[qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread pleomati
https://www.qubes-os.org/doc/qubes-firewall/

Everything is in the chapter "Enabling networking between two VMs".
You don't need to run custom scripts for enabling networking between two VMs.

In case you need your system safe from apps connecting to each other, you can allow 
traffic on a single port and connect them via an SSH tunnel. Let's say you allow traffic 
A<>B on port 22, then connect via SSH: 
ssh -L port:ip:port user@ip and then point the browser in the client VM to 
localhost. The SSH tunnel redirects you to your webserver on VM B.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cad7e178-4de4-4e0e-b53e-a229848b55f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread raahelps
On Tuesday, October 11, 2016 at 6:16:31 AM UTC-4, Unman wrote:
> On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> > On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > > world writable script executed as root is the worst advice I've ever seen 
> > > on this mailing list.
> > > please don't do that!
> > 
> > I don't even think that'd make it executable, but writeable lol.  just do 
> > chmod a+x
> > 
> > why not filter outbound instead of inbound?
> > 
> chmod 766 does make it executable, obviously - it also makes it world
> writable.
> 
> I've seen plenty of worse advice on the lists.
> The fact that it's now world writable is a red herring. Every file in a
> qube is writeable by the user in default setup, regardless of
> permissions. It doesn't matter.
> Look at /etc/sudoers.d/qubes 
> 
> Setting custom iptables rules from rc.local is possible - whether it
> adds anything more than a minimal layer of safety is questionable. I
> choose to set inbound and outbound restrictions on all net and proxy
> qubes, and custom restrictions on FORWARD rules too.
> 
> unman

Oh ok, I thought it would make it readable and writable, but not executable. 
But I didn't test it. 

Yeah, well, I mean unless he is a webserver I would be filtering outgoing for ports 
80,443, not incoming. Figured it was just good practice.  



Re: [qubes-users] Re: rc.local iptables persistence on reboot

2016-10-11 Thread Unman
On Mon, Oct 10, 2016 at 10:19:16PM -0700, raahe...@gmail.com wrote:
> On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> > world writable script executed as root is the worst advice I've ever seen 
> > on this mailing list.
> > please don't do that!
> 
> I don't even think that'd make it executable, but writeable lol.  just do 
> chmod a+x
> 
> why not filter outbound instead of inbound?
> 
chmod 766 does make it executable, obviously - it also makes it world
writable.

I've seen plenty of worse advice on the lists.
The fact that it's now world writable is a red herring. Every file in a
qube is writeable by the user in default setup, regardless of
permissions. It doesn't matter.
Look at /etc/sudoers.d/qubes 

Setting custom iptables rules from rc.local is possible - whether it
adds anything more than a minimal layer of safety is questionable. I
choose to set inbound and outbound restrictions on all net and proxy
qubes, and custom restrictions on FORWARD rules too.

unman



[qubes-users] Re: rc.local iptables persistence on reboot

2016-10-10 Thread raahelps
On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> world writable script executed as root is the worst advice I've ever seen on 
> this mailing list.
> please don't do that!

I don't even think that'd make it executable, but writable, lol. Just do chmod 
a+x

Why not filter outbound instead of inbound?



[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-22 Thread Connor Page
A world-writable script executed as root is the worst advice I've ever seen on 
this mailing list.
Please don't do that!



[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-21 Thread Drew White
On Sunday, 18 September 2016 10:14:15 UTC+10, nishi...@gmail.com wrote:
> Hello,
> 
> Following the Qubes documentation on the firewall 
> https://www.qubes-os.org/doc/qubes-firewall/, I tried to put some basic 
> iptables rules into /rw/config/rc.local in an AppVM but they don't persist 
> after reboots:
> 
> iptables -F

Don't use -F; flushing removes the iptables rules Qubes itself installs.
Don't use -P either.

#!/bin/sh
# Insert the extra rules at the top of INPUT instead of flushing the chain,
# so the rules Qubes put in place stay intact.
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT


> When I type "sudo iptables -L", they don't appear after rebooting the VM, I 
> have the same rules as before; it looks like the script isn't launched :( 
> This is weird because the file is executable! ("sudo chmod +x rc.local"). 
> Also I tried to add sudo before every line but it didn't change the outcome.
> 

Have you made sure it's executable? (ls -al)

If not, use the full command, not an abbreviated one, because sometimes the 
abbreviated form only affects user and group, not everyone.
"chmod 766 rc.local"?

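The rc.local pattern discussed above (insert rules, never -F or -P), written out as an added example that is not from the thread or from the Qubes project. It keeps Drew White's four rules and adds two things a practitioner would want: each insert is guarded with `iptables -C`, so the script is idempotent and a re-run does not stack duplicate rules, and the command name is taken from an `IPTABLES` variable (an assumption introduced here) so the logic can be exercised with a stand-in when not running as root inside a qube. The `case "$0"` guard at the end is also an assumption: Qubes runs the file by its path, so the firewall is only touched when the file is executed as rc.local.

```sh
#!/bin/sh
# Hypothetical /rw/config/rc.local for a Qubes AppVM (added example).
# Never flush (-F) or change policies (-P): that would drop the rules Qubes
# itself installs. Insert the extra INPUT rules at the top instead.

# Command used for firewall changes; overridable so the logic can be run
# against a stand-in instead of the real binary (which needs root).
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN POS RULE... : insert RULE at position POS in CHAIN unless
# an identical rule already exists in the chain (iptables -C checks that).
ensure_rule() {
    chain="$1"; pos="$2"; shift 2
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    "$IPTABLES" -I "$chain" "$pos" "$@"
}

# The rules from the thread, in the same order, applied idempotently.
apply_rules() {
    ensure_rule INPUT 1 -i lo -j ACCEPT
    ensure_rule INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure_rule INPUT 3 -p tcp --dport 80 -j ACCEPT
    ensure_rule INPUT 4 -p tcp --dport 443 -j ACCEPT
}

# Qubes executes this file by path at qube start; only touch the firewall
# in that case, so the file can also be sourced for inspection without
# side effects.
case "$0" in
    */rc.local) apply_rules ;;
esac
```

After installing it, `sudo iptables -L INPUT --line-numbers` should show the four rules once at the top, and running the file a second time should leave the count unchanged.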


[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-20 Thread nishiwaka46
Yes, my script is already posted here. I was implying the sh shebang, as we're 
talking about a file that contains it before any changes are made. But thanks for 
checking.



[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-20 Thread Connor Page
Would you mind posting the whole script?



[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-19 Thread nishiwaka46
On Sunday, 18 September 2016 20:36:53 UTC+2, Connor Page wrote:
> does it start with this?
> #!/bin/sh

Yes
