Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
Well, I wasn't aware routing/forwarding could be so complex, and indeed it is a full-time job; you can't become a network admin just like that, it takes time. So I realized I shouldn't have posted here, my bad. Any admin feel free to delete this subject if you want to, no problem.

So I am actually gathering knowledge on the subject to be able eventually, at the end of the day, to create a very little local Qubes network with a serverVM to host my website / a clientVM to test it / a proxyVM acting as a router :)

I followed a course referring a lot to the old "route" cmd on Linux, but no chance, I can't make it run or install it on Qubes, the cmd has been deprecated, now you need to use iproute2! Hopefully I just found another tutorial in French to understand how to use iproute: http://www.inetdoc.net/guides/lartc/lartc.iproute2.explore.html

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/966e00b0-850e-45a5-9bfe-04c7a37fa15d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Monday, 22 August 2016 17:43:35 UTC+2, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On the contrary, we care greatly about translating the documentation into other languages. We're working with Transifex right now to have the documentation translated:
>
> https://github.com/QubesOS/qubes-issues/issues/1452

Ok my bad, I didn't know about this project. Then it is fine, it would help a lot of people not used to reading English.

> We welcome your participation! Michael (CCed) is the main contact with Transifex. He may have a better idea about how members of the Qubes community like yourself can get involved.

Ok thank you, he can contact me on this email if you want me to help translate some pages, no problem. I don't type very fast and I'm not that young, but if you lack people to help translate into their native language, I can help.

> I didn't mean to suggest that it's immune to criticism. On the contrary, constructive criticism is always welcome.

Sure, I was just a bit on edge yesterday, sorry about that.

> However, you said, "I don't get why documentation don't address..." I was simply explaining why. The documentation is lacking such things because no one has contributed them.
>
> I think it's fair to beseech documentation contributors to consider these things. But, in the end, it's up to them what knowledge (if any) they will contribute.

Good point. I thought about your answer yesterday, more rested, and just began a course today about TCP/IP networks and the 7-layer OSI model, to understand better how routing works and how packets travel from layer 7 to your own switch/bridge!

This is quite interesting, but my attention scattered to another one on how to convert decimal numbers into hexadecimal or binary numbers ^^

I don't know if it's going to be useful, but yes, it was interesting to realize an IPv4 address is coded on 32 bits, which is 4 octets, and that 1 octet reaches 255 maximum in decimal form because it is coded on 8 bits, which is 2^8=256, and as you start from 0, you get this number. And that we're going to switch to IPv6 because you have only 2^32 numbers available (4.2 billion) and we are already 7.3 billion here on Earth! That's also why I want to host my website on my own cpu, because you need energy to make a server work, Earth is dying, who cares about my beginner site being unavailable 8-12 hours a day, as long as I warn folks when it opens lol. You can also think about Qubes from an ecological point of view, as it centralizes different OSes and allows you to avoid having more computers to preserve data: you save energy.

Those numbers make you wonder how unreal it is that in less than 50 years we went from 1 bit (0-1), this very simple potential electric difference coding 2 values, to a world wide web page full of data ^^ I guess we invented aliens to communicate with, since we didn't find any (yet) so far :D Because if you think about one typo here, like my little D surrounded by 2 symbols (lol), if you think about all character options available in all languages over the whole world for those 2 symbols, I wouldn't be surprised this beast gets so huge that it can't fit in 1 octet/1 byte/256 options haha (btw in French you add e to "bit", you get a D :D). I hope you enjoy my delicate poetry on digits man lol ~

P.S.: If quoting you fails again, please excuse me, I don't get how to do it properly inside your message :(

> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-08-22 02:47, nishiwak...@gmail.com wrote:
> I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least with people of my country sharing my own language if you don't mind, because Qubes OS documentation looks like imo being written mostly by native English users that don't seem to care much for non-native English users being lost.

On the contrary, we care greatly about translating the documentation into other languages. We're working with Transifex right now to have the documentation translated:

https://github.com/QubesOS/qubes-issues/issues/1452

> I would this way really like to participate in some translation effort, as I don't necessarily think you can enter easily those quite complicated notions with your non-native language.

We welcome your participation! Michael (CCed) is the main contact with Transifex. He may have a better idea about how members of the Qubes community like yourself can get involved.

> Qubes documentation being largely a volunteer effort doesn't make it immune to the critics,

I didn't mean to suggest that it's immune to criticism. On the contrary, constructive criticism is always welcome.

However, you said, "I don't get why documentation don't address..." I was simply explaining why. The documentation is lacking such things because no one has contributed them.

> and mine is that people spending this valuable time to share their knowledge to make people enter quite long and complicated procedures should consider that: 1) Explaining how to do port forwarding without addressing or referring to basic knowledge upon this concept leads to frustration, as you necessarily need to understand a bit what's going on in order to adapt the procedures.
> 2) Even if I think people mostly appreciate and are thankful to the Qubes community development for the incredible security improvement Qubes OS brings to everyone and that makes Qubes OS probably the best OS I know so far, when security isolation somehow puts you in a cage where you encounter difficulties to communicate with the rest of the world, well that's not the goal per se :p

I think it's fair to beseech documentation contributors to consider these things. But, in the end, it's up to them what knowledge (if any) they will contribute.

> But no problem, thank you for your help. I hope someone might give me some advice on this problem, but I am already trying to learn on iptables, as it looks like you can't unblock ports using only Qubes firewall, you have to understand these iptables scripts ^^

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXux2fAAoJENtN07w5UDAw4wUP/j0uDCgbx80Cm714mi6vDB/Z
8NBXlMLV6hzA8HtVW3Z2Rfo7pY/Fe8uQLskJ+h8SluWDw2srUHXSsv2ETIBsUzC9
0m9HaSLJU+UxO7Vc8VFi2FTiUlFKxhBnhFYWGwSqir0QI+OZP6Mx1id/MgtvGkYk
TDWtljt7hvgjR6hnX1GqU6u0Bg3O1KZHSNhcC98RQZjy9LWOgIkAPKWpK98FheYi
N5QMRTJwfrUEFIEumCf6xzG3jiolJlmGEPkKDfk9+GaKxd0koHbENMWqfvlz2Zbo
pq9gBzkW44K88pcWpS4CLkvonMDdXienRWzy7ut5kQsEfNuw4MVGMkqy9YUGkhlJ
9mbZx8AB1yPs0LRdQpCk9noh4g4QWr9XREHQC2+FgazYQD1P4rcZDXt8r0JJdH2W
E5GJbqWWwQj+Rn0VbI4TbuXZJlw8gOeiUXRSKu821EhXu37dtiNI+XKszx8iPfXA
9EbAd9O4hulVq3866eWX86Sc/MKnNE/Frw0M8ObHvvXnweI2VwUNMeZCJ2VKO5KG
vWQkTi83YAkHqvk8YOFCV7+oOQAyGymHZzjCUWvOWvDjBX/wtSgcmEt3rMq8MklX
G3ZFzGdkC2h2VeEqwojhMNZ1UWHNvwv+KV6ySJf5p3ZrGqZKO6olIlbZZNnT2HDe
OW2eq0Sr3P3Qtdn9iXao
=6qZC
-----END PGP SIGNATURE-----
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least with people of my country sharing my own language if you don't mind, because Qubes OS documentation looks like imo being written mostly by native English users that don't seem to care much for non-native English users being lost. I would this way really like to participate in some translation effort, as I don't necessarily think you can enter easily those quite complicated notions with your non-native language.

Qubes documentation being largely a volunteer effort doesn't make it immune to the critics, and mine is that people spending this valuable time to share their knowledge to make people enter quite long and complicated procedures should consider that:

1) Explaining how to do port forwarding without addressing or referring to basic knowledge upon this concept leads to frustration, as you necessarily need to understand a bit what's going on in order to adapt the procedures.

2) Even if I think people mostly appreciate and are thankful to the Qubes community development for the incredible security improvement Qubes OS brings to everyone and that makes Qubes OS probably the best OS I know so far, when security isolation somehow puts you in a cage where you encounter difficulties to communicate with the rest of the world, well that's not the goal per se :p

But no problem, thank you for your help. I hope someone might give me some advice on this problem, but I am already trying to learn on iptables, as it looks like you can't unblock ports using only Qubes firewall, you have to understand these iptables scripts ^^
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Monday, 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> > > On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > > > Any help to configure sys-firewall would be also really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:
> > > >
> > > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM! You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
> > > >
> > > > The only subject related to this problem I found is this message from Unman on the Qubes-users group:
> > > >
> > > > "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
> > > >
> > > > Ok so here's what I understand from this message: this proxyVM Firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
> > > >
> > > > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
> > > >
> > > > And then you get explanations on how to edit rules in a specific VM for a given domain.
> > > >
> > > > So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
> > > >
> > > > I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
> > >
> > > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
> > >
> > > Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
> > >
> > > By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
> >
> > Ok, thank you very much for your help. Unfortunately I still have great difficulties to open up port 443 or 80 on an AppVM.
> >
> > I have read this comment on another thread from Alex Dubois saying:
> >
> > "A diagram in the wiki would help people understand.
> >
> > For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."
> >
> > I completely agree with him, a diagram would really help. I don't get why documentation don't address the routing basics stuff that isn't really basic for newbies, for random people.
>
> The documentation is largely a volunteer effort. I'm afraid we simply don't have the workforce to make all necessary and desirable improvements to the documentation. We would love it if someone would submit a pull request adding such a diagram or, in general, improving that page.
>
> > I like Qubes a lot, this is an awesome OS, but far too complicated for mister everyone. I am at the point right now where frustration becomes o
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Monday, 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> The documentation is largely a volunteer effort. I'm afraid we simply don't have the workforce to make all necessary and desirable improvements to the documentation. We would love it if someone would submit a pull request adding such a diagram or, in general, improving that page.

I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least, with people of my country sharing my own language, if you don't mind, because Qubes documentation looks like imo being written mostly by native English users that don't seem to care much for non-native English users being lost. I would this way really like to participate in some translation effort, as I don't necessarily think you can enter easily those quite complicated notions with your non-native language.

Qubes documentation being largely a volunteer effort doesn't make it immune to the critics, and mine is that people spending this valuable time to share their knowledge to make people enter quite long and complicated procedures should consider that:

1) Explaining how to do port forwarding without addressing or referring to basic knowledge upon this concept leads to frustration, as you necessarily need to understand a bit what's going on in order to adapt the procedures.

2) Even if I think people mostly appreciate and are thankful to the Qubes community development for the incredible security improvement Qubes OS brings to everyone and that makes Qubes OS probably the best OS I know so far, when security isolation somehow puts you in a cage where you encounter difficulties to communicate with the rest of the world, well that's not the goal per se :p

> Sorry, this is beyond my knowledge. My own use of Qubes (as a regular user) has never occasioned the need to port forward to a VM from the outside world.
>
> Perhaps it's worth appreciating that what you're attempting to do is somewhat advanced, and therefore you should not expect it to be extremely simple. In any case, I hope someone knowledgeable about networking will chime in to help you with this.

No problem, thank you for your help. I hope someone might give me some advice on this problem, but I am already trying to learn on iptables, as it looks like you can't unblock ports using only Qubes firewall, you have to understand these iptables scripts ^^

> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJXulK8AAoJENtN07w5UDAwKRgP/3qtwhSLXRCI03DqA76JMo2o
> 2d24pqwjw9f/rX3ep36qHN1Y4iSSP/la/ze9dgoWPnyXakrB8R7olqasV2o4Z9+v
> ZyLqSOKF6R2KPUSyl1vE6Tc4F6l068wOcQnNphq+tmZEHX8VFprYgkzchXCMj9fp
> sVsU7Xk0prNXs/FWqxzPTJzbC7lPRuJ0OBTHdj8uvatJ6eeb6QxRI3hKWu2nXpCM
> 7ugxLc8Lvy5Ntjp40DoQOMidSDU2WmNyUBAfrlUGjIXVxu7mzk45P67cPG5Zuvo9
> KchQgu44N4bgm2tdkHg248iyB/GzolsObs3BQCzadMz7E2jv8YVU8u0rAD41OGON
> rDTqnDp5VEdo72iNijyZkXh+in/cmtAG9FY1JisTgeZhxTXJmMlzduDIaB2+QjBH
> UBeU9DxeeXtthmYIlmoq40gbLUnEW4KkMfyky99vWZcUHnCzdVd9l12+PDJkIAF5
> N2la7fqnAh5ElsdT3nBzECb7C5CYtW3zFB/oEDrmsObinIF5E0ohPdwWnXn++jCF
> kwurhgtReWPCxfd+JeIJTi3bQxE24pnPkTT4KYPcOloE9RHwGd5EsAIxkvbPb/po
> aUn1edDzVtnoyrXa/FVODd0IxW9TjFq1RGk8d9mXPSb01fKrKIOUQXnhyfwiY5gK
> sW6MaE08rTguFWY2Ng9q
> =E9Mf
> -----END PGP SIGNATURE-----
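The NetVM to FirewallVM to AppVM rewrite that Alex Dubois describes in the quoted thread, and the iptables learning this reply ends on, as an added example that is not part of the thread and not Qubes OS code: a small Python model of the two-hop DNAT chain, with one nat/PREROUTING table and one filter/FORWARD chain per forwarding VM. The 10.137.1.5 (firewall) and 10.137.2.16 (AppVM) addresses are the ones quoted above; the NetVM external address 192.168.0.10, the LAN client 192.168.0.50, and the default-DROP FORWARD policy are assumptions made for this example.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Addresses: 10.137.x.y values are the ones quoted in the thread; the
# NetVM external address and the LAN client are constructed stand-ins
# for the "192.168.0.x" in the quote.
LAN_CLIENT = "192.168.0.50"
NETVM_EXTERNAL = "192.168.0.10"
FIREWALLVM = "10.137.1.5"
APPVM = "10.137.2.16"
HTTPS = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """Shape of: iptables -t nat -A PREROUTING -d MATCH -p tcp --dport PORT -j DNAT --to-destination TO"""
    match_dst: str
    dport: int
    to_dst: str


@dataclass(frozen=True)
class AcceptRule:
    """Shape of: iptables -A FORWARD -d DST -p tcp --dport PORT -j ACCEPT"""
    dst: str
    dport: int


@dataclass
class Hop:
    """One forwarding VM: its nat/PREROUTING rules and filter/FORWARD accepts.
    The FORWARD chain is modelled with a default DROP policy (an assumption
    made for this example; it is the conservative reading of a NetVM/ProxyVM)."""
    name: str
    prerouting: List[DnatRule]
    forward: List[AcceptRule]

    def process(self, pkt: Packet) -> Tuple[Packet, bool]:
        # nat/PREROUTING runs first: the first matching rule rewrites dst.
        for r in self.prerouting:
            if (pkt.dst, pkt.dport) == (r.match_dst, r.dport):
                pkt = replace(pkt, dst=r.to_dst)
                break
        # filter/FORWARD sees the already-translated packet and must
        # explicitly accept it; a DNAT rule alone does not let it through.
        accepted = any((pkt.dst, pkt.dport) == (a.dst, a.dport) for a in self.forward)
        return pkt, accepted


def trace(hops: List[Hop], pkt: Packet) -> Tuple[List[str], bool]:
    """Walk pkt through the hops in order. Returns the destination address
    after each hop and whether the packet was forwarded by every hop."""
    path = [pkt.dst]
    for hop in hops:
        pkt, ok = hop.process(pkt)
        path.append(pkt.dst)
        if not ok:
            return path, False
    return path, True


def build_chain(firewall_forward_accept: bool = True) -> List[Hop]:
    """sys-net DNATs external:443 to the FirewallVM; sys-firewall DNATs
    FirewallVM:443 to the AppVM. Setting the flag to False omits the
    FORWARD accept in sys-firewall, reproducing 'NAT rule added, still blocked'."""
    sys_net = Hop(
        name="sys-net",
        prerouting=[DnatRule(NETVM_EXTERNAL, HTTPS, FIREWALLVM)],
        forward=[AcceptRule(FIREWALLVM, HTTPS)],
    )
    sys_firewall = Hop(
        name="sys-firewall",
        prerouting=[DnatRule(FIREWALLVM, HTTPS, APPVM)],
        forward=[AcceptRule(APPVM, HTTPS)] if firewall_forward_accept else [],
    )
    return [sys_net, sys_firewall]


def inbound(dport: int) -> Packet:
    """Constructed packet from a LAN workstation to the NetVM's external IP."""
    return Packet(src=LAN_CLIENT, dst=NETVM_EXTERNAL, dport=dport)


if __name__ == "__main__":
    print(trace(build_chain(), inbound(HTTPS)))       # (['192.168.0.10', '10.137.1.5', '10.137.2.16'], True)
    print(trace(build_chain(False), inbound(HTTPS)))  # (['192.168.0.10', '10.137.1.5', '10.137.2.16'], False)
    print(trace(build_chain(), inbound(22)))          # (['192.168.0.10', '192.168.0.10'], False)
```

The first trace is the path in the quote: the destination is rewritten once per hop until it is the AppVM. The second is the case worth checking first when a forward "does not work": the DNAT rule is in place, so the destination is rewritten to 10.137.2.16, but with no matching FORWARD accept on the same hop the packet is dropped right after translation, so both rules need to exist in each forwarding VM. The third shows the exposure is limited to the forwarded port: a packet for any other port is neither translated nor accepted. The thread's own pointer for making such rules persistent is /rw/config/qubes-firewall-user-script.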
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Monday 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > On Sunday 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> > > On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > > > Any help to configure sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:
> > > >
> > > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> > > >
> > > > You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
> > > >
> > > > The only subject related to this problem I found is this message from Unman on the Qubes-users group:
> > > >
> > > > "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
> > > >
> > > > Ok so here's what I understand from this message: this proxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
> > > >
> > > > https://www.qubes-os.org/doc/qubes-firewall/ The official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
> > > >
> > > > And then you get explanations on how to edit rules in a specific VM for a given domain.
> > > >
> > > > So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
> > > >
> > > > I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
> > >
> > > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
> > >
> > > Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
> > >
> > > By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
> >
> > Ok, thank you very much for your help. Unfortunately I still have great difficulty opening up port 443 or 80 on an AppVM.
> >
> > I have read this comment on another thread from Alex Dubois saying:
> >
> > "A diagram in the wiki would help people understand.
> >
> > For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."
> >
> > I completely agree with him, a diagram would really help. I don't get why the documentation doesn't address the routing basics, stuff that isn't really basic for newbies, for random people.
>
> The documentation is largely a volunteer effort. I'm afraid we simply don't have the workforce to make all necessary and desirable improvements to the documentation. We would love it if someone would submit a pull request adding such a diagram or, in general, improving that page.

I would love as well to be able to host a website to share my interest for Qubes OS with the world, or at least, with people of my country sharing my own
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> On Sunday 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> > On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > > Any help to configure sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:
> > >
> > > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> > >
> > > You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
> > >
> > > The only subject related to this problem I found is this message from Unman on the Qubes-users group:
> > >
> > > "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
> > >
> > > Ok so here's what I understand from this message: this proxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
> > >
> > > https://www.qubes-os.org/doc/qubes-firewall/ The official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
> > >
> > > And then you get explanations on how to edit rules in a specific VM for a given domain.
> > >
> > > So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
> > >
> > > I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
> >
> > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
> >
> > Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
> >
> > By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
>
> Ok, thank you very much for your help. Unfortunately I still have great difficulty opening up port 443 or 80 on an AppVM.
>
> I have read this comment on another thread from Alex Dubois saying:
>
> "A diagram in the wiki would help people understand.
>
> For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."
>
> I completely agree with him, a diagram would really help. I don't get why the documentation doesn't address the routing basics, stuff that isn't really basic for newbies, for random people.

The documentation is largely a volunteer effort. I'm afraid we simply don't have the workforce to make all necessary and desirable improvements to the documentation. We would love it if someone would submit a pull request adding such a diagram or, in general, improving that page.

> I like Qubes a lot, this is an awesome OS, but far too complicated for mister everyone. I am at the point right now where frustration becomes overwhelming. I don't think I am not curious, trying to improve or understand better the way this OS works... I'm just going mad tonight, lol.
>
> So let me try to sum up this comment in a visual way to understand better how routing works on Qubes.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Sunday 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > Any help to configure sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:
> >
> > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> >
> > You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
> >
> > The only subject related to this problem I found is this message from Unman on the Qubes-users group:
> >
> > "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
> >
> > Ok so here's what I understand from this message: this proxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
> >
> > https://www.qubes-os.org/doc/qubes-firewall/ The official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
> >
> > And then you get explanations on how to edit rules in a specific VM for a given domain.
> >
> > So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
> >
> > I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
>
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
>
> Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
>
> By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Ok, thank you very much for your help. Unfortunately I still have great difficulty opening up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying:

"A diagram in the wiki would help people understand.

For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help. I don't get why documentation d
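The two-hop rewrite that Alex Dubois's comment describes, as an added example that is not code from the thread or from the Qubes project: a POSIX shell script that prints, for each hop, the iptables DNAT rule plus the narrowly scoped FORWARD accept that the DNAT needs, so the rules can be reviewed before being placed in /rw/config/qubes-firewall-user-script on sys-firewall (the hook Unman names) or the startup hook of sys-net (assumed to be /rw/config/rc.local). The interface names and the sys-net external address 192.168.0.10 are constructed sample values; 10.137.1.5 and 10.137.2.16 are the addresses quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): emit the two-hop
# port-forwarding rules described in the thread so they can be reviewed before
# they are applied. Nothing here touches iptables; it only prints commands.
# Sample values: sys-net external IP 192.168.0.10 and interface names are
# constructed; 10.137.1.5 (firewallVM) and 10.137.2.16 (AppVM) are quoted in
# the thread. The rule set assumes the standard Qubes FORWARD chain already
# accepts RELATED/ESTABLISHED traffic, so only the new inbound flow is added.

# valid_port PORT: succeeds only for an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hop_rules LABEL IN_IFACE LOCAL_IP NEXT_IP PORT
# One hop of the chain: packets arriving on IN_IFACE for LOCAL_IP:PORT get
# their destination rewritten to NEXT_IP:PORT, and exactly that flow is let
# through FORWARD. The DNAT alone is not enough: iptables still runs the
# rewritten packet through the FORWARD chain, so each hop needs an ACCEPT.
hop_rules() {
  label=$1; iface=$2; local_ip=$3; next_ip=$4; port=$5
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  printf '# %s: %s:%s -> %s:%s\n' "$label" "$local_ip" "$port" "$next_ip" "$port"
  printf 'iptables -t nat -I PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$iface" "$local_ip" "$port" "$next_ip" "$port"
  # Scoped to one destination, one port and new connections only, so the rule
  # cannot accidentally open anything else through the firewall.
  printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$iface" "$next_ip" "$port"
}

# forward_chain NETVM_EXT_IP FWVM_IP APPVM_IP PORT [NETVM_IFACE] [FWVM_IFACE]
# Prints both hops: sys-net (external IP -> firewallVM) and sys-firewall
# (firewallVM IP -> AppVM). Each printed block belongs on its own VM.
forward_chain() {
  hop_rules "sys-net"      "${5:-eth0}" "$1" "$2" "$4" || return 1
  hop_rules "sys-firewall" "${6:-eth0}" "$2" "$3" "$4" || return 1
}

# count_rules NETVM_EXT_IP FWVM_IP APPVM_IP PORT: number of iptables commands
# emitted (two per hop, so four for the full chain).
count_rules() {
  forward_chain "$@" | grep -c '^iptables '
}

# Stand-alone run with the sample addresses from the thread.
forward_chain 192.168.0.10 10.137.1.5 10.137.2.16 443
```

Run it once per port you intend to expose, then paste the sys-net block into sys-net's hook and the sys-firewall block into /rw/config/qubes-firewall-user-script; the AppVM itself still needs the service listening on that port.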
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> Any help to configure sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:
>
> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>
> You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
>
> The only subject related to this problem I found is this message from Unman on the Qubes-users group:
>
> "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
>
> Ok so here's what I understand from this message: this proxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
>
> https://www.qubes-os.org/doc/qubes-firewall/ The official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
>
> And then you get explanations on how to edit rules in a specific VM for a given domain.
>
> So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
>
> I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...

Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.

Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: Problem on port forwarding to a VM from the outside world
Any help to configure sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall proxyVM settings:

"The 'sys-firewall' AppVM is not network connected to a FirewallVM!

You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."

The only subject related to this problem I found is this message from Unman on the Qubes-users group:

"When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."

Ok so here's what I understand from this message: this proxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.

https://www.qubes-os.org/doc/qubes-firewall/ The official documentation says: "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."

And then you get explanations on how to edit rules in a specific VM for a given domain.

So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.

I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...