On 1/15/20 3:44 AM, tetrahedra via qubes-users wrote:
> On Tue, Jan 14, 2020 at 04:46:16PM +0100, David Hobach wrote:
>> You'll find the explanations in the respective iptables and/or nftables rules of the next hop networking VM.
> What do you mean by "next hop networking VM"?
Most users have a setup such as VM --> sys-fw --> sys-net. The next hop from VM is then sys-fw, i.e. you'd have to look there.

There you'll see in nft list ruleset that port 53 forwarding traffic only has a non-effective DNAT rule (DNAT to the same IP it had before). Otherwise it's forwarded as per your routing table to sys-net. In /etc/resolv.conf you'll see that the imaginary IPs 10.139.1.1/2 are used as DNS servers for traffic originating from sys-fw (same as in VM).
Then in sys-net the imaginary IPs are DNATted to your DNS server (usually your router).
This all assumes that you allowed DNS with qvm-firewall. If you don't or do other changes, iptables/nft changes will happen inside sys-fw / the next hop networking VM.
Watch out that both nft and iptables are used.
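An added example, not part of this thread and not Qubes OS code: a small Python script that traces where a qube's DNS packet ends up by applying the DNAT rules of each networking hop in turn, in the order the reply above describes (VM --> sys-fw --> sys-net). The two embedded rulesets are constructed to mirror that description (a no-op DNAT back to 10.139.1.1/2 in sys-fw, a DNAT to the router in sys-net) and are not verbatim Qubes output; the chain name PR-QBS, the router address 192.168.1.1 and the exact nft rule syntax are assumptions. Feed it the real output of "nft list ruleset" from each hop to check that your qube's resolver is the one you expect.

```python
"""Trace a qube's DNS destination through per-hop nft DNAT rules.

Added example (not from the qubes-users thread or from Qubes OS). The
rulesets below are CONSTRUCTED to resemble the setup described in the
reply; the chain name, router IP and rule syntax are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: in sys-fw the DNAT is a no-op (same IP as before),
# so packets for 10.139.1.x keep flowing to sys-net via the routing table.
SYS_FW_RULESET = """\
table ip nat {
    chain PR-QBS {
        ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
        ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
    }
}
"""

# Constructed sample: sys-net rewrites the imaginary IPs to the real
# resolver (assumed here to be the router at 192.168.1.1).
SYS_NET_RULESET = """\
table ip nat {
    chain PR-QBS {
        ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
        ip daddr 10.139.1.2 udp dport 53 dnat to 192.168.1.1
        ip daddr 10.139.1.2 tcp dport 53 dnat to 192.168.1.1
    }
}
"""

# Matches the assumed rule shape: "ip daddr A <proto> dport P dnat to B[:port]"
DNAT_RE = re.compile(r"ip daddr (\S+)\s+(udp|tcp) dport (\d+)\s+dnat to (\S+)")


@dataclass
class DnatRule:
    daddr: str
    proto: str
    dport: int
    target: str  # "ip" or "ip:port"


def parse_dnat_rules(ruleset: str) -> List[DnatRule]:
    """Extract DNAT rules from an nft ruleset dump, in chain order."""
    return [DnatRule(m.group(1), m.group(2), int(m.group(3)), m.group(4))
            for m in DNAT_RE.finditer(ruleset)]


def apply_hop(rules: List[DnatRule], dst_ip: str, proto: str,
              dport: int) -> Tuple[str, int, bool]:
    """Apply the first matching DNAT rule (nat statements are terminal).

    Returns (new_ip, new_port, effective); effective is False when no rule
    matched or the rule DNATs to the address the packet already had.
    """
    for r in rules:
        if r.daddr == dst_ip and r.proto == proto and r.dport == dport:
            ip, _, port = r.target.partition(":")
            new_port = int(port) if port else dport
            return ip, new_port, (ip, new_port) != (dst_ip, dport)
    return dst_ip, dport, False


def trace_dns(hops: List[Tuple[str, str]], dst_ip: str, proto: str = "udp",
              dport: int = 53) -> List[Tuple[str, str, int, bool]]:
    """Walk the hops (name, ruleset) and record the destination after each."""
    trail = []
    ip, port = dst_ip, dport
    for name, ruleset in hops:
        ip, port, effective = apply_hop(parse_dnat_rules(ruleset), ip, proto, port)
        trail.append((name, ip, port, effective))
    return trail


def final_resolver(hops: List[Tuple[str, str]], dst_ip: str,
                   proto: str = "udp", dport: int = 53) -> Tuple[str, int]:
    """Address the packet is actually delivered to after the last hop."""
    trail = trace_dns(hops, dst_ip, proto, dport)
    return (trail[-1][1], trail[-1][2]) if trail else (dst_ip, dport)


if __name__ == "__main__":
    hops = [("sys-fw", SYS_FW_RULESET), ("sys-net", SYS_NET_RULESET)]
    for hop, ip, port, effective in trace_dns(hops, "10.139.1.1"):
        print(f"{hop:8s} -> {ip}:{port}  ({'DNAT' if effective else 'no-op'})")
    # Traffic to a resolver the qube picked itself is not rewritten anywhere.
    print("8.8.8.8 ends at", final_resolver(hops, "8.8.8.8"))
```

The trace marks the sys-fw rule as a no-op and the sys-net rule as the effective rewrite, matching the reply; a query the qube sends directly to some other resolver passes both hops untouched, which is exactly the case where qvm-firewall rules in sys-fw, rather than the DNAT chain, decide whether it gets out at all. The script only reads "dnat to" rules, so if your sys-fw carries iptables NAT rules as well (both are in use, as the reply warns) dump those too before trusting the result.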