[qubes-users] Re: rc.local iptables persistence on reboot
https://www.qubes-os.org/doc/qubes-firewall/ everything is in this chapter "Enabling networking between two VMs". You don't need to run custom scripts for enabling networking between two VMs. In case you need your system safe from apps connecting to each other, you can allow traffic on a single port and connect them via SSH tunnel. Let's say allow traffic A<>B on port 22, then connect it via ssh:

ssh -L port:ip:port user@ip

and then point the browser in the client VM to localhost. The SSH tunnel redirects you to your webserver on VM B.

-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cad7e178-4de4-4e0e-b53e-a229848b55f1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: rc.local iptables persistence on reboot
https://www.qubes-os.org/doc/qubes-firewall/ everything is in this chapter "Enabling networking between two VMs". You don't need to run custom scripts for enabling networking between two VMs.
Re: [qubes-users] Re: rc.local iptables persistence on reboot
On Tuesday, October 11, 2016 at 6:16:31 AM UTC-4, Unman wrote:
> On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> > On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > > world writable script executed as root is the worst advice I've ever seen
> > > on this mailing list.
> > > please don't do that!
> >
> > I don't even think that'd make it executable, but writeable lol. just do
> > chmod a+x
> >
> > why not filter outbound instead of inbound?
>
> chmod 766 does make it executable, obviously - it also makes it world
> writable.
>
> I've seen plenty of worse advice on the lists.
> The fact that it's now world writable is a red herring. Every file in a
> qube is writeable by the user in default setup, regardless of
> permissions. It doesn't matter.
> Look at /etc/sudoers.d/qubes
>
> Setting custom iptables rules from rc.local is possible - whether it
> adds anything more than a minimal layer of safety is questionable. I
> choose to set inbound and outbound restrictions on all net and proxy
> qubes, and custom restrictions on FORWARD rules too.
>
> unman

Oh ok, I thought it would make it readable and writable, but not executable. But I didn't test it.

Ya well, I mean unless he is a webserver I would be filtering outgoing for ports 80,443, not incoming. Figured it was just good practice.
Re: [qubes-users] Re: rc.local iptables persistence on reboot
On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > world writable script executed as root is the worst advice I've ever seen
> > on this mailing list.
> > please don't do that!
>
> I don't even think that'd make it executable, but writeable lol. just do
> chmod a+x
>
> why not filter outbound instead of inbound?

chmod 766 does make it executable, obviously - it also makes it world writable.

I've seen plenty of worse advice on the lists.
The fact that it's now world writable is a red herring. Every file in a qube is writeable by the user in default setup, regardless of permissions. It doesn't matter.
Look at /etc/sudoers.d/qubes

Setting custom iptables rules from rc.local is possible - whether it adds anything more than a minimal layer of safety is questionable. I choose to set inbound and outbound restrictions on all net and proxy qubes, and custom restrictions on FORWARD rules too.

unman
[qubes-users] Re: rc.local iptables persistence on reboot
On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> world writable script executed as root is the worst advice I've ever seen on
> this mailing list.
> please don't do that!

I don't even think that'd make it executable, but writeable lol. Just do chmod a+x

Why not filter outbound instead of inbound?
[qubes-users] Re: rc.local iptables persistence on reboot
World writable script executed as root is the worst advice I've ever seen on this mailing list. Please don't do that!
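The objection above is about the mode bits of a script that runs as root at boot. As an added example (not code from anyone in this thread), the following POSIX sh snippet reports whether a boot script such as /rw/config/rc.local is executable and whether it is world-writable, using only ls(1) so it behaves the same on GNU and BSD userlands. The demo files and the function names are this example's own constructions. Note the caveat raised later in the thread: in a default Qubes AppVM the user has passwordless sudo, so the mode bits are a hygiene check rather than a real boundary.

```shell
#!/bin/sh
# Added example: classify a boot script by its permission bits.
# Uses ls(1) output so it does not depend on GNU vs BSD stat(1) flags.

# Print the 10-character mode string of a file, e.g. "-rwxrw-rw-".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed if the owner execute bit is set (position 4 of the mode string;
# 's' covers setuid scripts as well).
is_executable() {
    case "$(mode_string "$1")" in
        ???[xs]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeed if "others" have write permission (position 9 of the mode string).
is_world_writable() {
    case "$(mode_string "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one of: missing, world-writable, not-executable, ok.
# World-writable is reported first because it is the more serious finding.
check_boot_script() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 0; }
    if is_world_writable "$f"; then
        echo "world-writable"
    elif ! is_executable "$f"; then
        echo "not-executable"
    else
        echo "ok"
    fi
}

# Demonstration on constructed temporary files; no real rc.local is touched.
demo() {
    d=$(mktemp -d)
    : > "$d/a"; chmod 766 "$d/a"   # the mode suggested in the thread
    : > "$d/b"; chmod 644 "$d/b"   # readable but never run
    : > "$d/c"; chmod 755 "$d/c"   # executable, not world-writable
    for f in a b c; do
        printf '%s: %s\n' "$f" "$(check_boot_script "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

To inspect a real file, call `check_boot_script /rw/config/rc.local` inside the qube; `chmod 755` (or `chmod a+x` on a 644 file) yields "ok", while `chmod 766` yields "world-writable".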
[qubes-users] Re: rc.local iptables persistence on reboot
On Sunday, 18 September 2016 10:14:15 UTC+10, nishi...@gmail.com wrote:
> Hello,
>
> Following Qubes documentation on firewall
> https://www.qubes-os.org/doc/qubes-firewall/, I tried to put some basics
> iptables rules into /rw/config/rc.local in an AppVM but they don't persist
> after reboots :
>
> iptables -F

Don't use -F, flushing removes the Qubes inherent IPTables. Don't -P either.

#!/bin/sh
# Insert rules at the top of INPUT instead of flushing the chain
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT

> When I type "sudo iptables -L", they don't appear after rebooting the VM, I
> have the same rules as before, it looks like the script isn't launched :(
> This is weird because the file is executable ! ("sudo chmod +x rc.local").
> Also I tried to add sudo before every line but it didn't change the outcome.

Have you made sure it's executable? (ls -al) If not, use the full command, not an abbreviated one, because sometimes the abbreviated one only affects user and group, not everyone. "chmod 766 rc.local" ?
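The reply above makes two points: do not flush the chain or change the policy, because that discards the rules Qubes itself installed, and insert your own rules at fixed positions instead. One thing a plain `iptables -I` script does not handle is being run twice (rc.local, a manual re-run while debugging), which piles up duplicate rules. The following is an added example, not the poster's script or anything from the Qubes project: it wraps each insertion in an `iptables -C` existence check so the script is idempotent, and it lets the `IPT` variable point at a wrapper function so the logic can be exercised without touching a live firewall. `ensure_rule`, `apply_input_rules` and the `IPT` override are this example's own names; it assumes an iptables new enough to support `-C` (1.4.11 and later).

```shell
#!/bin/sh
# Added example: rc.local fragment that adds INPUT rules on top of the
# Qubes-provided chain without flushing it, and that is safe to re-run.
# IPT may be overridden (for example with a wrapper function) for dry runs.
IPT="${IPT:-iptables}"

# ensure_rule CHAIN POSITION RULE...
# Insert RULE at POSITION in CHAIN unless "iptables -C" reports that an
# identical rule already exists, so repeated runs do not duplicate rules.
ensure_rule() {
    chain="$1"; pos="$2"; shift 2
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0          # already present, nothing to do
    fi
    "$IPT" -I "$chain" "$pos" "$@"
}

# The same four rules as in the thread, expressed idempotently.
# Ordering: loopback first, then established flows, then the two listeners.
apply_input_rules() {
    ensure_rule INPUT 1 -i lo -j ACCEPT
    ensure_rule INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure_rule INPUT 3 -p tcp --dport 80 -j ACCEPT
    ensure_rule INPUT 4 -p tcp --dport 443 -j ACCEPT
}

# Only apply automatically when this file is actually running as rc.local;
# when sourced elsewhere (or tested) the functions are merely defined.
case "$0" in
    */rc.local) apply_input_rules ;;
esac
```

After a reboot, `sudo iptables -L INPUT -n --line-numbers` should show the four rules at positions 1 to 4 ahead of the Qubes defaults, and running the script a second time leaves the count unchanged.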
[qubes-users] Re: rc.local iptables persistence on reboot
I once managed to add a line break before the shebang. Took me a bit of time to figure out why VM services did not start. I can't see what could fail in your script other than $PATH being incomplete or unset.
[qubes-users] Re: rc.local iptables persistence on reboot
Yes, my script is already posted here. I was implying the sh shebang, as we're talking about a file that contains it before any changes are done. But thanks for checking.
[qubes-users] Re: rc.local iptables persistence on reboot
Would you mind posting the whole script?
[qubes-users] Re: rc.local iptables persistence on reboot
On Sunday, 18 September 2016 20:36:53 UTC+2, Connor Page wrote:
> does it start with this?
> #!/bin/sh

Yes