On Wed, Dec 19, 2018 at 11:06:25PM +0000, mossy wrote:
> Hello all,
> 
> I was looking to see if I could update an offline standalone VM, by
> appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
> have some questions.
> 
> First, I noticed the lines:
> 
> ~~~
> # Default rule for all TemplateVMs - direct the connection to sys-net
> $type:TemplateVM $default allow,target=sys-net
> ~~~
> 
> Q1) Is this correct?  Shouldn't updates be directed to sys-firewall
> instead of sys-net?  Are all of our templates exposed to (untrusted)
> sys-net?
> 
> Hopefully I am wrong about this, but either way I'd appreciate if
> someone could explain...
> 
> Q2) If I want to update an offline standalone VM called `OfflineSA`,
> what would be the proper syntax in
> `etc/qubes-rpc/policy/qubes.UpdatesProxy`?  I have tried each of the
> following without success:
> 
> ~~~
> OfflineSA $default allow,target=sys-net
> OfflineSA $default allow,target=sys-firewall
> OfflineSA allow,target=sys-net
> OfflineSA allow,target=sys-firewall
> $type:StandaloneVM $default allow,target=sys-net
> $type:StandaloneVM $default allow,target=sys-firewall
> ~~~
> 
> Q3) Do I need to restart my whole Qubes system for any new
> `etc/qubes-rpc/policy/qubes.UpdatesProxy` rules to come into effect?
> 
> Q4) Can update proxies perhaps only be set via some $tag or $type?
> 
> Thank you!
> 
> -m0ssy

Q1. Yes, the default is to use sys-net. You can change this if you wish.
(I do)
The update proxy has always been set to sys-net by default.
The proxy used to filter traffic, but no longer does so. Again, I change
this behaviour.

Q2. `OfflineSA $default allow,target=sys-net`
should work: the syntax is right. (You do have proxy configured in
OfflineSA?)

Q3. No - changes in those rules come into play straight away.

Q4. No, they can be set on an individual basis.
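
Added example, not part of the original thread and not Qubes' own parser: a simplified Python model of how a `qubes.UpdatesProxy` policy file is read, with three whitespace-separated fields per rule and the first matching rule deciding the call. The trailing `$anyvm $anyvm deny` line and the `VM`, `parse_policy`, `evaluate` and `decide` names are assumptions made for illustration; the model shows why a rule appended after a catch-all deny never takes effect and why the two-field variants tried above do not parse.

```python
# Simplified model for illustration; this is not the Qubes policy parser.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    vmtype: str
    tags: set = field(default_factory=set)

def parse_policy(text):
    """Parse 'source destination action[,key=value...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"need source, destination, action: {raw!r}")
        action, *opts = fields[2].split(",")
        rules.append((fields[0], fields[1], action, dict(o.split("=", 1) for o in opts)))
    return rules

def spec_matches(spec, vm):
    if spec.startswith("$type:"):
        return vm.vmtype == spec[len("$type:"):]
    if spec.startswith("$tag:"):
        return spec[len("$tag:"):] in vm.tags
    return spec in ("$anyvm", vm.name)

def evaluate(rules, source, target="$default"):
    """First matching rule wins; falling off the end means deny."""
    for src, dst, action, params in rules:
        # A call with no explicit target matches only $default or $anyvm.
        dst_ok = dst in ("$default", "$anyvm") if target == "$default" else dst in ("$anyvm", target)
        if dst_ok and spec_matches(src, source):
            return action, params.get("target")
    return "deny", None

# Constructed sample: the TemplateVM rule quoted in the thread, followed by a
# catch-all deny that is ASSUMED here to show the effect of rule order.
BASE = "$type:TemplateVM $default allow,target=sys-net\n$anyvm $anyvm deny\n"
RULE = "OfflineSA $default allow,target=sys-net\n"
OFFLINE = VM("OfflineSA", "StandaloneVM")

def decide(policy_text, vm=OFFLINE):
    return evaluate(parse_policy(policy_text), vm)

if __name__ == "__main__":
    print("appended :", decide(BASE + RULE))
    print("prepended:", decide(RULE + BASE))
```
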
