> On 07/14/2016 04:51 PM, katerim...@sigaint.org wrote:
>>> On 07/14/2016 10:39 AM, katerim...@sigaint.org wrote:
>>>> Good day
>>>> I'm using a VPN in sys-net and would like to set up firewall rules to
>>>> stop the internet connection if the VPN crashes. In sys-net it isn't
>>>> possible to insert IP addresses, then I did it in sys-firewall. With
>>>> some tests I saw that if the VPN disconnects suddenly, sys-net finds my
>>>> wifi network and doesn't break the connection, as I would like. How can
>>>> I solve this? (in the proxyVMs all works well)
>>>>
>>>> Thank you
>>>>
>>> Take a look at https://www.qubes-os.org/doc/vpn/
>>>
>>> For leak protection and security it is best to set up a vpn client in a
>>> proxy vm, between sys-net and the appvms. You can follow the
>>> instructions from the doc "Using iptables and openvpn", or use the
>>> firewall script as an example. The two critical commands that prevent
>>> leaks (in the proxy vm configuration) are:
>>>
>>> iptables -I FORWARD -o eth0 -j DROP
>>> iptables -I FORWARD -i eth0 -j DROP
>>>
>>> This means that no forwarding can take place involving the
>>> upstream/clearnet interface eth0, so the only way out is through the
>>> vpn tunnel.
>>>
>>> Chris
>>>
>> Hi Chris
>> Thank you for the explanation, I want to know if I can use the firewall
>> tab in sys-net (or sys-firewall) like I have done in the proxyVM because
>> I also have a VPN in sys-net. If it isn't possible, do I change iptables
>> in sys-net while in all the other proxyVMs I use the firewall tab?
>>
>> Regards
>>
>
> The firewall tab (in any vm) is not a good place to add this restriction
> even if it did accept that kind of rule (which it does not). The best
> way is to run the vpn client in a separate proxy vm, and set the
> firewall rules with the qubes-firewall-user-script in that vm as shown
> in the doc.
>
> You can try to use qubes-firewall-user-script in the netvm, but I think
> this approach is untested. Of course, by Qubes standards it is insecure.
>
> Chris
>
Hi
I also see other commands but haven't understood what they mean (qvpn group?)

Thank you
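
The two FORWARD rules quoted in the thread only block leaks while they sit ahead of every ACCEPT rule in the chain, which is what `-I` (insert at the top) gives. As an added example (not part of the original messages or of the Qubes documentation), this shell function audits `iptables -S FORWARD` output for that condition; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Audit a FORWARD chain listing (format of `iptables -S FORWARD`) for the two
# leak-blocking rules from the thread. Reads the listing on stdin; $1 is the
# upstream interface (default eth0, as in the thread).
# Prints OK, MISSING or SHADOWED; returns 0 only for OK.
check_killswitch() {
    awk -v ifc="${1:-eth0}" '
        # Exact, unconditional DROP rules as created by the two commands.
        $0 == ("-A FORWARD -o " ifc " -j DROP") { out = 1; next }
        $0 == ("-A FORWARD -i " ifc " -j DROP") { inb = 1; next }
        # Conservative assumption: any ACCEPT rule listed before both DROPs
        # could match first and let traffic bypass them.
        /^-A FORWARD / && / -j ACCEPT/ && !(out && inb) { shadow = 1 }
        END {
            if (!(out && inb)) { print "MISSING";  exit 2 }
            if (shadow)        { print "SHADOWED"; exit 1 }
            print "OK"
        }'
}

# Constructed sample listings (not captured from a real system).
GOOD='-P FORWARD ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

BAD='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP'

printf '%s\n' "$GOOD" | check_killswitch eth0           # OK
printf '%s\n' "$BAD"  | check_killswitch eth0 || true   # SHADOWED
```

In the VM running the VPN client, the live chain can be checked with `iptables -S FORWARD | check_killswitch eth0`.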