On Thursday, March 1, 2018 at 12:29:30 UTC+2, Chris Laprise wrote:
> On 03/01/2018 03:08 AM, ThierryIT wrote:
> > Hi,
> >
> > I have configured the proxyVM with rules for http, https, smtp and ntp.
> > I have understood that for the DNS (which is not working anymore) I have to
> > use from dom0 : qvm-firewall ...
> >
> > I want to oblige all the VMs to use only "OpenVPN" as DNS.
> >
> > I did :
> >
> > qvm-firewall vmname add rule --dns=208.67.222.222 and many other
> > combinations ... It does not accept any of my rules ... Mistakes from my side
> > but from where ?
> >
> > Second question, is there any possibility to find an example of how to make a
> > proper FW with rules example under Qubes ?
> >
> > Thx
> >
>
> There are two main ways to add firewall rules to a proxyVM: Via VM
> settings of a downstream VM (appVM), and via a script in the proxyVM
> itself at /rw/config/qubes-firewall-user-script.
>
> The former is limited but has a convenient GUI in VM Settings dialog
> (also qvm-firewall). The rules for each appVM get transferred to the
> connected proxyVM. (If you are trying to use qvm-firewall to add rules
> to the proxyVM and not the appVM, that may be your mistake.)
>
> The second method is very flexible but requires a little study of the
> proxyVM's default internal firewall configuration before adding your own
> rules in the script.
>
> Another, third way is to have a program like openvpn run a script when
> the link goes up.
>
> There are good examples which actually handle DNS addresses in the Qubes
> VPN doc[1], the Qubes-vpn-support project[2] and also in the script
> found at /usr/lib/qubes/qubes-setup-dnat-to-ns. These scripts use dnat
> rules to convert DNS requests to use a particular DNS address, although
> in your case you might want to leave '-d' as 'any' instead of specifying
> an address.
>
> Note that the second link below is easy to set up and the 'qubes-vpn-ns'
> script accepts DHCP-generated variables from openvpn and automatically
> uses them to set up dnat.
>
>
> [1] https://www.qubes-os.org/doc/vpn/
> [2] https://github.com/tasket/Qubes-vpn-support/tree/qubes4
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Thx ... I am going to do my homework now :)
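
The dnat approach described in the quoted reply, as an added example that is not part of the thread and is not the Qubes-vpn-support code: it reads the DNS addresses openvpn exports in `foreign_option_N`, validates them, and prints (dry run) the DNAT rules with no `-d` match. The function names are hypothetical; the `PR-QBS` chain and the `vif+` interface match are assumed from the Qubes VPN doc's handler script.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes-vpn-support.
# Assumption: the proxyVM's nat table has the PR-QBS chain and downstream
# VMs attach on vif+ interfaces, as in the Qubes VPN doc's handler script.

# Strict dotted-quad check: the address is pushed by the VPN server and ends
# up on an iptables command line, so reject anything that is not plain IPv4.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# openvpn exports pushed options as foreign_option_1, foreign_option_2, ...
# e.g. "dhcp-option DNS 10.8.0.1". Print one validated DNS address per line.
vpn_dns_servers() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        n=$((n + 1))
        case $opt in
            "dhcp-option DNS "*) addr=${opt#"dhcp-option DNS "} ;;
            *) continue ;;
        esac
        if valid_ipv4 "$addr"; then echo "$addr"; fi
    done
}

# Print (dry run) the rules that send every DNS request from downstream VMs
# to the VPN's resolver. No '-d' match, so any destination is rewritten.
dnat_rules() {
    servers=$(vpn_dns_servers)
    [ -n "$servers" ] || return 1   # nothing pushed: leave existing rules alone
    echo "iptables -t nat -F PR-QBS"
    for addr in $servers; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -i vif+ -p $proto --dport 53 -j DNAT --to $addr"
        done
    done
}
```

When several DNS addresses are pushed, the first matching DNAT rule in the chain handles the request; the later ones are only reached if the earlier rules are removed.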