unman:
> On Wed, Dec 19, 2018 at 11:06:25PM +0000, mossy wrote:
>> Hello all,
>>
>> I was looking to see if I could update an offline standalone VM, by
>> appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
>> have some questions.
>>
>> First, I noticed the lines:
>>
>> ~~~
>> # Default rule for all TemplateVMs - direct the connection to sys-net
>> $type:TemplateVM $default allow,target=sys-net
>> ~~~
>>
>> Q1) Is this correct?  Shouldn't updates be directed to sys-firewall
>> instead of sys-net?  Are all of our templates exposed to (untrusted)
>> sys-net?
>>
>> Hopefully I am wrong about this, but either way I'd appreciate if
>> someone could explain...
>>
>> Q2) If I want to update an offline standalone VM called `OfflineSA`,
>> what would be the proper syntax in
>> `etc/qubes-rpc/policy/qubes.UpdatesProxy`?  I have tried each of the
>> following without success:
>>
>> ~~~
>> OfflineSA $default allow,target=sys-net
>> OfflineSA $default allow,target=sys-firewall
>> OfflineSA allow,target=sys-net
>> OfflineSA allow,target=sys-firewall
>> $type:StandaloneVM $default allow,target=sys-net
>> $type:StandaloneVM $default allow,target=sys-firewall
>> ~~~
>>
>> Q3) Do I need to restart my whole Qubes system for any new
>> `etc/qubes-rpc/policy/qubes.UpdatesProxy` rules to come into effect?
>>
>> Q4) Can update proxies perhaps only be set via some $tag or $type?
>>
>> Thank you!
>>
>> -m0ssy
> 
> Q1. Yes, the default is to use sys-net. You can change this if you wish.
> (I do)
> The update proxy has always been set to sys-net by default.
> The proxy used to filter traffic, but no longer does so. Again, I change
> this behaviour.
> 
> Q2.  OfflineSA $default allow,target=sys-net
> should work: the syntax is right. (You do have proxy configured in
> OfflineSA?)
> 
> Q3. No - changes in those rules come into play straight away.
> 
> Q4. No, they can be set on an individual basis.
> 

Thanks for your reply!  I do not have proxy configured in OfflineSA -- I
don't see an option in qvm-prefs anymore (thought this was all now done
in rpc-policy as of Qubes 4).  Can you please point me to how to configure it?

-m0ssy
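
An added illustration, not part of the messages above and not Qubes' own code: a small Python evaluator for policy lines of the form quoted in this thread, showing which update proxy a per-VM rule such as `OfflineSA $default allow,target=sys-net` resolves to. It assumes three whitespace-separated fields per rule, first-match evaluation, and refusal when no rule matches; the trailing `$anyvm $anyvm deny` line and the VM names `fedora-template` and `work` are constructed.

```python
# Added example (not Qubes' own code): first-match evaluation of policy lines.
# Constructed sample. The OfflineSA and TemplateVM rules are quoted in the
# thread; the trailing catch-all deny is an assumption.
SAMPLE_POLICY = """\
OfflineSA $default allow,target=sys-net
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""

def parse_policy(text):
    """Return a list of (source, dest, action, params) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:  # assumption: source, destination, action[,params]
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}: {raw!r}")
        source, dest, spec = fields
        action, _, rest = spec.partition(",")
        params = dict(p.split("=", 1) for p in rest.split(",") if p)
        rules.append((source, dest, action, params))
    return rules

def source_matches(pattern, vm_name, vm_type):
    """Match the source column: $anyvm, $type:<class>, or an exact VM name."""
    if pattern == "$anyvm":
        return True
    if pattern.startswith("$type:"):
        return pattern[len("$type:"):] == vm_type
    return pattern == vm_name

def resolve(rules, vm_name, vm_type):
    """Resolve a call made without an explicit target (the $default case)."""
    for source, dest, action, params in rules:
        if source_matches(source, vm_name, vm_type) and dest in ("$default", "$anyvm"):
            return action, params.get("target")
    return "deny", None  # assumption: no matching rule means the call is refused

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for name, kind in [("OfflineSA", "StandaloneVM"),
                       ("fedora-template", "TemplateVM"), ("work", "AppVM")]:
        print(name, kind, resolve(rules, name, kind))
```

Under the first-match assumption, a per-VM rule placed below a catch-all `$anyvm $anyvm deny` line is never reached, so the order of lines matters as much as their syntax.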
