"Eric W. Biederman" <ebied...@xmission.com> writes:

> "Eric W. Biederman" <ebied...@xmission.com> writes:
>
>>> https://www.qubes-os.org/doc/firewall has information about enabling
>>> networking between qubes.
>>
>> I am going to spin up a second firewall vm and poke some more, and
>> see if I can get somewhere.
>
> I figured it out.  Apparently both iptables rules and nftables
> rules are being configured to prevent qubes from talking
> to each other.
>
> The redundancy was a real surprise, as that is just unnecessary
> overhead.
>
> Using nftables must be a recent addition and the firewall
> Documentation has not caught up.

It looks like it is some weird fedora34 compatibility thing,
and not the qubes scripts that was causing my problem.

What worked for me was adding the following two lines to
my /rw/config/qubes-firewall-user-script

> # For some reason a duplicate nftables ruleset is getting created
> # that mirrors the iptables ruleset.  Flush it so that only iptables
> # needs to be dealt with.
> nft flush ruleset
> 
> # Allow my two development machines to talk to each other.
> iptables -I FORWARD 2 -s 10.137.0.33 -d 10.137.0.13 -j ACCEPT
> iptables -I FORWARD 2 -s 10.137.0.13 -d 10.137.0.33 -j ACCEPT

In particular "nft flush ruleset" was needed before any iptables changes
were reflected in the forwarding behavior.

What is the appropriate way to get https://www.qubes-os.org/doc/firewall
updated to reflect that people may have to deal with this?

Eric

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87o8411095.fsf%40email.froward.int.ebiederm.org.
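As an added example (not Eric's script and not part of Qubes OS), the two-qube forwarding rules from the message above rewritten so they can be re-run safely from /rw/config/qubes-firewall-user-script: each rule is checked with `iptables -C` before it is inserted, so the script does not stack duplicates every time the firewall qube reloads, and the addresses are validated before they reach iptables. The function names `is_ipv4`, `allow_forward` and `allow_pair`, the `IPT` override variable and the `QUBE_A`/`QUBE_B` environment variables are this example's own assumptions; the addresses 10.137.0.33 and 10.137.0.13 are the ones from the thread. The example deliberately leaves the nftables ruleset alone: `nft flush ruleset` removes every nftables table on the system, so inspect `nft list ruleset` first and flush only once you know what is in it.

```shell
#!/bin/sh
# Idempotent FORWARD rules between two qubes for a firewall qube's
# /rw/config/qubes-firewall-user-script. Constructed example, not Qubes code.

IPT="${IPT:-iptables}"   # override for dry runs, e.g. IPT="echo iptables"

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into octets on '.'
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert "ACCEPT src -> dst" at position 2 of FORWARD (after the first
# Qubes-managed rule, as in the original post) unless it already exists.
# Returns 2 for a malformed address, otherwise the iptables exit status.
allow_forward() {
    src=$1
    dst=$2
    is_ipv4 "$src" && is_ipv4 "$dst" || return 2
    if "$IPT" -C FORWARD -s "$src" -d "$dst" -j ACCEPT 2>/dev/null; then
        return 0         # rule already present: nothing to do
    fi
    "$IPT" -I FORWARD 2 -s "$src" -d "$dst" -j ACCEPT
}

# Allow traffic in both directions between two qubes.
allow_pair() {
    allow_forward "$1" "$2" && allow_forward "$2" "$1"
}

# Only touch the firewall when both qube addresses are supplied, e.g.
#   QUBE_A=10.137.0.33 QUBE_B=10.137.0.13 sh this-script.sh
if [ -n "$QUBE_A" ] && [ -n "$QUBE_B" ]; then
    allow_pair "$QUBE_A" "$QUBE_B"
fi
```

Inside qubes-firewall-user-script you would simply call `allow_pair 10.137.0.33 10.137.0.13` after the function definitions. Because `iptables -C` reports whether an identical rule exists, `iptables -L FORWARD -n --line-numbers` will show exactly one ACCEPT per direction no matter how often the script runs.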