On 10/24/17 07:36, Marek Marczykowski-Górecki wrote:

> On Tue, Oct 24, 2017 at 01:02:53AM -0400, Chris Laprise wrote:
>> In trying to adapt VPN scripts to Qubes R4.0 I've found the
>> qubes-firewall-user-script has been renamed to qubes-ip-change-hook
>
> No, qubes-ip-change-hook was always there. But yes,
> qubes-firewall-user-script is gone. See below.
>
>> and it
>> no longer seems to run every time qubes-firewall is restarted. Causing IP
>> changes when starting/stopping dependent appVMs (and adding firewall rules
>> in settings GUI) also appears to trigger neither the script nor the familiar
>> FORWARD re-building process.
>>
>> The new behavior doesn't seem to be documented yet, so I have two questions:
>>
>> 1. Is there any erase-and-rebuild process remaining in R4 for the FORWARD
>> chain?
>
> No, new firewall rules are added to a separate chain (QBS-FORWARD), and
> FORWARD itself is not regenerated. You can freely add your rules before
> or after the automatic ones and qubes-firewall will not touch them.
> If you have nftables installed (Fedora), qubes-firewall will use that
> instead and create an entirely separate table, so you can use your own
> rules even more easily.
>
>> 2. What is the recommended way to modify iptables before forwarding is
>> enabled at startup, and subsequently during normal runtime?
>
> Either add your own startup script, ordered before network.target. Or modify
> /etc/qubes/iptables.rules. If you don't care about ordering, you can use
> /rw/config/rc.local.

Thanks!

Also, is there a reason 'Deny Except...' no longer appears in VM firewall settings?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
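
The approach from the reply above (rules placed directly in FORWARD, loaded from /rw/config/rc.local or an early startup script), sketched as an added example that is not part of the original thread and not Qubes project code. The eth0 uplink name, the two DROP rules and the jump from FORWARD into QBS-FORWARD are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for a VPN gateway qube on R4.0; call from /rw/config/rc.local
# or from a startup script ordered before network.target.
# Assumptions: eth0 is the upstream interface, and FORWARD reaches the
# qubes-firewall rules through a jump to QBS-FORWARD.

UPLINK="${UPLINK:-eth0}"   # assumed upstream (clearnet) interface
IPT="${IPT:-iptables}"     # override with a stub for a dry run

# Rule specs, one per line, without the -I/-C verb.
vpn_rules() {
    printf 'FORWARD -o %s -j DROP\n' "$UPLINK"
    printf 'FORWARD -i %s -j DROP\n' "$UPLINK"
}

# Insert each rule at the top of FORWARD unless it already exists, so that
# re-running the script does not pile up duplicates.
apply_rules() {
    vpn_rules | while read -r chain spec; do
        # $spec is left unquoted on purpose: it holds several arguments
        $IPT -C "$chain" $spec 2>/dev/null || $IPT -I "$chain" 1 $spec
    done
}

# Read `iptables -S FORWARD` output on stdin. Succeeds only if every rule
# from vpn_rules is present and sits before the first jump to QBS-FORWARD
# (if no such jump is listed, presence alone is enough).
rules_precede_qbs() {
    listing=$(cat)
    qbs_line=$(printf '%s\n' "$listing" | grep -n -e '-j QBS-FORWARD' | head -n 1 | cut -d: -f1)
    vpn_rules | (
        status=0
        while read -r chain spec; do
            n=$(printf '%s\n' "$listing" | grep -n -x -F -e "-A $chain $spec" | head -n 1 | cut -d: -f1)
            [ -n "$n" ] || { status=1; continue; }   # rule missing
            [ -z "$qbs_line" ] || [ "$n" -lt "$qbs_line" ] || status=1
        done
        exit "$status"
    )
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules && $IPT -S FORWARD | rules_precede_qbs
fi
```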
