On Wed, Dec 07, 2016 at 02:38:57PM -0800, justusranv...@gmail.com wrote:
> > Check ip6tables - by default all IPv6 input is blocked on Qubes.
> >
> Thanks.
>
> I ended up solving the problem with an ExecStartPost line in cjdns.service.
>
> For the benefit of anyone who searches this thread, this is the cjdns.service
> I use to make sure you can have a persistent config:
>
> [Unit]
> Description=cjdns: routing engine designed for security, scalability, speed and ease of use
> Wants=network.target
> After=network.target cjdns-loadmodules.service
> Requires=cjdns-loadmodules.service
>
> [Service]
> ProtectHome=true
> ProtectSystem=true
> SyslogIdentifier=cjdroute
> CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
> ExecStartPre=/bin/sh -ec "if ! test -s /rw/config/cjdroute.conf; \
>     then umask 077; \
>     /usr/sbin/cjdroute --genconf | cat > /rw/config/cjdroute.conf; \
>     echo 'WARNING: A new /rw/config/cjdroute.conf file has been generated.'; \
>     fi"
> ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /rw/config/cjdroute.conf"
> ExecStartPost=/usr/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Restart=always
>
> [Install]
> WantedBy=multi-user.target
> Also=cjdns-resume.service

I think this can be improved (and simplified):
1. Use bind-dirs[1] (works also for files) to make config persistent; this
requires having _some_ config file in the template (can be empty).
2. Use a systemd drop-in to add ExecStartPost (simply create
/etc/systemd/system/cjdns.service.d/50_user.conf with just [Service] and
ExecStartPost=... there).
2a. Or alternatively - place the ip6tables command in /rw/config/rc.local

[1] https://www.qubes-os.org/doc/bind-dirs/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
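
The two steps suggested in the reply, as an added example that is not part of the original message: a shell function that writes the bind-dirs entry and the systemd drop-in under a path prefix. It assumes a template-based VM, that the packaged unit reads /etc/cjdroute.conf, and the `binds+=( ... )` format from the bind-dirs documentation linked above; the `ip6tables -C` guard is an addition so that Restart=always does not append the same rule on every restart.

```shell
#!/bin/sh
# Added example, not from the thread: writes the files the reply describes.
# Assumptions: the packaged cjdns.service reads /etc/cjdroute.conf, and the
# bind-dirs entry format follows the Qubes bind-dirs documentation.
set -eu

RULE='INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# write_cjdns_persistence ROOT
#   ROOT is a path prefix; pass "" to write to the live filesystem.
write_cjdns_persistence() {
    root=$1
    dropin_dir="$root/etc/systemd/system/cjdns.service.d"
    bind_dir="$root/rw/config/qubes-bind-dirs.d"
    mkdir -p "$dropin_dir" "$bind_dir"

    # Step 1: bind-dirs needs some config file to exist (it can be empty).
    # Created with umask 077 because the generated config holds the node's
    # private key; an existing file is left untouched.
    if [ ! -e "$root/etc/cjdroute.conf" ]; then
        ( umask 077; : > "$root/etc/cjdroute.conf" )
    fi
    printf "binds+=( '/etc/cjdroute.conf' )\n" > "$bind_dir/50_user.conf"

    # Step 2: drop-in that adds only ExecStartPost to the packaged unit.
    # -C checks for the rule first, so a restart does not duplicate it.
    cat > "$dropin_dir/50_user.conf" <<EOF
[Service]
ExecStartPost=/bin/sh -c '/usr/sbin/ip6tables -C $RULE 2>/dev/null || /usr/sbin/ip6tables -A $RULE'
EOF
}

# Dry run into a scratch directory so the result can be inspected first.
scratch=$(mktemp -d)
write_cjdns_persistence "$scratch"
find "$scratch" -type f | sort
```

After writing to the live filesystem, run `systemctl daemon-reload` so systemd picks up the drop-in.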