[qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
On Monday, March 12, 2018 at 5:16:28 AM UTC+1, sevas wrote:
> actually... maybe I did. I made a reply to the KDE/Template sec discussion
> and it was gone.

Maybe it'll help if we say we love google? Joke aside... it's very frustrating, but at least we got a topic on it now, so if others see it, they know they're not alone. Exciting moment to see if this message will disappear too or not... I mean, maybe we can outsmart it by having love and google in the same sentence (sarcasm).

-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/71738233-40cf-47f1-9e76-20e315169b16%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Custom resolutions-xrandr
Did that solve the black bar issue? Also I'm the so-called average user so I would need a small step by step guide cause this looks super confusing. Thanks in advance
[qubes-users] whonix won't connect to the net
So I have network, but whenever I try and connect to the net it fails when routed to whonix. I'm running qubes 4.0 rc5 but it won't even allow me to download all the updates.
[qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
actually... maybe I did. I made a reply to the KDE/Template sec discussion and it was gone.
[qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
I have not experienced this and you may be right, it wouldn't surprise me from them these days.
Re: [qubes-users] Custom resolutions-xrandr
> If I'm trying to create a custom resolution that I can actually see on my
> 3200x1800 how do I get rid of the black area and make the resolution full
> screen? I tried adding xrandr --output eDP-1 set "scaling mode" "full aspect"
> and nothing is happening. I already made a resolution of 1800x1400, but
> instead of going full it just shrinks the display to fit into a box.

This worked for me on Dell XPS 13 (9360) with 3200x1800 screen: https://askubuntu.com/a/377944.

My normal setup though is increasing fonts in dom0 XFCE; and in VM's Xft.dpi=216, GDK_SCALE=2, GDK_DPI_SCALE=0.5. There is QT5 scaling option too. See https://wiki.archlinux.org/index.php/HiDPI#X_Resources
Re: [qubes-users] DNS propagation in Qubes
On 03/11/2018 10:03 AM, David Hobach wrote:
> On 03/11/2018 11:21 AM, Chris Laprise wrote:
>> ...and for now omitted the '-d' destination part in iptables. Then if I issue:
>>
>> sudo iptables -t nat -F PR-QBS
>> sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $eth0_address
>> sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $eth0_address
>>
>> it appears to work from a downstream appVM. But I haven't checked yet to see if it's really using the dnscrypt proxy; even if it is, the config may need to be adjusted for better security.
>
> I just tested that one (my implementation was also doing pretty much exactly that + a local INPUT chain firewall so it was a 5 min test removing the INPUT firewall):
>
> Since you'll need something like
> -I INPUT -p udp -m udp --dport 53 -j ACCEPT
> -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT

I used this, which is Alex's example without '-d':

iptables -I INPUT 3 -j ACCEPT -p udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW

> it makes DNS accessible for all downstream VMs regardless of the qubes-firewall settings, i.e. apparently the nft FORWARD rules are not applied for DNAT to localhost. That's probably why I had opened that github issue & implemented a local firewall back then...
>
> You can verify my findings by using the dom0 qvm-firewall command line to revoke DNS access for a downstream VM & then use e.g. dig in that VM. The qubes-vm-settings GUI won't work as in 4.0 DNS & ICMP is always allowed.
>
> So yes, if one is aware of that issue, one can certainly use it the way you described. If you rely on the qubes-firewall to work as expected, you shouldn't use it.

Thanks for the specific caveat. Qubes 3.2 firewall had a dns incompatibility when you configured a tunnel such as openvpn. I was able to fix that problem (pretty seamlessly) with sed :) .

-- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes won't boot 'kernel panic', where is AppVm data?
On Sun, March 11, 2018 10:03 pm, ale10203...@gmail.com wrote:
> Hello, I am currently locked out of my qubes system because of a "kernel
> panic" error I encounter when I boot the system, after the grub screen. I
> don't really know what to do. The only thing I did before this to happen
> is to try to install AEM (without success), it may be the reason for
> this. Is there any fix to this?

Haven't tried AEM, unfortunately.

> I still have my qubes installation media,
> I can run the troubleshooting mode. I have qubes R4-rc4.
> I am also searching for the place to search for my appvms data so I can
> backup them and then re-install qubes (I use qubes for some months now),
> I can't find the appvm data anywhere... thanks for your answers !

Qubes R4.0 uses LVM instead of files - each disk in each AppVM is a separate LVM logical partition. Short version is you mount the decrypted disk, then you scan it for LVM partitions, and then mount the filesystem inside the LVM partition you want to recover. Have only done it once or twice, can't remember exact commands, but search for something like LUKS LVM rescue.
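The three steps named in the reply above (unlock the disk, scan for LVM, mount the volume), sketched as an added example that is not part of the original message. It assumes the default Qubes R4.0 layout (volume group `qubes_dom0`, private volumes named `vm-<name>-private`); `/dev/sdX2`, the mapping name `qubes_rescue` and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a rescue shell.
# DRY_RUN=1 (the default) only prints the commands so they can be reviewed.
# Assumed: VG "qubes_dom0" and LV names "vm-<name>-private" (R4.0 defaults);
# /dev/sdX2 is a placeholder for the LUKS partition.

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# recover_private LUKS_DEVICE VM_NAME MOUNTPOINT
recover_private() {
    [ "$#" -eq 3 ] || { echo "usage: recover_private DEV VM MOUNTPOINT" >&2; return 2; }
    luks_dev=$1
    vm=$2
    mnt=$3
    # The VM name becomes part of a device path: accept only safe characters.
    case "$vm" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad VM name: $vm" >&2; return 2 ;;
    esac
    # /dev/VG/LV is used because /dev/mapper doubles the hyphens in LV names.
    lv="/dev/qubes_dom0/vm-$vm-private"

    run cryptsetup luksOpen "$luks_dev" qubes_rescue &&  # 1. unlock the disk
    run vgscan &&                                         # 2. scan for volume groups
    run vgchange -ay qubes_dom0 &&                        #    activate its volumes
    run lvs qubes_dom0 &&                                 #    list them to confirm the name
    run mkdir -p "$mnt" &&
    run mount -o ro "$lv" "$mnt"                          # 3. mount read-only, then copy out
}

# Constructed sample invocation: prints the six commands for an AppVM "work".
recover_private /dev/sdX2 work /mnt/work
```

Set `DRY_RUN=0` only after the printed device and volume names match what `lsblk` and `lvs` show on the machine being recovered.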
Re: [qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
On Sun, March 11, 2018 5:49 pm, sevas wrote:
> I did not mean to go so far south with the above statements. So here's my
> additions for alternatives...
>
> CopperheadOS is doing a project still early in the making on reawakening
> the open source kernel hardening. The GitHub page can be found here:
> https://github.com/copperhead/linux-hardened/issues
>
> ...which are limited.

I agree, it's disappointing grsecurity couldn't figure out a better way to handle that. You might find this interesting, though: http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
Re: [qubes-users] Dependency error building Qubes
On Sun, March 11, 2018 9:22 pm, rucksack.peter via qubes-users wrote:
> I'm trying to build a Qubes ISO on a Fedora 26 System, following the
> instructions of the documentation page "Building Qubes OS ISO", and get
> this error message:
>
> make[1]: Entering directory '/home/xy/qubes-builder'
> sudo chroot /home/xy/qubes-builder/chroot-fc25 dnf install -y gcc-6.4.1-1.qubes1.fc25.x86_64 libgcc.x86_64
> Qubes OS Builder Repository 251 kB/s | 257 B 00:00
> No package gcc-6.4.1-1.qubes1.fc25.x86_64 available.
> Package libgcc-6.4.1-1.fc25.x86_64 is already installed, skipping.
> Error: Unable to find a match.
> make[1]: *** [qubes-src/vmm-xen/Makefile.builder:27: workaround-gcc-upgrade-fc25] Error 1
> make[1]: Leaving directory '/home/xy/qubes-builder'
> make: *** [Makefile:224: vmm-xen-dom0] Error 1
>
> How can I fix this?

I hit that too but didn't have time to dig in to it. The "qubes1" in the filename doesn't look quite right, I'd expect just "qubes" but maybe it's some other issue. If you want to fix it, look at the build-logs and build script and try to figure out where that is coming from? It's possible it's already fixed in Marek's repo but hasn't yet made it to master, so you might want to check recent commits there too.
[qubes-users] anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
As the title suggests, the very moment sending mail responses, it changes and turns into a deleted message. This has now happened twice in a row. So this is a heads-up for google's new level of censorship craziness. Though I have to wonder why it only hits some people, maybe it's because of certain Tor nodes out there.. Case of point, double deletes https://groups.google.com/forum/#!topic/qubes-users/b84gHvES2Bc I have to wonder if creating a new mail topic will be deleted too, if so, then at least some of you will read it. Given the above double accident twice in a row, and also the increased number of deleted messages here and there lately, it seems like google's auto-delete bot system is going overboard on its censorship. No harmful content was included, just a normal message like any other. - Yu
[qubes-users] Qubes won't boot "kernel panic", where is AppVm data?
Hello, I am currently locked out of my qubes system because of a "kernel panic" error I encounter when I boot the system, after the grub screen. I don't really know what to do. The only thing I did before this to happen is to try to install AEM (without success), it may be the reason for this. Is there any fix to this? I still have my qubes installation media, I can run the troubleshooting mode. I have qubes R4-rc4. I am also searching for the place to search for my appvms data so I can backup them and then re-install qubes (I use qubes for some months now), I can't find the appvm data anywhere... thanks for your answers !
Re: [qubes-users] Want to use qubes. Will my pc be compatible?
Hello,

On 11.03.2018 10:27 PM, "konngammre" wrote:
> So recently I found out about qubes-whonix and really want to try it out for
> myself but, I have a new pc and was wondering if it will work. Also if I have
> qubes on one drive and windows one another and the qubes drive is encrypted
> does the windows drive compromise security of qubes?

I highly suggest to read or at least take a quick look over the excellent Qubes documentation at https://www.qubes-os.org/doc/

Specifically:
https://www.qubes-os.org/faq/#is-there-a-list-of-hardware-that-is-compatible-with-qubes-os
... and ...
https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot

Questions from me:
1) what is your level of Linux expertise?
2) which applications are you running inside windows?

You could run Windows as HVM within Qubes to minimize the need to boot up windows. This is also a good migration way to find out which apps you need in Qubes to replace existing windows apps.

[799]
[qubes-users] Want to use qubes. Will my pc be compatible?
So recently I found out about qubes-whonix and really want to try it out for myself but, I have a new pc and was wondering if it will work. Also if I have qubes on one drive and windows one another and the qubes drive is encrypted does the windows drive compromise security of qubes?

gpu-Gtx 1060
cpu-ryzen 5 1600x
mobo-b350-f
12gb of ram
[qubes-users] Will qubes work with this pc?
So I recently got a pc and then learned about qubes-whonix and was wondering if it will work with my pc. Also If I have an encrypted qubes drive and a windows drive can the windows drive compromise qubes?

gpu-gtx 1060
cpu-ryzen 5 1600x
mobo-b350-f
12 gb of ram
[qubes-users] Dependency error building Qubes
I'm trying to build a Qubes ISO on a Fedora 26 System, following the instructions of the documentation page "Building Qubes OS ISO", and get this error message:

make[1]: Entering directory '/home/xy/qubes-builder'
sudo chroot /home/xy/qubes-builder/chroot-fc25 dnf install -y gcc-6.4.1-1.qubes1.fc25.x86_64 libgcc.x86_64
Qubes OS Builder Repository 251 kB/s | 257 B 00:00
No package gcc-6.4.1-1.qubes1.fc25.x86_64 available.
Package libgcc-6.4.1-1.fc25.x86_64 is already installed, skipping.
Error: Unable to find a match.
make[1]: *** [qubes-src/vmm-xen/Makefile.builder:27: workaround-gcc-upgrade-fc25] Error 1
make[1]: Leaving directory '/home/xy/qubes-builder'
make: *** [Makefile:224: vmm-xen-dom0] Error 1

How can I fix this?
Re: [qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I don't see the issue with the pax devs being anonymous as then it is much more difficult for someone to put political pressure on them to demand they insert a backdoor or approve some type of undesired change - ex: why do you think almost every linux distro switched to systemd overnight?
[qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I did not mean to go so far south with the above statements. So here's my additions for alternatives...

CopperheadOS is doing a project still early in the making on reawakening the open source kernel hardening. The GitHub page can be found here: https://github.com/copperhead/linux-hardened/issues ...which are limited.

If anyone has any information on the ColdHak.ca kernel hardening project, please let me know. I have sent messages to two of the ColdHak members and am awaiting response. My question is about what features to expect in their project. As their website has no information on what it actually does. As well, the last and only update was from a little over a year ago, it does not appear as if they are still working on this.

Update: One of the members of the ColdHak Team has reached out to me. What was not understood was that the ColdHak Project was an automated tool for building GrSec. The project was killed when GrSec closed the doors to open source developing, as mentioned above. There does not appear to be any active design for those who wish to change the
Re: [qubes-users] How to install qubes-windows-tools under Qubes 4rc5
On Sunday, March 11, 2018 at 1:53:32 PM UTC+1, Ivan Mitev wrote:
> On 03/11/2018 01:50 PM, 799 wrote:
> > Hello,
> >
> > I'm trying to install windows on my new Qubes 4rc5 installation.
> > It seems that Qubes.Windows-Tools (QWT) are not available in the Qubes
> > 4-repositories.
> >
> > qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
> > [...]
> > Error: Unable to find a match
> >
> > After some trial and error I found a way, is there another way to
> > accomplish easier?
> > If not I would add this to the docs.
>
> It's already a work in progress ; check this issue:
>
> https://github.com/QubesOS/qubes-issues/issues/3585
>
> BTW that's exactly the kind of main issue that ought to be listed in the
> qubes community project: not ready for official inclusion in qubes-doc,
> but helpful to probably many users.
>
> > 1) Go to the rpm-repository from Qubes 3.2
> > https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/
> >
> > 2) Download qubes-windows-tools-3.2.2-3.x86_64.rpm in an
> >
> > https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm
> >
> > 3) move the rpm file to dom0, run in dom0
> > qvm-run --pass-io 'cat /home/user/Download/qubes-windows-tools-3.2.2-3.x86_64.rpm' > qubes-windows-tools-3.2.2-3.x86_64.rpm
> >
> > 4) Verify rpm package
> > rpm -K qubes-windows-tools-3.2.2-3.x86_64.rpm
> > it would be better to verify the signature in the AppVM, but you need to
> > import the Qubes Signing Key to do so, I was lazy and was fine with moving
> > the rpm-file to dom0 and verify the signature there.
> >
> > 5) Install rpm-package
> > rpm -ivh qubes-windows-tools-3.2.2-3.x86_64.rpm
> >
> > 6) the Qubes Windows Tools ISO will be located at
> > /usr/lib/qubes/qubes-windows-tools.iso
> > this will be a link to the latest version installed, thereof to:
> > /usr/lib/qubes/ubes-windows-tools-3.2.2.3.iso in this case
> >
> > [799]

That's a good point, I'll try to see if I can promote your github post on Qubes Community to help increase awareness of it.
[qubes-users] Re: Qubes OS 4.0-rc5 has been released!
On Sunday, March 11, 2018 at 6:30:58 PM UTC+1, Dave wrote:
> I just used System Tools, Qubes Manager UPDATE (down arrow) for DOM0 and each
> template without keying terminal commands. It appears to have worked, so I
> assume that RC4 already included testing repo

yeah, if it's anything like it was back in Qubes 3.2. (I'd assume so), then these updates in the Qube Manager are stable updates. Once current-testing updates are deemed tested and stable after testers tried them out, they eventually migrate to stable repository. That's when you see them in the Qube Manager (or via normal update commands, not the current-testing ones). So I assume they must have been moved from testing to stable now?
[qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I did not mean to go so far south with the above statements. So here's my additions for alternatives... CopperheadOS is doing a project still early in the making on reawakening the open source kernel hardening. The GitHub page can be found here: https://github.com/copperhead/linux-hardened/issues ...which are limited.
[qubes-users] Re: Qubes OS 4.0-rc5 has been released!
I just used System Tools, Qubes Manager UPDATE (down arrow) for DOM0 and each template without keying terminal commands. It appears to have worked, so I assume that RC4 already included testing repo
Re: [qubes-users] sys-usb issue
Thanks, I'll look into it.

On Sun, Mar 11, 2018 at 11:04 awokd wrote:
> On Sun, March 11, 2018 2:53 pm, Travis Dean wrote:
> > I set up a usb qube, I have all usb controllers assigned to it. It is
> > based on Fedora 26. I am on Qubes OS 4 rc5. When I shutdown the Debian 9
> > TemplateVM all usb devices disappear from the list of attached devices. I
> > then have to restart sys-usb.
> >
> > I've tested to see if it does it with any other TemplateVMs and it does
> > not, only Debian 9.
>
> There was a similar thread over on qubes-devel. Don't know if an issue got
> created.
Re: [qubes-users] sys-usb issue
On Sun, March 11, 2018 2:53 pm, Travis Dean wrote:
> I set up a usb qube, I have all usb controllers assigned to it. It is
> based on Fedora 26. I am on Qubes OS 4 rc5. When I shutdown the Debian 9
> TemplateVM all usb devices disappear from the list of attached devices. I
> then have to restart sys-usb.
>
> I've tested to see if it does it with any other TemplateVMs and it does
> not, only Debian 9.

There was a similar thread over on qubes-devel. Don't know if an issue got created.
[qubes-users] sys-usb issue
I set up a usb qube, I have all usb controllers assigned to it. It is based on Fedora 26. I am on Qubes OS 4 rc5. When I shutdown the Debian 9 TemplateVM all usb devices disappear from the list of attached devices. I then have to restart sys-usb. I've tested to see if it does it with any other TemplateVMs and it does not, only Debian 9.
[qubes-users] Networking doesn't work in Qubes 4.0-rc5
I've been using R4-rc2 for some months and I've just installed the R4-rc5 version, but it's giving me hard times. During the installation it complains about Vt-d and Interrupt Remapping features missing and sys-usb didn't work at the beginning, but after I switched to PV mode it works fine, I can connect to my WiFi and sys-net can reach the internet. The point is any other qube, sys-firewall included, can't reach the internet.

- I've tried to analyze the traffic with wireshark and it seems that the DNS requests reach sys-net, but no answer is received, while in sys-net everything seems fine (`dig` works).
- I've tried to ping sys-firewall and send some packets from sys-net with the Python socket and the packets reach sys-firewall but the `recv()` function stucks in a death loop as nothing is received, so I think somewhere the packets are dropped.
- I've tried to clear all iptables chains, but nothing changed.

Everything worked in rc1, rc2 and I think also rc3 (I can't remember the last update - current-testing repo), so I really can't figure out what I'm missing. Some major changes concerning networking were introduced in rc5? Anyone is experiencing the same problem? Any suggestions?
Re: [qubes-users] DNS propagation in Qubes
On 03/11/2018 03:03 PM, David Hobach wrote:
> So yes, if one is aware of that issue, one can certainly use it the way you described.
> If you rely on the qubes-firewall to work as expected, you shouldn't use it.

P.S.: An alternative might be to setup the local DNS service in a VM closer to the Internet, i.e. not in the proxy VM which also implements the qubes firewall. Something like

    Internet <-- sys-net <-- sys-firewall <-- DNS server VM <-- proxy VM with qubes-fw <-- client VM

I didn't test that though.
Re: [qubes-users] DNS propagation in Qubes
On 03/11/2018 11:21 AM, Chris Laprise wrote:
> ...and for now omitted the '-d' destination part in iptables. Then if I issue:
>
> sudo iptables -t nat -F PR-QBS
> sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $eth0_address
> sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $eth0_address
>
> it appears to work from a downstream appVM. But I haven't checked yet to see if it's really using the dnscrypt proxy; even if it is, the config may need to be adjusted for better security.

I just tested that one (my implementation was also doing pretty much exactly that + a local INPUT chain firewall so it was a 5 min test removing the INPUT firewall):

Since you'll need something like

    -I INPUT -p udp -m udp --dport 53 -j ACCEPT
    -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT

it makes DNS accessible for all downstream VMs regardless of the qubes-firewall settings, i.e. apparently the nft FORWARD rules are not applied for DNAT to localhost. That's probably why I had opened that github issue & implemented a local firewall back then...

You can verify my findings by using the dom0 qvm-firewall command line to revoke DNS access for a downstream VM & then use e.g. dig in that VM. The qubes-vm-settings GUI won't work as in 4.0 DNS & ICMP is always allowed.

So yes, if one is aware of that issue, one can certainly use it the way you described. If you rely on the qubes-firewall to work as expected, you shouldn't use it.
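A local INPUT-chain firewall of the kind mentioned in the message above, as an added example (not code from the thread and not Qubes' own): it prints iptables commands that admit DNS only from an allowlist of downstream VMs and drop the rest. The chain name DNS-LOCAL and the 10.137.0.x addresses are made up for illustration, and the sketch assumes the allowed VMs are attached directly to this VM, so their own addresses appear as the packet source.

```shell
#!/bin/sh
# Added example: generate (print, not apply) INPUT rules for a VM that DNATs
# downstream DNS to a local resolver, so that only allowlisted VMs can use it.
# Chain name and addresses below are constructed for illustration.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dns_input_rules CHAIN ADDR...: print one iptables command per line.
dns_input_rules() {
    chain=$1; shift
    [ $# -gt 0 ] || { echo "no allowed addresses given" >&2; return 1; }
    # Validate everything first so a typo never yields a half-built rule set.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "iptables -N $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -s $ip -j ACCEPT"
    done
    # Any other source reaching the chain is dropped.
    echo "iptables -A $chain -j DROP"
    # Hook the chain in place of the unconditional
    # '-I INPUT -p udp/tcp --dport 53 -j ACCEPT' pair quoted in the message.
    for proto in udp tcp; do
        echo "iptables -I INPUT -i vif+ -p $proto --dport 53 -j $chain"
    done
}

# Print the rule set for two constructed downstream addresses.
dns_input_rules DNS-LOCAL 10.137.0.10 10.137.0.11
```

This allowlist is maintained separately from qvm-firewall, so the dig test described in the message is still the way to confirm that a VM left off the list really gets no answer.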
Re: [qubes-users] bash autocomplete
On Sun, Mar 11, 2018 at 02:11:02PM +0100, haaber wrote:
> I don't know what this 3D-thing is, I'll learn it. I have, in the
> meanwhile, tested the attached file, that distinguishes also running,
> paused and halted VM's. For the moment this is completely sufficient for
> me. Maybe I'll add the completion "root" when I complete "qvm-run -u",
> since this is what I need for updating sudo-less minimal templates :)
>
> I put the file in /etc/bash_completion.d/ within dom0, and source it
> in .bashrc.

awesome, thanks for sharing (again)! :)

-- cheers, Holger
Re: [qubes-users] bash autocomplete
Thank you Holger,

I don't know what this 3D-thing is, I'll learn it. I have, in the meanwhile, tested the attached file, that distinguishes also running, paused and halted VM's. For the moment this is completely sufficient for me. Maybe I'll add the completion "root" when I complete "qvm-run -u", since this is what I need for updating sudo-less minimal templates :)

I put the file in /etc/bash_completion.d/ within dom0, and source it in .bashrc.

Bernhard

    #!/bin/bash
    # Bash completion for the qvm-* tools in dom0: complete VM names,
    # filtered by VM state where the command only makes sense for that state.

    # Complete with the names of all VMs.
    _qvmall()
    {
        local cur VMS
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        VMS=$(qvm-ls --raw-list)
        COMPREPLY=( $(compgen -W "${VMS}" -- "${cur}") )
        return 0
    }

    # Complete with the names of running VMs only.
    _qvmrunning()
    {
        local cur VMS
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        VMS=$(qvm-ls --raw-data|grep -i running|cut -f1 -d"|")
        COMPREPLY=( $(compgen -W "${VMS}" -- "${cur}") )
        return 0
    }

    # Complete with the names of halted VMs only.
    _qvmhalted()
    {
        local cur VMS
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        VMS=$(qvm-ls --raw-data|grep -i halted|cut -f1 -d"|")
        COMPREPLY=( $(compgen -W "${VMS}" -- "${cur}") )
        return 0
    }

    # Complete with the names of paused VMs only.
    _qvmpaused()
    {
        local cur VMS
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        VMS=$(qvm-ls --raw-data|grep -i paused|cut -f1 -d"|")
        COMPREPLY=( $(compgen -W "${VMS}" -- "${cur}") )
        return 0
    }

    complete -F _qvmall qvm-appmenus
    complete -F _qvmall qvm-clone
    complete -F _qvmall qvm-firewall
    complete -F _qvmall qvm-move-to-vm
    complete -F _qvmall qvm-remove
    complete -F _qvmall qvm-start-gui
    complete -F _qvmpaused qvm-unpause
    complete -F _qvmall qvm-backup
    complete -F _qvmall qvm-copy-to-vm
    complete -F _qvmrunning qvm-pause
    complete -F _qvmall qvm-run
    complete -F _qvmall qvm-usb
    complete -F _qvmall qvm-backup-restore
    complete -F _qvmall qvm-service
    complete -F _qvmrunning qvm-kill
    complete -F _qvmrunning qvm-shutdown
    complete -F _qvmall qvm-tags
    complete -F _qvmall qvm-check
    complete -F _qvmall qvm-features
    complete -F _qvmall qvm-prefs
    complete -F _qvmhalted qvm-start
Re: [qubes-users] bash autocomplete
On Fri, Mar 02, 2018 at 07:10:22PM +, Holger Levsen wrote:
> On Tue, Feb 27, 2018 at 03:23:50PM +0100, haaber wrote:
> > to have the shell behave nicer. If I have some free time, I might
> > customize this stub to suggest available options to all qvm-* and
> > qubes-* commands. I am surprised that I might be the first one to
> > discuss this subject (?!) Bernhard
>
> i'm definitely interested in this, this is super useful.

so thanks, Unman and haaber, I now have this as my .bashrc and it works nicely:

    # .bashrc

    # Source global definitions
    if [ -f /etc/bashrc ]; then
        . /etc/bashrc
    fi

    # Uncomment the following line if you don't like systemctl's auto-paging feature:
    # export SYSTEMD_PAGER=

    # User specific aliases and functions

    # Complete the current word with the names of all VMs.
    _qvm()
    {
        local cur VMS
        COMPREPLY=()
        cur="${COMP_WORDS[COMP_CWORD]}"
        VMS=$(qvm-ls --raw-list)
        COMPREPLY=( $(compgen -W "${VMS}" -- "${cur}") )
    }

    complete -F _qvm qvm-appmenus
    complete -F _qvm qvm-clone
    complete -F _qvm qvm-firewall
    complete -F _qvm qvm-move-to-vm
    complete -F _qvm qvm-remove
    complete -F _qvm qvm-start-gui
    complete -F _qvm qvm-unpause
    complete -F _qvm qvm-backup
    complete -F _qvm qvm-copy-to-vm
    complete -F _qvm qvm-pause
    complete -F _qvm qvm-run
    complete -F _qvm qvm-usb
    complete -F _qvm qvm-backup-restore
    complete -F _qvm qvm-service
    complete -F _qvm qvm-kill
    complete -F _qvm qvm-shutdown
    complete -F _qvm qvm-tags
    complete -F _qvm qvm-check
    complete -F _qvm qvm-features
    complete -F _qvm qvm-prefs
    complete -F _qvm qvm-start
    complete -F _qvm qm

For your convenience I've also attached this file. (you might want to comment out the last line...)

-- cheers, Holger
Re: [qubes-users] How to install qubes-windows-tools under Qubes 4rc5
On 03/11/2018 01:50 PM, 799 wrote:
> Hello,
>
> I'm trying to install windows on my new Qubes 4rc5 installation.
> It seems that Qubes.Windows-Tools (QWT) are not available in the Qubes 4-repositories.
>
> qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
> [...]
> Error: Unable to find a match
>
> After some trial and error I found a way, is there another way to accomplish easier?
> If not I would add this to the docs.

It's already a work in progress; check this issue:
https://github.com/QubesOS/qubes-issues/issues/3585

BTW that's exactly the kind of main issue that ought to be listed in the qubes community project: not ready for official inclusion in qubes-doc, but helpful to probably many users.

> 1) Go to the rpm-repository from Qubes 3.2
> https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/
>
> 2) Download qubes-windows-tools-3.2.2-3.x86_64.rpm in an
> https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm
>
> 3) move the rpm file to dom0, run in dom0
> qvm-run --pass-io 'cat /home/user/Download/qubes-windows-tools-3.2.2-3.x86_64.rpm' > qubes-windows-tools-3.2.2-3.x86_64.rpm
>
> 4) Verify rpm package
> rpm -K qubes-windows-tools-3.2.2-3.x86_64.rpm
> it would be better to verify the signature in the AppVM, but you need to
> import the Qubes Signing Key to do so, I was lazy and was fine with moving
> the rpm-file to dom0 and verify the signature there.
>
> 5) Install rpm-package
> rpm -ivh qubes-windows-tools-3.2.2-3.x86_64.rpm
>
> 6) the Qubes Windows Tools ISO will be located at
> /usr/lib/qubes/qubes-windows-tools.iso
> this will be a link to the latest version installed, thereof to:
> /usr/lib/qubes/ubes-windows-tools-3.2.2.3.iso in this case
>
> [799]
Re: [qubes-users] Semi-crosspost to qubes-users. Windows HVM dual-headed use on Qubes R3.2 issues/experiences
On Thursday, March 8, 2018 at 1:35:22 PM UTC+3, awokd wrote:
> There's a suggestion in here to use one large window covering both screens
> along with "Winsplit Revolution" to make virtual monitors inside that:
> https://www.mail-archive.com/qubes-users@googlegroups.com/msg08199.html
>
> Kind of a hack but I'm not aware of any other working approach.

The previous post was intended in response to awokd, not myself :) Fat fingers, sorry.
[qubes-users] Re: Semi-crosspost to qubes-users. Windows HVM dual-headed use on Qubes R3.2 issues/experiences
On Thursday, March 8, 2018 at 1:08:50 AM UTC+3, caroline...@gmail.com wrote:
> Hello!
> Just posting into qubes-users to ask if anyone was able to get it to work
> properly (as two separate windows emulating two separate monitors under
> windows)
>
> I was able to do that ALMOST acceptably by doing the steps described here:
> https://github.com/QubesOS/qubes-issues/issues/3480
>
> But just as the person reporting there I am being thwarted by a nasty "ghost
> mouse/click" bug.
>
> Has anyone ever found a workaround for this issue? Is there perhaps a better
> way to do a dual-head (maybe we could get both "screen-windows" originate
> from QGA.exe?)
>
> P.S.: I initially posted about this in qubes-devel in hopes that maybe
> someone there would know a workaround for this. Posting here in hope that
> maybe someone also tried to do a dual-head in windows under Qubes and figured
> out workaround for issue currently plaguing me.

Thanks for suggestion! That's what I am doing now, but the "stretch window across two screens" is working out bad for me, because resolutions differ between two my screens, and I end up wasting a chunk of space on main screen (and it looks ugly)

The "honest two windows for honest two screens" approach is much more promising, if only someone could find a way to get rid of them ghost clicks.
[qubes-users] How to install qubes-windows-tools under Qubes 4rc5
Hello,

I'm trying to install windows on my new Qubes 4rc5 installation. It seems that Qubes.Windows-Tools (QWT) are not available in the Qubes 4-repositories.

    qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
    [...]
    Error: Unable to find a match

After some trial and error I found a way, is there another way to accomplish easier? If not I would add this to the docs.

1) Go to the rpm-repository from Qubes 3.2
https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/

2) Download qubes-windows-tools-3.2.2-3.x86_64.rpm in an
https://ftp.qubes-os.org/repo/yum/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm

3) move the rpm file to dom0, run in dom0

    qvm-run --pass-io 'cat /home/user/Download/qubes-windows-tools-3.2.2-3.x86_64.rpm' > qubes-windows-tools-3.2.2-3.x86_64.rpm

4) Verify rpm package

    rpm -K qubes-windows-tools-3.2.2-3.x86_64.rpm

it would be better to verify the signature in the AppVM, but you need to import the Qubes Signing Key to do so, I was lazy and was fine with moving the rpm-file to dom0 and verify the signature there.

5) Install rpm-package

    rpm -ivh qubes-windows-tools-3.2.2-3.x86_64.rpm

6) the Qubes Windows Tools ISO will be located at /usr/lib/qubes/qubes-windows-tools.iso
this will be a link to the latest version installed, thereof to: /usr/lib/qubes/ubes-windows-tools-3.2.2.3.iso in this case

[799]
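Step 4 above uses `rpm -K` as the signature check, but `rpm -K` also prints OK and exits 0 for a package that carries no signature at all, so the result line has to be read rather than the exit status. An added example, not part of the original post: it classifies an `rpm -K` result line in both the older per-item wording and the "digests signatures" wording of rpm 4.14 and later; the function names are hypothetical and the sample lines, including the key ID, are constructed.

```shell
#!/bin/sh
# Added example: decide from a line of `rpm -K` output whether the package
# carried a signature that verified, not merely intact digests.

# classify_rpm_check LINE: print one of signed | unsigned | failed | unknown.
classify_rpm_check() {
    result=${1#*: }                 # drop the leading "package.rpm: "
    case $result in
        *"NOT OK"*)
            echo failed ;;          # bad digest, bad signature or missing key
        *signatures*OK|*rsa*OK|*dsa*OK|*pgp*OK|*gpg*OK)
            echo signed ;;          # a signature item is listed and verified
        *OK)
            echo unsigned ;;        # only digests were checked
        *)
            echo unknown ;;
    esac
}

# require_signed FILE: run rpm -K and succeed only when a signature verified.
require_signed() {
    line=$(LC_ALL=C rpm -K "$1" 2>/dev/null) || true
    verdict=$(classify_rpm_check "$line")
    echo "$1: $verdict" >&2
    [ "$verdict" = signed ]
}

# Constructed sample lines (not captured output), older wording first.
PKG=qubes-windows-tools-3.2.2-3.x86_64.rpm
SAMPLE_SIGNED_OLD="$PKG: rsa sha1 (md5) pgp md5 OK"
SAMPLE_UNSIGNED_OLD="$PKG: sha1 md5 OK"
SAMPLE_NOKEY_OLD="$PKG: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)"
SAMPLE_SIGNED_NEW="$PKG: digests signatures OK"
SAMPLE_UNSIGNED_NEW="$PKG: digests OK"
SAMPLE_NOKEY_NEW="$PKG: digests SIGNATURES NOT OK"
```

In dom0 the install in step 5 would then be gated as `require_signed "$PKG" && rpm -ivh "$PKG"`.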
Re: [qubes-users] DNS propagation in Qubes
On 03/10/2018 04:43 PM, Alex Dubois wrote:
> On Saturday, 10 March 2018 13:16:37 UTC, Micah Lee wrote:
>> ‐‐‐ Original Message ‐‐‐
>> On March 8, 2018 11:26 AM, Chris Laprise wrote:
>>> [1] https://dnsprivacy.org/wiki/
>>> [2] https://www.qubes-os.org/doc/networking/
>>>
>>> Micah, If you have any specific instructions on how to setup the forwarder you're using, I'd be happy to try it myself and post a solution for use with qubes-firewall. I found the dnsprivacy wiki to be a bit scattered and not very specific. Their video "tutorial" is really a lecture on the concept.
>>
>> Thanks, yes I'd love to share instructions. I haven't gotten it working yet -- I'm traveling right now and haven't spent a lot of time on it, and might not for the next week or two. But once I figure it out I'd like to write a blog post or something with instructions. But maybe I should send it to this list first for people to test and give feedback.
>
> For your info, I have a wiki on how to use dns-crypt here: https://github.com/adubois/adubois.github.io/blob/master/_posts/2013-11-19-setup-dnscrypt-unbound.md
> It is supposed to be exposed via blog.bowabos.com but github changed something and the static site does not get automatically generated at the moment...

Nice. I gave this a try on debian-9, using apt to install dnscrypt-proxy and unbound.

One problem is that the howto assumes particular Qubes 10.137.2.x and 10.138.2.x nets for unbound. Another problem is that on Qubes 4.0 the vif interfaces plus eth0 all share the same IP address. This isn't explained in the Qubes networking or firewall docs, so it may be a bug...

To keep unbound.service from failing I changed unbound.conf to this:

    interface:
    access-control: 10.137.0.0/24 allow
    harden-large-queries: yes
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
    val-permissive-mode: yes
    do-not-query-localhost: no

...and for now omitted the '-d' destination part in iptables. Then if I issue:

    sudo iptables -t nat -F PR-QBS
    sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $eth0_address
    sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $eth0_address

it appears to work from a downstream appVM. But I haven't checked yet to see if it's really using the dnscrypt proxy; even if it is, the config may need to be adjusted for better security.

-- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] FYI: Kernel Hardening; a discussion (2018)
For those of you who are fresh like myself, I'm going to compile some information I've found on Qubes Kernel hardening. And for the tech savvy Qubes junkies, also like myself, let's have another discussion! Of course anyone's welcome to add their 2 cents or drop a dime.

~Things that I think are facts but might not be as of early 2018~

1. Qubes does not incorporate kernel hardening.
2. GrSecurity is really great security? (Discussion/opinion below)
3. The Coldkernel Team is working on Qubes kernel hardening.
4. GrSecurity is working close with PaX.

Q - Why should you care?
A - Kernel Hardening protects against many forms of L337 H4X0R5 and monsters.

~More pseudo-phacts~

5. "PaX is maintained by The PaX Team, whose principal coder is anonymous" -cite: https://en.wikipedia.org/wiki/PaX
6. GrSecurity is really great security but very few distros use it. -Why? An extrapolation on this below.
7. Q - Why is Qubes not integrated with GrSecurity/PaX?
   A - "Grsec is dead (at least as an open source project), so it doesn't apply anymore." -marmarek (dev)
8. Q - How can we easily incorporate kernel hardening into our Qubes?
   A - Directly into your qubes just like this: https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html

~On GrSecurity/PaX~

GrSecurity, allegedly, is a really great form of kernel hardening. A brief look at their wikibooks.org page tells you that they have done their homework. Notably, there are features that Qubes users would find very appealing. Upon further investigation, it seems as though this is not an open source project, meaning that only the inner core of developers works on maintaining and updating the code, but the source is still free to distribute so long as it's not changed, from my understanding. (cont. below)
cite: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options

GrSec doesn't keep their docs well maintained and the setup uses lots of jargon/acronyms that are not for modest users. -misquote, Qubes user, April 2017

-drawbacks to GrSec:
 -you have to pay for support to keep up-to-date with patches
 -the likelihood of users scrutinizing the code is much smaller than open-source development

GrSec, while it sounds good, is aimed at a different breed of user-base. I really like the idea of (excuse my lack of proper technical terms) a non-profit that still gets paid. I have no idea how it actually works, but I assume that people that believe in a presented idea donate and developers get paid to perform a civil service. That is a really sound business plan. Sure, lots of people do not donate. Alternately, lots of people DO donate.

For instance, Kali Linux. They offer a free to the public open source service: the hacking distro, originally Backtrack Linux. They needed more money, so instead of living off of donations, they created the OffSec brand training and certifications. OffSec and Kali: two mostly different products that do not solely rely on each other. Or I should say, Kali does not rely on OffSec.

The difference that I'm hinting at is that GrSec does not support this freedom. It's subtly obvious that between not keeping the documentation up-to-date and the software itself being hard to understand, they have made the open source 'project' extremely difficult for the end user. It is only really feasible for enterprises. To reiterate in a somewhat prejudiced, unprofessional manner: They're not open source because they believe in open source. Their heart isn't in it.

Back to business. "In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble." -theregister.co.uk

pseudo-facts: Bruce Perens posted a blog article in late June of 2017 that concluded that anyone who compiled their kernel using GrSec was subject to "contributory infringement and breach of contract" due to the GNU policy declining the modification of code. At first glance, it would seem that Perens did slander this company and some would argue that this accusation would be a far-fetched plausibility for a company that is only insuring themselves. But as the security community well knows and lawsuits have well-documented, corporations often blur the lines between property dispute.

The month after Perens posted his blog, the stated company lashed back as would a person deeply hurt by critique. I wouldn't think that slander would warrant a lawsuit, but a lawsuit it was accusing Bruce, his webhost and others of defamation and business interference. This does not make them stand out from other companies. After all, Cisco sued DefCon in 2005 for similar reasons of exposing vulnerabilities in their routers. But this is the nature of what makes security SECURE. Exposing loopholes and plugging them. And this company acted with a most unbecoming maturity.

cite: