Re: [qubes-users] Re: Amnesic QubesOS
On Tue, Feb 14, 2017 at 9:45 PM, wrote:
> There is the option to use a disposable vm for everything if you want?

Note that the current implementation of DispVMs does not resist local forensics:

- https://www.qubes-os.org/doc/dispvm/#disposable-vms-and-local-forensics
- https://github.com/QubesOS/qubes-issues/issues/904
- https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4/discussion

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_BDZkVfjASbhqQiZy-TDEdc9FZBMek0vDrPZ5JLMXHJpQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to safely use Wireshark in Qubes?
On 02/14/2017 09:41 PM, raahe...@gmail.com wrote:
> isn't tcpdump just as vulnerable though if not more? I run things like that in sys-net since i consider it extremely untrusted, but if you have the resources or want only specific streams, sure a separate template or separate vm i would assume is more secure.

Since sys-net is untrusted, try using a proxyVM which should be much safer. At least it'll work for IP traffic.

Chris
[qubes-users] Qubes not detecting Spidf audio out
Hi all,

I have qubes up and running, no real issues... well... except one. Qubes has detected my normal hardware audio out and my HDMI audio out but it has not detected my S/PDIF out.

This is a real deal breaker for me as I use an SMSL headphone amp with only one input, "S/PDIF". My MB is an ASRock 990FX Killer. All other Linux distros including Fedora, Ubuntu, Arch, Gentoo and Puppy Linux can detect it.

Is there any way to get this up and running? Any tips and/or advice would be appreciated.
Re: [qubes-users] AEM questions
On 02/14/2017 05:50 PM, j...@vfemail.net wrote:
> hi.
>
> since i will be traveling for a bit, my threat model changed and i want aem. when reading the documentation, a few questions came up:
> (in any case, i will use a passphrase for aem.)
>
> 1) is there a difference between using a usb drive or using an internal partition? (except of having a second device in case of a usb drive)

Yes. You should keep your AEM boot with you on a separate device. If you don't, an attacker could see your secret phrase by booting the system.

This is also important if you want AEM to warn you after a /remote/ (non-Evil Maid) attack has affected your BIOS.

> 2) citing from the aem readme: 'If you've chosen the latter option [using an external boot device], you should then remove the internal boot partition from dom0's /etc/fstab, never mount it again in dom0, and never boot from it again, because an attacker might modify it to exploit GRUB or dom0 filesystem drivers.'
> what would happen if i lost my external boot device? could i still boot without it?

You wouldn't be able to boot immediately. But you could later use a Qubes install disk to re-create a boot partition, or restore a partimage backup of the boot drive, or use a (trusted) live CD to unlock your Qubes drive and back up the VMs before installing Qubes anew.

> 3) is unhiding my usb devices only required during aem setup? (i guess so, but i thought, i would ask)

I think you refer to the option that suppresses USB devices during boot. This should be turned off when booting AEM (not just installing) from a USB stick so the verification sequence can read the secret from the USB stick.

However, you can configure a sys-usb VM to run automatically on startup, and this will isolate USB devices from the rest of the system. So... when booting AEM don't leave odd or untrusted devices plugged into your USB ports, because the system may be vulnerable during boot (but after boot you should be protected if sys-usb is running and configured properly).

> 4) The article from 2011 (http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html) mentions keyfiles. Is this implemented? (the readme says nothing about it)

I don't recall seeing this implemented. There may be some workaround such as specifying the passphrase in the config... see "man crypttab" for details; in that case, the USB stick literally becomes a key to your main drive.

Chris

> -joe
[qubes-users] Re: Installation Media Self-Check Confusion
On Monday, February 13, 2017 at 2:26:42 PM UTC-5, bf18...@gmail.com wrote:
> On Monday, February 13, 2017 at 1:07:44 PM UTC-6, raah...@gmail.com wrote:
> > On Sunday, February 12, 2017 at 7:33:43 PM UTC-5, bf18...@gmail.com wrote:
> > > Hello,
> > >
> > > I have been trying to install R3.2 and even though I have tried burning both usbs and dvds and using different burning programs (including just dd for the usb) it always results in it saying that the .iso is unsupported and the install media is fragmented (20 count with a md5 sum (I can include that if it helps)). The weird part though is that it says it before the media check starts and if I let it finish the check it says that it passed and will continue to the graphical interface. I also verified it before burning and the files were (reasonably) trustable. Does anyone have any advice on if it can be trusted in general or have had this happen before?
> > >
> > > Thanks in advance for even glancing
> >
> > what happens when it goes to the graphical interface?
> >
> > have you tried it on diff ports, diff pc?
> >
> > what mobo? how exactly are you verifying it?
>
> When it goes to the interface everything seems exactly the same as it used to for anaconda (I have used qubes before in some of its earlier forms and release candidates). It even runs a standard install but I'm not sure why it would continue when it usually refuses if anything faults.
>
> I've tried two pc's, one using windows and one using deb.
>
> I've verified with gpg4win and reg gpg with sha251 checks. Mobo is intel celeron.

so on the other two pc's u get the same self check error message?
[qubes-users] Re: Amnesic QubesOS
On Tuesday, February 14, 2017 at 11:56:21 AM UTC-5, pri aif wrote:
> Would this work?
>
> Install Qubes onto USB Drive then boot up setup all VMs update everything and power off then plug writeblocker between USB-Drive and USB-Port boot up and once done turn off and no writing changes to the USB-Drive have been done?
> Only ever boot without the write-blocker to install updates preferably from a different network only ever used for updates.
> Could this be a workaround to the last thing Tails is superior in (amnesia)?

probably not, don't think it's a goal of Qubes-os, this is for normal desktop users. There is the option to use a disposable vm for everything if you want?
Re: [qubes-users] How to safely use Wireshark in Qubes?
isn't tcpdump just as vulnerable though if not more? I run things like that in sys-net since i consider it extremely untrusted, but if you have the resources or want only specific streams, sure a separate template or separate vm i would assume is more secure.
[qubes-users] AEM questions
hi.

since i will be traveling for a bit, my threat model changed and i want aem. when reading the documentation, a few questions came up:
(in any case, i will use a passphrase for aem.)

1) is there a difference between using a usb drive or using an internal partition? (except of having a second device in case of a usb drive)

2) citing from the aem readme: 'If you've chosen the latter option [using an external boot device], you should then remove the internal boot partition from dom0's /etc/fstab, never mount it again in dom0, and never boot from it again, because an attacker might modify it to exploit GRUB or dom0 filesystem drivers.'
what would happen if i lost my external boot device? could i still boot without it?

3) is unhiding my usb devices only required during aem setup? (i guess so, but i thought, i would ask)

4) The article from 2011 (http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html) mentions keyfiles. Is this implemented? (the readme says nothing about it)

-joe
Re: [qubes-users] Re: How install visual studio code on the template Fedora ?
On Tue, Feb 14, 2017 at 01:19:17PM -0800, codeur4l...@gmail.com wrote:
> Yes, this is what I try to do.
> I have download the .rpm file from my personal VM, then I have copy this file into the fedora template. The problem is I don't know where is this file now because in the fedora template I don't have a file manager.
> I tried execute 'sudo dnf install .rpm' with the appropriate name in the fedora template terminal but it don't find the file.

When you copy or move a file to a qube it is placed in ~/QubesIncoming under the name of the source. cd to that directory and you will be able to install the file you have copied across.

This is in the docs at www.qubes-os.org/doc/copying-files/
[qubes-users] Make xfce4-netload-plugin display next to netvm icon?
The network monitor plugin displays nicely colorized current network traffic rate on the XFCE panel. I would like to get this displaying the netVM's traffic rate, next to the red netvm in Dom0's panel. However, typically it doesn't run in the "notification area", and I'm not sure how to get it displayed in Dom0 (as the netvm icon is). Can anyone point me in the right direction ?
Re: [qubes-users] Re: How install visual studio code on the template Fedora ?
Yes, this is what I am trying to do.
I have downloaded the .rpm file from my personal VM, then I copied this file into the fedora template. The problem is I don't know where this file is now because in the fedora template I don't have a file manager.
I tried to execute 'sudo dnf install .rpm' with the appropriate name in the fedora template terminal but it doesn't find the file.
Re: [qubes-users] Re: How install visual studio code on the template Fedora ?
On Tuesday, 14 February 2017 at 21:45:31 UTC+1, Unman wrote:
> On Tue, Feb 14, 2017 at 12:03:01PM -0800, codeur4l...@gmail.com wrote:
> > I really need to know how to install software.
> > It is obscure to me and the qubes documentation didn't give me the solution.
> > Does nobody have an idea?
>
> What is it that you do not understand? The page you reference provides absolutely explicit instructions.
> Is there anything unclear on this page?
> www.qubes-os.org/doc/software-update-vm/
>
> You should install software in to a templateVM, and then it will be available in all qubes based on that template.
>
> So choose your template - Debian or Fedora.
> Download the code for the Template you chose, as instructed on that page.
> Then copy the downloaded file to your template.
> Run the appropriate command(s) in the template.
>
> Shut down the template.
> Start a qube based on the template and check that "code" works.

Yes, this is what I am trying to do.
I have downloaded the .rpm file from my personal VM, then I copied this file into the fedora template. The problem is I don't know where this file is now because in the fedora template I don't have a file manager.
I tried to execute 'sudo dnf install .rpm' with the appropriate name in the fedora template terminal but it doesn't find the file.
Re: [qubes-users] How to safely use Wireshark in Qubes?
On Tue, Feb 14, 2017 at 09:39:41AM -0800, turboa...@gmail.com wrote:
> Sys-net app or make standalone fedora minimal template?
>
> Subj.

As you like - I use tcpdump to capture and run wireshark on the captured stream in a network isolated qube, which seems a reasonable approach.
Re: [qubes-users] Re: How install visual studio code on the template Fedora ?
On Tue, Feb 14, 2017 at 12:03:01PM -0800, codeur4l...@gmail.com wrote:
> I really need to know how to install software.
> It is obscure to me and the qubes documentation didn't give me the solution.
> Does nobody have an idea?

What is it that you do not understand? The page you reference provides absolutely explicit instructions.
Is there anything unclear on this page?
www.qubes-os.org/doc/software-update-vm/

You should install software in to a templateVM, and then it will be available in all qubes based on that template.

So choose your template - Debian or Fedora.
Download the code for the Template you chose, as instructed on that page.
Then copy the downloaded file to your template.
Run the appropriate command(s) in the template.

Shut down the template.
Start a qube based on the template and check that "code" works.
[qubes-users] Re: How install visual studio code on the template Fedora ?
I really need to know how to install software.
It is obscure to me and the qubes documentation didn't give me the solution.
Does nobody have an idea?
[qubes-users] How to safely use Wireshark in Qubes?
Sys-net app or make standalone fedora minimal template?

Subj.
[qubes-users] HCL - Lenovo T460s [20FAS0AE00]
Works very well!

For NVMe installation you need the workaround from:
https://github.com/QubesOS/qubes-issues/issues/2381

With the unstable kernel (current 4.8.12) it works more stably.
The DisplayPort has some problems and the system crashes regularly on plug in. HDMI works.

Qubes-HCL-LENOVO-20FAS0AE00-20170214-180106.yml
Description: application/yaml
[qubes-users] Amnesic QubesOS
Would this work?

Install Qubes onto USB Drive then boot up setup all VMs update everything and power off then plug writeblocker between USB-Drive and USB-Port boot up and once done turn off and no writing changes to the USB-Drive have been done?
Only ever boot without the write-blocker to install updates preferably from a different network only ever used for updates.
Could this be a workaround to the last thing Tails is superior in (amnesia)?
Re: [qubes-users] trying to remove old template but getting error
On Tuesday, February 14, 2017 at 7:11:19 AM UTC-5, Unman wrote:
> On Mon, Feb 13, 2017 at 05:26:07PM -0800, Gaiko wrote:
> > On Monday, February 13, 2017 at 8:06:43 PM UTC-5, Unman wrote:
> > > On Mon, Feb 13, 2017 at 04:53:24PM -0800, Gaiko wrote:
> > > > I installed the fedora24 template using
> > > >
> > > > sudo qubes-dom0-update qubes-template-fedora-24
> > > >
> > > > Then changed all put then went to global settings, changed the default template, then went into the vm manager and changed the default template for each of the VMs (it's a fresh install so there was just vault, personal, untrusted, and work) but not the sys-net, sys-firewall, as it had it in my head that was a done deal via global settings.
> > > >
> > > > Anyway, then ran
> > > >
> > > > qvm-create-default-dvm --default-template
> > > >
> > > > then
> > > >
> > > > sudo dnf remove qubes-template-fedora-23
> > > >
> > > > but with the last command I got an error:
> > > > no match for argument: qubes-template-fedora-23
> > > > Error:no packages marked for removal.
> > > >
> > > > I then looked for other posts and found this
> > > > (https://groups.google.com/forum/#!searchin/qubes-users/no$20match$20for$20argument$3A$20qubes-template-fedora-23$20Error$3Ano$20packages$20marked$20for$20removal.%7Csort:relevance/qubes-users/v7Svq_KS5us/Xej8hMQICAAJ)
> > > > but there he had mod'd the qubes.xml file and in that file on my comp I noticed there was not an entry for fedora-24 so I was hesitant to go any further.
> > > >
> > > > So, fedora-23 template files are still in /var/lib/vm-templates/fedora-23 and fedora-23 is still showing up in the VM Manager (indicating it needs updates no less). Fedora 24 is also showing up in the VM Manager, and everything *seems* ok with it except it wasn't in the qubes.xml file which i wasn't sure about...
> > > >
> > > > Thoughts?
> > >
> > > Try 'sudo dnf list installed |grep template'
> > > to check the status with dnf.
> > >
> > > Also try qvm-remove qubes-template-fedora-23
> >
> > Thx for the reply.
> >
> > Tried both, it seems Fedora23 isn't showing up as being installed. When I grep'd the dnf list command the other (including fed24) templates showed up but not f23. When I tried
> >
> > qvm-remove qubes-template-fedora-23
> >
> > it told me
> >
> > A VM with the name qubes-template-fedora-23 does not exist in the system
> >
> > I thought to take a look in the /var/lib/qubes/vm-templates/fedora23 dir and noticed (du -sh) that there is only 22M of stuff there... so I guess the main files (sorry I don't know the exact files but I figure it would be bigger if f23 was still there) aren't there... but the VM manager thinks F23 is, and the qubes.xml is still something I am not sure about.
> >
> > further thoughts?
>
> Look at www.qubes-os.org/doc/remove-vm-manually

that got it thanx! (i guess the qubes.xml is a non issue?)
Re: [qubes-users] trying to remove old template but getting error
On Mon, Feb 13, 2017 at 05:26:07PM -0800, Gaiko wrote:
> On Monday, February 13, 2017 at 8:06:43 PM UTC-5, Unman wrote:
> > On Mon, Feb 13, 2017 at 04:53:24PM -0800, Gaiko wrote:
> > > I installed the fedora24 template using
> > >
> > > sudo qubes-dom0-update qubes-template-fedora-24
> > >
> > > Then changed all put then went to global settings, changed the default template, then went into the vm manager and changed the default template for each of the VMs (it's a fresh install so there was just vault, personal, untrusted, and work) but not the sys-net, sys-firewall, as it had it in my head that was a done deal via global settings.
> > >
> > > Anyway, then ran
> > >
> > > qvm-create-default-dvm --default-template
> > >
> > > then
> > >
> > > sudo dnf remove qubes-template-fedora-23
> > >
> > > but with the last command I got an error:
> > > no match for argument: qubes-template-fedora-23
> > > Error:no packages marked for removal.
> > >
> > > I then looked for other posts and found this
> > > (https://groups.google.com/forum/#!searchin/qubes-users/no$20match$20for$20argument$3A$20qubes-template-fedora-23$20Error$3Ano$20packages$20marked$20for$20removal.%7Csort:relevance/qubes-users/v7Svq_KS5us/Xej8hMQICAAJ)
> > > but there he had mod'd the qubes.xml file and in that file on my comp I noticed there was not an entry for fedora-24 so I was hesitant to go any further.
> > >
> > > So, fedora-23 template files are still in /var/lib/vm-templates/fedora-23 and fedora-23 is still showing up in the VM Manager (indicating it needs updates no less). Fedora 24 is also showing up in the VM Manager, and everything *seems* ok with it except it wasn't in the qubes.xml file which i wasn't sure about...
> > >
> > > Thoughts?
> >
> > Try 'sudo dnf list installed |grep template'
> > to check the status with dnf.
> >
> > Also try qvm-remove qubes-template-fedora-23
>
> Thx for the reply.
>
> Tried both, it seems Fedora23 isn't showing up as being installed. When I grep'd the dnf list command the other (including fed24) templates showed up but not f23. When I tried
>
> qvm-remove qubes-template-fedora-23
>
> it told me
>
> A VM with the name qubes-template-fedora-23 does not exist in the system
>
> I thought to take a look in the /var/lib/qubes/vm-templates/fedora23 dir and noticed (du -sh) that there is only 22M of stuff there... so I guess the main files (sorry I don't know the exact files but I figure it would be bigger if f23 was still there) aren't there... but the VM manager thinks F23 is, and the qubes.xml is still something I am not sure about.
>
> further thoughts?

Look at www.qubes-os.org/doc/remove-vm-manually
Re: [qubes-users] Ad-blocking ProxyVM?
On Monday, February 13, 2017 at 9:35:52 PM UTC-5, Joe Ruether wrote:
> Ok, I need to simplify this. I need help, I don't know what I am missing. Is anyone able to recreate the following netcat test?
>
> I cannot seem to get the DNAT portion of the iptables to work at all. Here is a very simple test:
>
> On the proxyvm, I use the following rules to redirect port 5353 to localhost, and allow the connection:
>
> iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT --to-destination 127.0.0.1
> iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT
>
> Then, on the proxyvm, I run the following command to listen on that port (no other service is running on that port):
>
> nc -l -p 5353
>
> Finally, on the AppVM, I run the following command:
>
> nc 10.137.4.1 5353
>
> My expectation is that the two netcats will connect, however they don't. What do I need to do to get my AppVM to talk to my ProxyVM? Thanks

Well, I feel like a fool, I finally figured it out. I realized the DNAT rules aren't necessary at all, so all I needed was this:

iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT

Of course I overcomplicated such a simple problem... I learned a bunch about iptables though.

I also have the PiHole adblocker working now. In case anyone stumbles onto this thread trying to do the same thing, the final trick was to add the Qubes vif interfaces to a dnsmasq config file so it would listen on them.
[qubes-users] configuration files for distribution via salt
hi.

when configuring minions with salt, you sometimes need some config files (e.g. wifi config stored in /rw/config/NM-system-connections/, ssh credentials, etc). you have to get this data from somewhere and distribute it via salt.

there are multiple possibilities:

1) creating some config-vm (it is highly trusted). this vm stores the files. now you can do either of these.
1.1) salt now uses some custom command (it is not that hard to write) to copy the files from config-vm to the target-vm. this happens during dom0 config.
1.2) you add some service that allows the target-vm to receive the files from your config-vm. once target-vm is started and it noticed it needs config files, it can request them (you can restrict the access via a policy so target-vm can only access the files it is supposed to)
2) store the data in dom0
2.1) store the data as files and distribute them via file.managed / file.recurse
2.2) store the data as pillar and distribute them via salt

pros/cons

1)
- you have an extra vm.
+ all data flow / attack surfaces are clear
1.1)
- you need the command (not that bad)
- it happens during dom0 config and not when the vm is configured (not that bad, but i don't like it)
1.2)
- you need to add the service (not that bad)
- you now also need to manage the service policy files (now you have the configuration for target-vm in config-vm, the sls files and policy files)
- how does target-vm know when the config files are changed?
2)
- you copy data INTO DOM0!
+ no extra vm
2.1)
+ you configure the vm during its own salt configuration phase
+ requires no additional stuff (only salt and a folder containing the files)
- THE DATA IS COPIED TO EVERY MANAGEMENT VM! (maybe you can somehow prevent this, but i don't think this is currently possible.)
2.2)
- pillars are not really able to handle files / directory trees (you could paste the file content of some file into a pillar variable and write it to a file using salt (does not work well for non text files))
+ pillars are supposed to be the place where you store (sensitive) minion specific configuration
+ the data is only available in the specific minion
? i don't know whether all pillar data is copied to the management vm (but i guess so)

in both cases (1 and 2) you may end up copying some data from a less trusted vm to a more trusted domain, since you need to populate the initial config data (maybe your config data includes some certificate used by your vpn provider). this is something you are not supposed to do, but if you never use (execute/view/change...) the data in the higher trusted domain, everything should be fine (please correct me if i am wrong). in this case it should not be too bad to store the data in dom0.

my preferred option would be 2.1 if we could fix the problem of all data being copied to each management vm. how big the problem is, depends on the attack surface exposed by the management vm to the target-vm (does anyone know this?). also this could be fixed by not copying all data to the management vm (is this even done?). this would probably require some modification of the qubesctl tool.

so my questions would be:

a) do you have other ideas on how to distribute config files?
b) how do you solve this problem?
c) what do you think is the best method to distribute the files?
d) are there any other problems/advantages of some approach i did not mention?
e) what is the attack surface exposed by the management vm to the target-vm?
f) does qubesctl always copy all files/pillars to the management-vm and what would we need to do to change this? (also how would we decide what files are copied to the management-vm (since we don't want to render the files using minion data in dom0))
g) is there some security risk of copying files from a less trusted vm to a more trusted domain if the files are never used (are only copied/stored)?

- John
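Options 2.1 and 2.2 from the message above, laid out as Salt files. This is an added example, not from the original post or the Qubes project; the file names, the pillar key wifi_home, the salt:// source path, the user name and the keyfile contents are assumptions, and the PSK is a placeholder.

```yaml
# /srv/pillar/top.sls (assumed path): pillar data is assigned per minion id
base:
  target-vm:
    - target-vm-secrets
---
# /srv/pillar/target-vm-secrets.sls (assumed name): option 2.2
# The file content is pasted into a pillar variable as a text block.
wifi_home: |
  [connection]
  id=home
  type=wifi

  [wifi]
  ssid=EXAMPLE-SSID

  [wifi-security]
  key-mgmt=wpa-psk
  psk=REPLACE-ME
---
# /srv/salt/wifi.sls (assumed name): states applied to target-vm

# Option 2.2: write the pillar value to disk inside the target VM.
/rw/config/NM-system-connections/home:
  file.managed:
    - contents_pillar: wifi_home
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: True

# Option 2.1: copy a file kept under the dom0 file roots instead.
# salt://secrets/target-vm/ssh_config is a hypothetical location.
/home/user/.ssh/config:
  file.managed:
    - source: salt://secrets/target-vm/ssh_config
    - user: user
    - group: user
    - mode: '0600'
    - makedirs: True
```

The state still has to be assigned to target-vm in the state top file. Whether the management VM receives only this minion's pillar and files is the open question in the post, and this layout does not answer it.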
[qubes-users] HCL - 20H2S00700
This device is an i7 Lenovo E470.

Intel graphics card needs newer kernel (from unstable repo)...

GeForce graphics not supported by nouveau, yet. Official NVIDIA driver fails with memory allocation error under Xen; see also https://devtalk.nvidia.com/default/topic/691565/linux/geforce-driver-problem-on-centos-6-4-with-xen-installed (even with IGNORE_XEN_PRESENCE-flag set etc.)

Installation only possible with VNC as text installation mode doesn't prompt for encryption password.

Sleep mode sometimes freezes the device.

Qubes-HCL-LENOVO-20H2S00700-20170214-113042.yml Description: application/yaml
Re: [qubes-users] NetVM without firewall, no PING from outside?
> Unman:
> > I suggest you read the docs:
> > www.qubes-os.org/doc/firewall has a section on allowing traffic in to
> > qubes.
>
> Thank you for the link. It provided a good foundation.
>
> > But this may not be what you want. It reads as if you want to have
> > sys-net operating as a router. You can do this quite simply by changing
> > the iptables configuration and using proxy arp to make sure that the
> > external network sees the qubes behind the router.
> > Alternatively you could use the netvm as a gateway to the network of
> > qubes, and make sure that THAT route is propagated on your internal
> > network.
>
> Thank you, it seems like using proxy arp is the way to go for me. That way I
> can still use a dynamic address for my NetVM.

I'm getting back to this thread, still haven't got everything working:

My NetVM is connected to a local network 10.0.0.0/16, and gets a dynamic IP via DHCP. AppVMs connect directly to the NetVM, without any firewall, and all firewall rules have been removed from NetVM.

All networking is now working fine, both between AppVMs and from AppVMs and into the 10.0.0.0/16 network.

Now I need to have the AppVMs available from the 10.0.0.0/16 network...

Where do I need to enable arp_proxy to make this happen? Only on the NetVM interface connected to the 10.0.0.0/16 network, or also on the vif interfaces on the NetVM, or in the AppVMs also??