On 03/06/2017 03:05 PM, Unman wrote:
> On Mon, Mar 06, 2017 at 08:26:30AM +0100, evo wrote:
>>
>> On 03/06/2017 12:41 AM, Unman wrote:
>>> On Sun, Mar 05, 2017 at 10:26:22PM +0100, evo wrote:
>>>>
>>>> On 03/05/2017 10:22 PM, Unman wrote:
>>>>> On Sun, Mar 05, 2017 at 10:12:15PM +0100, evo wrote:
>>>>>> oh, thanks... I thought I read the post about firewall, but didn't see
>>>>>> the limit of 3kb.
>>>>>>
>>>>>> so the only way to get over 3kb is to edit own rules in /rw/config?
>>>>>> And for building the own script there, I should really understand the
>>>>>> whole iptables thing.. puh :)
>>>>>>
>>>>>> sorry for the newbie question, but what the hell is /rw??
>>>>>>
>>>>>> On 03/05/2017 10:03 PM, Unman wrote:
>>>>>>> On Sun, Mar 05, 2017 at 09:35:00PM +0100, evo wrote:
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I get an error pop-up:
>>>>>>>> "ERROR: Firewall tab: (0,'Error')"
>>>>>>>>
>>>>>>>> by adding a new address.
>>>>>>>>
>>>>>>>> I have already added a few addresses (about 20 or 30).
>>>>>>>> is there any limit or something like that??
>>>>>>>>
>>>>>>>> thanks!
>>>>>>>
>>>>>>> Yes:
>>>>>>> It's documented here:
>>>>>>> www.qubes-os.org/doc/firewall
>>>>>>>
>>>>>>> There's also a proposal for a work around
>>>>>>>
>>>>>
>>>>> Can you try not to top-post?
>>>>>
>>>>> When you are running a TemplateBasedVM, most of the file system comes
>>>>> from the template. This means that many changes that you make will
>>>>> disappear on reboot. (E.g. changing config in /etc, installing programs
>>>>> etc.)
>>>>> Some parts of the file system (/home and /usr/local) DO persist in the
>>>>> qube. They are actually stored in /rw: have a look.
>>>>> There is also a mechanism (bind-dirs) for making other files persistent.
>>>>> You can read about it in the docs.
>>>>> (You can, of course, also store files in /rw/config and use the
>>>>> rc.local mechanism to change files in the root file system on boot - e.g.
>>>>> adding entries to hosts files, custom iptables rules etc etc.)
>>>>>
>>>>> unman
>>>>>
>>>>
>>>> ok, so the /rw is on the VM and not in the dom0, understood.
>>>>
>>>> do I need a special name for the iptables rules in /rw/config?
>>>>
>>>> maybe just an example for permitting 8.8.8.8:80 ... I know it's the iptables
>>>> thing :)
>>>
>>> For proxyVMs (like sys-firewall) there is a built-in mechanism you can
>>> exploit.
>>> Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
>>> have already hit that 3k limit.
>>> Edit the file /rw/config/qubes-firewall-user-script, and add the line:
>>> iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT
>>>
>>> chmod +x /rw/config/qubes-firewall-user-script
>>>
>>> This script is called whenever a new qube is attached to the proxyVM
>>> and the relevant iptables rules are automatically rebuilt.
>>>
>>> You can also build your own custom rulesets and store them in an
>>> arbitrarily named file called from /rw/config/qubes-firewall-user-script,
>>> and you can, of course, do anything you like from this file, which will
>>> be triggered when a new qube is attached: that is, you aren't limited to
>>> firewall manipulation.
>>>
>>> unman
>>>
>>
>> thanks!
>> so I can just write the line for one rule, without writing the whole
>> script for iptables.
>
> Yes - the rest of the rules will be taken from the entries you have
> configured in the manager for that qube.
>
>> so I can call it however I want or use the qubes-firewall-user-script
>> file... is it principally the same? or does qubes-firewall-user-script
>> replace the whole rules I already have?
>
> qubes-firewall-user-script is just a script that is called after the
> usual Qubes firewall service process - that reads the rules set per
> attached qube and instantiates them on the ProxyVM.
> A significant difference is that a rule you set in
> qubes-firewall-user-script will be set every time that script is called,
> whereas one set in manager (or in qvm-firewall) will only be applied
> when the relevant qube is attached.
> It doesn't replace the other rules unless you explicitly ask it to do so
> - you could do this if you wanted. Since it's just a script you can do
> anything you like in there, as I've said. This would include setting
> rules depending on what qubes were attached (e.g. if qube A and qube B are
> BOTH attached to ProxyVM, open up inbound access to qube A).
>
>> the problem I have now is... I forgot to delete the "overloaded" rule
>> from the VM and now I can not start it. is there any other way to start
>> it, or to delete this overloaded 3k-file? is this file on sys-firewall
>> or on the VM itself?
>
> Just delete the rules from the manager interface or look at qvm-firewall
> (in dom0). The help there is pretty good.
>
hmmm... I can not delete it from the manager interface, because I can not
start the VM (because of the overloaded 3KB limit of the firewall).

qvm-firewall seems to be a great thing!
with qvm-firewall -n "VM-name" list I can see the entries I did.
and with qvm-firewall "VM-name" -d "rule-number" I can delete one rule I made over the 3KB limit.

so, now I can just make the other rules in the qubes-firewall-user-script.

very well!! thank you for the great help!!

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2707f45b-a00a-2a7d-c2df-8128147f4c38%40aliaks.de.
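An added example, written for this thread and not taken from it or from Qubes: a /rw/config/qubes-firewall-user-script that applies unman's rule the way the hook is actually invoked. Because Qubes runs the script on every qube attachment, each rule is checked with iptables -C before it is inserted with -I, so repeated runs do not stack duplicate copies; the IPTABLES variable and the $0 guard are assumptions added so the helper can be dry-run outside the proxy VM.

```shell
#!/bin/sh
# Constructed example of /rw/config/qubes-firewall-user-script for a proxy VM
# such as sys-firewall (not the thread's or Qubes' own file). Qubes calls it
# each time a qube is attached, after the per-qube rules have been rebuilt,
# so everything here must be safe to apply again and again.

# Assumption: IPTABLES may be overridden so the helpers can be dry-run
# against a stub instead of the real iptables binary.
IPTABLES=${IPTABLES:-iptables}

# allow_forward SRC DST PROTO DPORT
# Inserts "-s SRC -d DST -p PROTO --dport DPORT -j ACCEPT" at the top of
# FORWARD, but only if an identical rule is not already present: -C checks
# for the rule (exit 0 when found), -I inserts it. Without the check, every
# qube attachment would add one more copy of the same rule.
allow_forward() {
    _src=$1 _dst=$2 _proto=$3 _dport=$4
    if "$IPTABLES" -C FORWARD -s "$_src" -d "$_dst" -p "$_proto" \
            --dport "$_dport" -j ACCEPT 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I FORWARD -s "$_src" -d "$_dst" -p "$_proto" \
            --dport "$_dport" -j ACCEPT
}

# The rule from the thread: let 10.137.100.1 reach 8.8.8.8 on TCP port 80.
apply_user_rules() {
    allow_forward 10.137.100.1 8.8.8.8 tcp 80
}

# Only apply when Qubes invokes this file as the hook itself; when the
# functions are sourced elsewhere (for example a dry run) nothing changes.
case "$0" in
    */qubes-firewall-user-script) apply_user_rules ;;
esac
```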
