On 03/01/2018 03:08 AM, ThierryIT wrote:
Hi,

I have configured the proxyVM with rules for http, https, smtp and ntp.
I have understood that for the DNS (which is not working anymore) I have to use 
from dom0 : qvm-firewall  ...

I want to oblige all the VMs to use only "OpenVPN" as DNS.

I did :

qvm-firewall vmname add rule --dns=208.67.222.222 and many other combinations 
... It does not accept any of my rules ... Mistakes from my side but from where ?

Second question, is there any possibility to find examples of how to make a 
proper FW with rules under Qubes ?

Thx


There are two main ways to add firewall rules to a proxyVM: Via VM settings of a downstream VM (appVM), and via a script in the proxyVM itself at /rw/config/qubes-firewall-user-script.

The former is limited but has a convenient GUI in the VM Settings dialog (also qvm-firewall). The rules for each appVM get transferred to the connected proxyVM. (If you are trying to use qvm-firewall to add rules to the proxyVM and not the appVM, that may be your mistake.)

The second method is very flexible but requires a little study of the proxyVM's default internal firewall configuration before adding your own rules in the script.

Another, third way is to have a program like openvpn run a script when the link goes up.

There are good examples which actually handle DNS addresses in the Qubes VPN doc[1], the Qubes-vpn-support project[2] and also in the script found at /usr/lib/qubes/qubes-setup-dnat-to-ns. These scripts use dnat rules to convert DNS requests to use a particular DNS address, although in your case you might want to leave '-d' as 'any' instead of specifying an address.

Note that the second link below is easy to set up and the 'qubes-vpn-ns' script accepts DHCP-generated variables from openvpn and automatically uses them to set up dnat.


[1] https://www.qubes-os.org/doc/vpn/
[2] https://github.com/tasket/Qubes-vpn-support/tree/qubes4

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
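
Added example, not part of the thread and not code from Qubes-vpn-support or the Qubes VPN doc: a dry-run sketch of the approach described in the reply, turning the DNS addresses OpenVPN pushes (exported to its up script as `foreign_option_N`) into dnat rules with no `-d` match. The chain name `PR-QBS`, the `vif+` interface match, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Dry run: prints the iptables commands instead of applying them.
# Assumption: PR-QBS is the nat chain the Qubes VPN doc uses for DNS dnat and
# vif+ matches the downstream VMs; check with `iptables -t nat -L -v` first.
CHAIN="${CHAIN:-PR-QBS}"

# Accept only a dotted-quad IPv4 address, so nothing else reaches a rule.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# OpenVPN passes pushed options to its up script as foreign_option_1,
# foreign_option_2, ... for example "dhcp-option DNS 10.8.0.1".
vpn_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                if is_ipv4 "$addr"; then echo "$addr"; fi ;;
        esac
        i=$((i + 1))
    done
}

# With no -d match every DNS request arriving from a downstream VM is
# rewritten by the first rule, so only the first pushed server is used.
dns_dnat_rules() {
    server=$(vpn_dns_servers | head -n 1)
    [ -n "$server" ] || { echo "no usable DNS option pushed" >&2; return 1; }
    echo "iptables -t nat -F $CHAIN"   # replaces the DNS rules already in the chain
    for proto in udp tcp; do
        echo "iptables -t nat -A $CHAIN -i vif+ -p $proto --dport 53 -j DNAT --to-destination $server"
    done
}

# Constructed sample of what an OpenVPN server might push.
foreign_option_1="dhcp-option DOMAIN example.test"
foreign_option_2="dhcp-option DNS 10.8.0.1"
foreign_option_3="dhcp-option DNS 10.8.0.2"
dns_dnat_rules
```

Both UDP and TCP port 53 are covered so that large or retried queries cannot bypass the redirect.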
