishiwak...@gmail.com wrote:
 Any help to configure sys-firewall would be also really appreciated.
 I got this annoying pop-up when I click on "Firewall rules" tab under
 the sys-firewall proxyVM settings :
 
 "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
 
 You may edit the 'sys-firewall' VM firewall rules, but these will
 not take any effect until you connect it to a working Firewall VM."
 
 Only subject related to this problem I found is this message from
 Unman on Qubes-users group :
 
 "When you configure the firewall rules for a vm those rules are
 applied ON THE FIREWALL to which the vm is attached. So the error
 message you get is entirely accurate - your firewall is not attached
 to a firewall and so the rules cannot be applied. Of course you COULD
 configure a firewall between the fw and the netvm but the same
 consideration would apply to THAT fw. There's no reason why you can't
 configure the fw iptables by hand if you want to: you can use 
 /rw/config/qubes-firewall-user-script to have these rules applied 
 automatically."
 
 Ok so here's what I understand from this message : this proxyVM 
 Firewall is probably working but rules don't apply because it is 
 attached to a NetVM, which don't have any firewall policies by 
 default.
 
 https://www.qubes-os.org/doc/qubes-firewall/ Official documentation 
 says : "Every VM in Qubes is connected to the network via a
 FirewallVM, which is used to enforce network-level policies. By
 default there is one default Firewall VM, but the user is free to
 create more, if needed."
 
 And then you got explanations on how to edit rules in a specific VM
 for a given domain.
 
 So I understand you have to edit rules on a AppVM to open up ports 
 there, but I mean not everyone running Qubes OS is highly graduated
 in IT and network routing.
 
 I find quite disappointing that the official documentation don't 
 mention more clearly how to set up the default sys-firewall proxyVM, 
 like if you are supposed to check either "Deny network access
 except" or "Allow network access except" button or if that doesn't
 matter, if those policies won't apply anyway because of this
 pop-up...
 
> 
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
>  there.
> 
> Suppose you have an AppVM in which you want to enforce specific firewall 
> rules. You should go into the VM settings for *that VM*, then the "Firewall
>  rules" tab, then configure your firewall rules there. These firewall
> rules are then *enforced by* sys-firewall under the hood. Enforcing these
> rules for other VMs is sys-firewall's raison d'être.
> 
> By default, there is only one VM with this job: sys-firewall. Therefore, 
> there is no other VM that can perform this job *for* sys-firewall. But
> that's not a problem, because there's usually no reason to specify firewall
> rules for sys-firewall itself anyway. (Besides, you're free to create as
> many ProxyVMs as you like and chain them together.)
> 
> 
> Ok, thank you very much for your help. Unfortunately I still have great 
> difficulties to open up port 443 or 80 on an AppVM.
> 
> I have read this comment on another thread from Alex Dubois saying :
> 
> "A diagram in the wiki would help people understand.
> 
> For now: A packet coming from the outside has a sourceIP of the
> workstation on the LAN that issued it or the router that routed the packet
> into your LAN and a destinationIP of your netVM externalIP (probably
> 192.168.0.x). The NetVM iptables rules are going to transform it to a
> packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> iptables rules are going to transform it to a packet with a destinationIP
> of your AppVM (10.137.2.16)."
> 
> I completely agree with him, a diagram would really help. I don't get why 
> documentation don't address the routing basics stuff that isn't really
> basic for newbies, for random people.

The documentation is largely a volunteer effort. I'm afraid we simply don't
have the workforce to make all necessary and desirable improvements to the
documentation. We would love it if someone would submit a pull request adding
such a diagram or, in general, improving that page.

> I like a lot Qubes, this is an awesome OS, but far too complicated for
> mister everyone. I am at the point right now where frustration becomes
> overwhelming. I don't think I am not curious, trying to improve or
> understand better the way this OS works... I'm just going mad tonight,
> lol.
> 
> So let me try to sum up this comment in a visual way to understand better
> how routing works on Qubes.
> 
> 

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-21 Thread nishiwaka46
Le dimanche 21 août 2016 21:28:13 UTC+2, Andrew David Wong a écrit :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > Any help to configure sys-firewall would be also really appreciated. I got
> >  this annoying pop-up when I click on "Firewall rules" tab under the 
> > sys-firewall proxyVM settings :
> > 
> > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> > 
> > You may edit the 'sys-firewall' VM firewall rules, but these will not take
> >  any effect until you connect it to a working Firewall VM."
> > 
> > Only subject related to this problem I found is this message from Unman on
> >  Qubes-users group :
> > 
> > "When you configure the firewall rules for a vm those rules are applied ON
> >  THE FIREWALL to which the vm is attached. So the error message you get is
> >  entirely accurate - your firewall is not attached to a firewall and so the
> >  rules cannot be applied. Of course you COULD configure a firewall between 
> > the fw and the netvm but the same consideration would apply to THAT fw. 
> > There's no reason why you can't configure the fw iptables by hand if you 
> > want to: you can use /rw/config/qubes-firewall-user-script to have these 
> > rules applied automatically."
> > 
> > Ok so here's what I understand from this message : this proxyVM Firewall is
> > probably working but rules don't apply because it is attached to a NetVM,
> > which doesn't have any firewall policies by default.
> > 
> > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
> >  "Every VM in Qubes is connected to the network via a FirewallVM, which is
> >  used to enforce network-level policies. By default there is one default 
> > Firewall VM, but the user is free to create more, if needed."
> > 
> > And then you got explanations on how to edit rules in a specific VM for a 
> > given domain.
> > 
> > So I understand you have to edit rules on an AppVM to open up ports there, 
> > but I mean not everyone running Qubes OS is highly graduated in IT and 
> > network routing.
> > 
> > I find it quite disappointing that the official documentation doesn't mention 
> > more clearly how to set up the default sys-firewall proxyVM, like if you 
> > are supposed to check either "Deny network access except" or "Allow network
> > access except" button or if that doesn't matter, if those policies won't
> > apply anyway because of this pop-up...
> > 
> 
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> there.
> 
> Suppose you have an AppVM in which you want to enforce specific firewall
> rules. You should go into the VM settings for *that VM*, then the "Firewall
> rules" tab, then configure your firewall rules there. These firewall rules are
> then *enforced by* sys-firewall under the hood. Enforcing these rules for
> other VMs is sys-firewall's raison d'être.
> 
> By default, there is only one VM with this job: sys-firewall. Therefore, there
> is no other VM that can perform this job *for* sys-firewall. But that's not a
> problem, because there's usually no reason to specify firewall rules for
> sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
> as you like and chain them together.)
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
> -END PGP SIGNATURE-

Ok, thank you very much for your help. Unfortunately I still have great 
difficulties to open up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying :

"A diagram in the wiki would help people understand.

For now:
A packet coming from the outside has a sourceIP of the workstation on the LAN 
that issued it or the router that routed the packet into your LAN and a 
destinationIP of your netVM externalIP (probably 192.168.0.x).
The NetVM iptables rules are going to transform it to a packet with a 
destinationIP of your firewallVM (10.137.1.5).
The firewallVM iptables rules are going to transform it to a packet with a 
destinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help.
I don't get why documentation 

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-21 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> Any help to configure sys-firewall would be also really appreciated. I got
>  this annoying pop-up when I click on "Firewall rules" tab under the 
> sys-firewall proxyVM settings :
> 
> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> 
> You may edit the 'sys-firewall' VM firewall rules, but these will not take
>  any effect until you connect it to a working Firewall VM."
> 
> Only subject related to this problem I found is this message from Unman on
>  Qubes-users group :
> 
> "When you configure the firewall rules for a vm those rules are applied ON
>  THE FIREWALL to which the vm is attached. So the error message you get is
>  entirely accurate - your firewall is not attached to a firewall and so the
>  rules cannot be applied. Of course you COULD configure a firewall between 
> the fw and the netvm but the same consideration would apply to THAT fw. 
> There's no reason why you can't configure the fw iptables by hand if you 
> want to: you can use /rw/config/qubes-firewall-user-script to have these 
> rules applied automatically."
> 
> Ok so here's what I understand from this message : this proxyVM Firewall is
> probably working but rules don't apply because it is attached to a NetVM,
> which doesn't have any firewall policies by default.
> 
> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
>  "Every VM in Qubes is connected to the network via a FirewallVM, which is
>  used to enforce network-level policies. By default there is one default 
> Firewall VM, but the user is free to create more, if needed."
> 
> And then you got explanations on how to edit rules in a specific VM for a 
> given domain.
> 
> So I understand you have to edit rules on an AppVM to open up ports there, 
> but I mean not everyone running Qubes OS is highly graduated in IT and 
> network routing.
> 
> I find it quite disappointing that the official documentation doesn't mention 
> more clearly how to set up the default sys-firewall proxyVM, like if you 
> are supposed to check either "Deny network access except" or "Allow network
> access except" button or if that doesn't matter, if those policies won't
> apply anyway because of this pop-up...
> 

Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
there.

Suppose you have an AppVM in which you want to enforce specific firewall
rules. You should go into the VM settings for *that VM*, then the "Firewall
rules" tab, then configure your firewall rules there. These firewall rules are
then *enforced by* sys-firewall under the hood. Enforcing these rules for
other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there
is no other VM that can perform this job *for* sys-firewall. But that's not a
problem, because there's usually no reason to specify firewall rules for
sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
as you like and chain them together.)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
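
The two-hop rewrite Alex Dubois describes earlier in this thread, traced in Python as an added example that is not part of any post here or of Qubes itself. The NetVM address 192.168.0.10 is a constructed stand-in for "192.168.0.x", the uplink name eth0 in the generated rules is an assumption, and the `Dnat` and `trace` names are hypothetical.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Dnat:
    """One forward on one VM: TCP to listen_ip:port is re-addressed to next_hop."""
    vm: str
    listen_ip: str
    port: int
    next_hop: str

    def as_iptables(self) -> List[str]:
        # Rule pair to type inside that VM; the uplink name eth0 is an assumption.
        return [
            f"iptables -t nat -A PREROUTING -i eth0 -p tcp -d {self.listen_ip} "
            f"--dport {self.port} -j DNAT --to-destination {self.next_hop}",
            f"iptables -I FORWARD -i eth0 -p tcp -d {self.next_hop} "
            f"--dport {self.port} -j ACCEPT",
        ]


def trace(dst_ip: str, port: int, rules: List[Dnat]) -> List[str]:
    """Return every destination IP the packet carries, hop by hop."""
    by_listen = {(r.listen_ip, r.port): r for r in rules}
    path = [dst_ip]
    # Stop when no VM rewrites the current destination (or on a rule loop).
    while (path[-1], port) in by_listen and len(path) <= len(rules):
        path.append(by_listen[(path[-1], port)].next_hop)
    return path


NETVM_EXTERNAL = "192.168.0.10"   # constructed stand-in for "192.168.0.x"
FIREWALLVM = "10.137.1.5"         # from the quoted description
APPVM = "10.137.2.16"             # from the quoted description

CHAIN = [
    Dnat("NetVM", NETVM_EXTERNAL, 443, FIREWALLVM),
    Dnat("sys-firewall", FIREWALLVM, 443, APPVM),
]

if __name__ == "__main__":
    for rule in CHAIN:
        print(f"# in {rule.vm}")
        print("\n".join(rule.as_iptables()))
    print("full chain:     ", " -> ".join(trace(NETVM_EXTERNAL, 443, CHAIN)))
    # Failure mode: only the NetVM rule exists, so the packet stops at the firewallVM.
    print("NetVM rule only:", " -> ".join(trace(NETVM_EXTERNAL, 443, CHAIN[:1])))
```

With only the NetVM rule in place the trace ends at 10.137.1.5: the packet is addressed to the firewallVM itself and never reaches the AppVM.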
