On Saturday, 10 February 2018 00:13:00 UTC, joev...@gmail.com wrote: > On Friday, 9 February 2018 19:02:09 UTC-5, Alex Dubois wrote: > > On Friday, 9 February 2018 23:59:52 UTC, Alex Dubois wrote: > > > On Friday, 9 February 2018 16:36:14 UTC, joev...@gmail.com wrote: > > > > Yes, thanks for pointing out the typos. They are only mistakes in this > > > > post. I use a script running in dom0 to generate pretty much > > > > everything. The same script works when debian-8 is used. The > > > > interface is different depending on the template > > > > > > I confirm I have the same issue. > > > Please however note that I have another PCI NIC connected to an AppVM (My > > > qubes also act as a firewall for home network) and we have no issue > > > connecting outbound. > > > Outbound connection as you know do not need the PRE-ROUTING rules, so > > > also the problem is seen on the FORWARD rule, I suspect more the > > > PRE-ROUTING rule is at fault and does not do its job. > > > I'll try to dig into this, however I won't have much time this week... > > > > Also, could you clarify if you've tested on FirewallVM and if here again > > Debian is OK and Fedora not. This might rule out issues with physical cards > > (which I suspect is not the problem as PRE-ROUTING does get the packet). > > Yes, if the template on sys-net is changed to Debian-8, but sys-firewall > (FirewallVM) is left with fedora... sys-net does send the packet to > sys-firewall, which then appears the same way... PREROUTING sees it, but > FORWARD does not. > > Thanks. > > P.S. > Debian-9 has issues as well, but I didn't test thoroughly with that. And I > think Fedora-25 was working prior to some updates. I do enable testing repos > for these templates, but don't know what package is the culprit and don't > know how to rollback.
I have opened a thread on the iptables mailing-list to try to go to the bottom of the reason why it stopped working with subject: iptables PREROUTING to-destination hit but no hit in FORWARD (advanced) -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/dd68eef8-f14a-40a3-8d3f-e780e16cc707%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
