Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-10-04 Thread nishiwaka46
On Tuesday, October 4, 2016 at 01:37:16 UTC+2, raah...@gmail.com wrote:
> On Monday, October 3, 2016 at 1:14:13 PM UTC-4, nishi...@gmail.com wrote:
> > It isn't a configuration problem but a driver related one. I made the 
> > mistake to set up this mouse with a minimum DPI value that is too high. 
> > Anyway it has by default a high DPI value that does not fit a browsing / 
> > workstation profile. I bought it for gaming purpose, but I stopped playing 
> > video games.
> > 
> > Problem is driver from manufacturer to Linux users is really bad as ofc 
> > they don't sell it for that usage. So unless someone would know how to 
> > properly burn a udf USB iso, I guess I'll have to reinstall baremetal 
> > Debian and take an afternoon to compile sources and make it work, once 
> > again...
> 
> if it works in a baremetal debian, it should work in a debian based sys-usb.

Thank you for the tip, I forgot indeed to try this. But I found an easier 
solution as those drivers for Debian were considered as "outdated" by the 
manufacturer (confirmed xd it took me a lot of time to make them work :S) : to 
go for a Linux distro where they were still implemented by developers : )

So I just installed Ubuntu and they worked fine, took me 5mn to install and 
lower down DPI :)

Well so once again, really sorry for having gone on this full paranoid mode and 
talking shit about Qubes, thinking my HDD was hijacked or smth wtf.. So stupid 
and bad mannered from me... Unfortunately it comes from a previous rootkit 
experience on Windows so I suppose now when I see something kinda suspicious 
like an USB refusing to boot, I react like this, which isn't adapted at all.

I hope it's cool and that I didn't hurt anyone. Even though this ipv6 port 
listening surprised me, I will keep using Qubes as it is a great OS and the 
work done here by developers is just awesome. Documentation is also clear and 
well written. I also like the fact it comes with Debian + Xfce, which is imo 
the best desktop manager on Linux. Simple, elegant, and still greatly 
customizable : ) I find it better than the current Ubuntu default desktop 
manager I just discovered, but I guess everyone has its own preferences ^^
But yea first I really want to try out Unix BSD as when you are running Linux 
since few months you might want to discover where everything started : )

Bye and thank you again for your help on closing ipv6 on Debian, I hope it 
might help someone else not willing to have it enabled (for now... as we will 
all have to use it within time !)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d741cfcf-18cf-48c1-9842-09e8a0f2ff43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-10-03 Thread nishiwaka46
It isn't a configuration problem but a driver related one. I made the mistake 
to set up this mouse with a minimum DPI value that is too high. Anyway it has 
by default a high DPI value that does not fit a browsing / workstation profile. 
I bought it for gaming purpose, but I stopped playing video games.

Problem is driver from manufacturer to Linux users is really bad as ofc they 
don't sell it for that usage. So unless someone would know how to properly burn 
a udf USB iso, I guess I'll have to reinstall baremetal Debian and take an 
afternoon to compile sources and make it work, once again...



Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-10-02 Thread nishiwaka46
Uh ok, this ipv6 listening on my template set me in full paranoid mode. I have 
found disappointing to see ipv6 wasn't disabled on Debian template, but yea 
sorry, I went completely mad & full retard mode about Qubes on the rest.

I thought I was betrayed. I have been betrayed a lot by relatives but that 
doesn't mean I'm supposed to react like a dumbass and think of conspiracy if I 
got one port listening... Sadly my imagination went crazy mode. I guess you can 
call it a defense mechanism, but nevertheless, I am sorry about that.

My boot problem is in fact related to "sudo dd if=/file.iso of=/dev/sdX" ends 
up burning a UDF partition that refuses to boot. I tried your advice except 
the ArchLinux one, but I guess I just have to keep trying. Also I read 
somewhere I need to enter "bs=512" to burn more little fragments than the 
original size to avoid boot problem with UDF. This might fix my issue, I will 
try tomorrow.

Fun part is that I want to go back to Windows only very briefly, to install my 
mouse drivers and fix its sensitivity being too fast, as Linux drivers are 
really painful to install for this model (I did it on Debian, it took me a lot 
of efforts to make it work).

Then I think I will probably join back in the future Qubes, as indeed it is a 
very innovative OS. It's just I am interested on trying BSD systems. I found a 
great guide to learn Korn shell scripting, watched all videos 
https://m.youtube.com/playlist?list=PLCAFDE9B81B30388E
It was very interesting and very well made, allows you to understand better how 
the command line works and the logic behind programs !

In fact I just want to learn to use a different Unix-based system than Linux 
and try there what I have learnt on this great tutorial. It's easier when your 
mouse isn't on steroids ^^



Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-10-01 Thread nishiwaka46
Hello Andrew,

How are you ? Thank you for your time, I appreciate your help. I don't know if 
I went full paranoid mode but I just wanted to apologize having been so 
aggressive. It's not the way I behave myself in real, I am really the opposite 
kind, being sensitive and trying to stay polite with people. I clearly failed 
there so I just wanted to let you know that I truly respect Qubes development 
team and that I am sorry for having let myself end up being nasty... 
What bothers me is that I really love the American culture and I don't 
understand why on the political part NSA is making a war nowadays on the entire 
world on privacy rights. Well, as anyone I have been really shocked by 9/11 
terrorist attacks. Even though I understand the US politics reacted because 
they have been hurt on a power symbol, I really want these paranoid policies by 
NSA against every privacy rights of citizen to end. Human dignity is based on 
privacy respect. I can tell you about it, I lost a huge part of my dignity in 
psychiatry, going there for wrong reasons (got fascists perverts in my family).
And I mean, who doesn't love the US ? If I had to move to a desert island and 
only take 5 of my favorite movies ever, I would probably take 3 American ones 
: "Mulholland Drive", "Forrest Gump" and "Changeling". What's fascinating is 
that all those 3 outstanding movies express in a very different way the same 
universal feeling : love. I feel so grateful to the US when I watch them 
because actually my life sucks, got no friends, no family left. I feel like 
receiving a bit of love I missed. Well, all that being said, thank you for your 
support. I'll try your solutions when I'll wake up :)



Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-09-30 Thread nishiwaka46
I was indeed but I lost trust in Qubes. Officially ipv6 disabled by default but 
hf being secretly backdoored on ipv6... Nice privacy respect policies.

I won't wait another week with my HDD disabled by this OS.
Come on, please, why would someone doubt on something that is so obvious ? I 
used 3 different USB keys and different iso images. Every USB keys fails on 
booting while isos have been properly burnt to USBs on a fresh new install. 
Can't install any other OS, my hard drive is locked. This is so disgusting.

Some explanations on how to completely erase Qubes OS and his disk USB 
protection out of your hard disk would be really helpful, as I can't use 
currently my computer..



Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-09-30 Thread nishiwaka46
Hi,

Could a Qubes developer pay attention on this ticket, please ?

I can't reinstall any other OS than Qubes on my HDD. When I put in a USB key, 
it doesn't boot on it, it switches directly to the GRUB menu.

I am sure at 100% it comes from some sort of disk protection that Qubes put on 
my disk. I am also sure that those USB keys would work on any other HDDs, as 
they are properly burnt.

I tried to reinstall Qubes without disk encryption. It didn't change the 
outcome.

How do I remove this disk block so I can use USB keys to install another OS 
than Qubes ?
If you wanna make hostages, then say it on your web page because right now my 
disk is unusable and it's Qubes responsibility at 100%.

I'll wait here until someone tells me how to completely erase Qubes from my 
disk (USB PROTECTION INCLUDED) so that EVENTUALLY I could switch to another OS 
and FUCKING MOVE ON, FOR GOD'S SAKE.



Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-27 Thread nishiwaka46
"An agenda against Qubes goal". Lol, that would been really arrogant because I 
joined Linux only 3 months ago and I have everything to learn.

But if you want to talk about what Qubes provides, I have my opinion on the 
subject : Qubes greatest innovation is kinda making business of privacy rights, 
you can either consider it as a very offensive hacking tool platform, a Kali 
Linux best ally, a weapon which imo can do more harm than good, either a noob 
trap. That's obviously not the way I want the Internet to evolve, if you don't 
mind. As if posting here with this very friendly PRISM data collection provided 
by Google would make Qubes community trustworthy. What a joke.

If M. Snowden would have used Qubes instead of Tails to make his revelations to 
everyone about global surveillance, he would probably be in jail right now. I 
guess vast majority of folks shocked about what his revelations showed would be 
really unhappy about that.

So for people really considering privacy rights in an opened and a good manner 
way, you have Tails, and when it's time to discuss about security by default on 
a fresh new system, you have OpenBSD. Rest is just business and making profits 
under a license you currently don't own. Richard Stallman would be proud.

Also when you can read on the Whonix FAQ 
https://www.whonix.org/wiki/FAQ#Why_aren.27t_you_using_OpenBSD.2C_it.27s_the_most_secure_OS_ever.21.21.211.21
 this very arrogant statement "There is now Qubes OS, OpenBSD lacks such 
innovative security improvements, which claims.", you got another big joke 
right there.

What makes the Internet still a little bit secured right now is coming directly 
from MIT and Unixmen that developed OpenSSH. I guess showing more respect for 
an OS that has been compromised like 2 times in 20 years and which policies are 
what the Internet world needs might help. But yeah, you can think of the 
Internet as a battleground, I don't really mind, it's not the way I see it.
You have people concerned about building inoffensive fortresses or shields, to 
make sure Internet stays what it was at the very beginning (a space to provide 
educational content, to share ideas in a peaceful way) and you have people that 
use it as if it was a weapon. What a shame. So long Qubes.



Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-26 Thread nishiwaka46
Hey,

Really ? No one to find also suspicious a wild init/1 tcp6 port listening on 
your templateVM, right out of the box ? This got to be real.

I am still interested in your solutions to quit Qubes OS and have another OS 
being able to run on my USB key and be installed, if you don't mind.

I am answering you on my phone just because it seems my old Qubes deleted 
partition doesn't like very much my USB key to run over it, for some reason. 
And this is pissing me off.

So let me rephrase : how do you completely remove Qubes OS from your hard drive 
so that eventually it might still accept another OS install ? Fuck this shit.

Btw on any decent OS you can clear your own partitions on installation window 
and refresh your own disk without installing the OS. On Qubes you can't. You 
are supposed to run the install to do so. And it seems the install fucks your 
hardware next -.-



Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-26 Thread nishiwaka46
Hey,

Thank you guys for your help, but unfortunately I don't think there is a way to 
get rid of this process listening on tcp6 on init (systemd... d standing here 
for distant...). It is listed as 1 on PID, I don't think you can't remove it, 
it is a main process. So I am not interested in using Qubes anymore because I  
disapprove those bad policies on respect of privacy.
I don't want data to travel from my main template to Qubes servers without my 
consent and I don't like the fact someone might monitor what I am doing with my 
Debian template through ipv6. Really disappointing.

Tbh at first I liked the fact that Qubes doesn't allow to be installed inside 
another OS, it looked like a nice security feature, but now that I can't clear 
completely my hard disk from Qubes hard drive protection, this is really 
annoying as I can't reinstall another OS on my hard drive.

Any help on how to uninstall completely Qubes by removing the hard drive 
protection would be appreciated. I didn't find a way to do it in documentation.

Regards



[qubes-users] I can't disable ipv6 on Debian Template

2016-09-25 Thread nishiwaka46
Hello,

I am surprised that there is no way to disable ipv6 on Debian template.

I reinstalled first the template using documentation 
https://www.qubes-os.org/doc/reinstall-template/

Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I did 
reboot the Template but it didn't change the outcome, I still had ipv6 ports 
opened using "netstat -antp"

I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but I 
still got those distant servers listening when I check using commands like 
"sudo lsof -i6" or "netstat -antp" on my Debian Template.

What is rpcbind, avahi-dae and why you got this ipv6 bound to systemd on PID 1 
? Looks suspicious, I thought Ipv6 was disabled by default on Qubes.

Regards

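
The `netstat -antp` check from the post above, turned into a small triage script; this is an added example, not part of the thread. It separates `tcp6` listeners bound to every interface from loopback-only ones and marks sockets held by PID 1, which is how a systemd socket unit typically appears. The sample output and the function names `classify_v6_listeners` and `exposed_v6_ports` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage IPv6 listeners in
# `netstat -antp` output. A tcp6 LISTEN row is a local socket waiting for
# connections; it is not a connection to a remote host.

# Constructed sample of `sudo netstat -antp` output (illustrative values only).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp        0      0 10.137.2.9:51514        203.0.113.10:443        ESTABLISHED 700/curl
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
tcp6       0      0 ::1:631                 :::*                    LISTEN      412/cupsd
tcp6       0      0 :::8082                 :::*                    LISTEN      655/python3'

# classify_v6_listeners: read netstat output on stdin and print one line per
# tcp6 listener: "<port> <scope> <program> <holder>".
#   scope : all-interfaces (bound to ::), loopback-only (::1), single-address
#   holder: pid1-socket-unit when PID 1 owns the socket (typically systemd
#           holding it for a .socket unit; `systemctl list-sockets` names it),
#           daemon otherwise, unknown when netstat ran without root
classify_v6_listeners() {
    awk '
    $1 == "tcp6" && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]                       # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)

        if (host == "::")       scope = "all-interfaces"
        else if (host == "::1") scope = "loopback-only"
        else                    scope = "single-address"

        if ($7 == "-" || $7 == "") {          # no -p data (not run as root)
            prog = "unknown"; holder = "unknown"
        } else {
            split($7, own, "/")
            prog = own[2]
            holder = (own[1] == "1") ? "pid1-socket-unit" : "daemon"
        }
        print port, scope, prog, holder
    }'
}

# exposed_v6_ports: only the ports bound to every interface, i.e. the rows
# worth closing or firewalling first. Output is one space-separated line.
exposed_v6_ports() {
    classify_v6_listeners \
        | awk '$2 == "all-interfaces" { print $1 }' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_v6_listeners
```

On a live template, pipe `sudo netstat -antp` into `classify_v6_listeners` instead of the sample.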


[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-20 Thread nishiwaka46
Yes, my script is already posted here. I was implying sh shebang, as we're 
talking about a file that contains it before any changes done. But thanks for 
checking.



[qubes-users] Re: rc.local iptables persistence on reboot

2016-09-19 Thread nishiwaka46
On Sunday, September 18, 2016 at 20:36:53 UTC+2, Connor Page wrote:
> does it start with this?
> #!/bin/sh

Yes



Re: [qubes-users] Can't connect a VPN before Tor

2016-09-14 Thread nishiwaka46
On Wednesday, September 14, 2016 at 05:30:30 UTC+2, 3n7r...@gmail.com wrote:
> On Tuesday, September 13, 2016 at 11:56:53 PM UTC, nishi...@gmail.com wrote:
> > On Saturday, September 10, 2016 at 20:36:38 UTC+2, 3n7r...@gmail.com wrote:
> > > [First, a rant. I hate mailing lists. How am I supposed to attribute 
> > > quotes from earlier posts in the thread not contained in the previous 
> > > post?]
> > > 
> > > nishi:
> > > >Any advice on how to set up Qubes to have a VPN + sys-whonix working 
> > > >together (or VPN + a TorVM proxy) in a good anonymous way would be 
> > > >really appreciated :)
> > > 
> > > As you know, you can either connect to a VPN from a non-Whonix proxyVM or 
> > > set up the VPN directly in the Whonix-Gateway. Both methods have the goal 
> > > of preventing "unintentional" leaks and have the property of 
> > > failing-closed. IMO, since you are using Qubes already, the proxyVM 
> > > method is easier to configure and provides more flexibility. If you're 
> > > short on RAM and/or need to operate multiple Whonix-Gateways with each 
> > > having a separate VPN, you may be better off connecting to the VPN from 
> > > within the Gateway. From a security/anonymity perspective, neither is 
> > > obviously better than the other. A Gateway compromise would most likely 
> > > be game-over in either scenario.
> > > 
> > > Speaking generally, you've got a whole bunch of moving parts. You need to 
> > > troubleshoot by isolating each piece. 
> > > 
> > > **This step reveals that you use Tor. Only proceed if safe to do so.
> > > 
> > > 1. sys-net <- appVM: Do I have general connectivity?
> > > 2. sys-net <- vpn-VM <- appVM: Does my VPN work?
> > > 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
> > > 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
> > > 5. sys-net <- vpn-vm <- whonix-gateway
> > > 
> > > My suggestion is to start with a fresh proxyVM and follow Chris' Qubes 
> > > VPN documentation step by step. (Or take a look at his [git 
> > > repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM 
> > > allows successful connections from the appVM, then it's simply a matter 
> > > of assigning it to the Whonix-Gateway as its netVM. No Whonix-specific 
> > > configuration is necessary since it's all transparent to Whonix.
> > > 
> > > * Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
> > > Whonix-Gateway. I don't remember what the default setting is.
> > > 
> > > * Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but 
> > > it can be carried on UDP, if that makes sense.
> > > 
> > > * Don't add any additional firewalls until you can get this working.
> > > 
> > > 
> > > nishi:
> > > >Which gives in Qubes something a pattern like this one below (I don't 
> > > >know if all firewall VMs are really needed though) :
> > > >
> > > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
> > > >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net
> > > 
> > > Firewalls have limited usefulness as described here: 
> > > https://www.qubes-os.org/doc/data-leaks/
> > > 
> > > rustybird's Corridor can ensure that all traffic goes to a Tor Entry 
> > > Guard (but obviously, can't guarantee that the Entry Guard is 
> > > trustworthy).
> > > 
> > > 
> > > nishi:
> > > >When I purchased a VPN subscription, I saw it as a way to improve 
> > > >anonymity, now I feel it is more a tool to provide security.
> > > 
> > > VPNs don't necessarily improve anonymity OR security. They simply shift 
> > > the trust that you place in your ISP to someone else. That may be good or 
> > > bad.
> > > 
> > > 
> > > Chris:
> > > >Although it's straightforward to get the opposite working (Tor -> VPN ->
> > > >Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
> > > >vpn vm)
> > > 
> > > Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix 
> > > needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the 
> > > netVM for sys-whonix, the resulting traffic is user -> VPN -> Tor -> 
> > > Internet. I may be forgetting something, but I believe both 
> > > configurations work out of the box.
> > 
> > Hello,
> > 
> > Thank you for your answer. Yes I agree with you, the proxyVM is easier to 
> > configure and provides more flexibility. I don't know if you can make your 
> > VPN autostart if you install it inside the whonix gateway, so I rather 
> > prefer to have it directly installed in an AppVM, because I find it is a 
> > great Qubes feature : )
> > 
> > Also as I said directly in the Whonix-forum site, I don't believe building 
> > a fortress in a gateway that will become the main target for hackers is 
> > what will necessarily make us all more secure out there. Whonix or 
> > Qubes are targets right now... You have too many hacking intrusion exploits 
> > nowadays to build a fail-safe system for everyone. If you just type list in 
> > metasploit on kali Linux you know 

Re: [qubes-users] Can't connect a VPN before Tor

2016-09-10 Thread nishiwaka46
On Saturday, September 10, 2016 at 04:57:17 UTC+2, Chris Laprise wrote:
> On 09/08/2016 04:41 AM, nishiwak...@gmail.com wrote:
> > Hello,
> >
> > I am struggling to have VPN work while using it with Tor, I can't have both 
> > work.
> >
> > I tried first to follow Mrs. Rutkowska's tutorial on setting up a clear Tor 
> > proxyVM 
> > https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
> >  but unfortunately I can't make it work.
> >
> > "QUBES_IP=$(xenstore-read qubes_ip)" line doesn't seem to work. If I 
> > replace "(xenstore-read qubes_ip)" with proxyVM's IP then script works but 
> > then I have to set up /etc/tor/torrc to achieve to connect Tor Browser in 
> > another AppVM. I guess this setup is too complicated for me.
> >
> > Then I read whonix documentation 
> > https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor, to 
> > check what I need to do to avoid reinstalling my VPN into a whonix gateway 
> > and just use it as a proxy VM before Tor.
> 
> Although it's straightforward to get the opposite working (Tor -> VPN -> 
> Internet -- just follow the Qubes vpn doc and connect sys-whonix to the 
> vpn vm) there are wrinkles to iron out when getting it to work as you 
> describe.

Indeed it is easier to make it work the other way, but problem is that even if 
I kinda trust my VPN provider, who claims not to keep connection logs, I don't 
like to have my connection go through 1 spot in 1 country (you can create 
multiple openvpn.conf file, but this is not very convenient to use). I guess 
this is irrelevant to look for anonymity with this bottleneck effect. When I 
purchased a VPN subscription, I saw it as a way to improve anonymity, now I 
feel it is more a tool to provide security.

This is also why I put Tor browser as the #1 service to provide anonymity, 
because even if exit nodes might be observed, you still have possibilities to 
improve this aspect setting up bridges, besides Tor was created by the US Navy 
Research Laboratory, it is not a big surprise to me that the US were involved 
in this project. When you're talking about defense of freedom, how could one 
not show great admiration and love for the US. I know you have people to talk 
shit about US policies, that the US fucked up in Vietnam or Iraq, but where 
would be Europe at right now if no young heroic US soldiers to sacrifice their 
lives to defend freedom and help beating nazi rats ? When I see rise of 
nationalism once again in Europe, I am just so ashamed. They don't know what's 
memory, what's bravery. They want another bloody tyrant on one continent in the 
future, they want the end of time ? Fuck this. Welcome the refugees, stop 
hating.

> Since the solution is Tor-specific, probably the best place to start is 
> trying create the whole setup in Whonix-Qubes using the Whonix doc you 
> referenced. The Whonix forum should be able to help you with any 
> specific issues when following their directions.
> 
> Chris

Ok thank you, I'll find out what I can do setting up Whonix. Maybe this will 
fix my issue https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix



[qubes-users] Can't connect a VPN before Tor

2016-09-08 Thread nishiwaka46
Hello,

I am struggling to have VPN work while using it with Tor, I can't have both 
work.

I tried first to follow Mrs. Rutkowska's tutorial on setting up a clear Tor 
proxyVM 
https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
 but unfortunately I can't make it work.

"QUBES_IP=$(xenstore-read qubes_ip)" line doesn't seem to work. If I replace 
"(xenstore-read qubes_ip)" with proxyVM's IP then script works but then I have 
to set up /etc/tor/torrc to achieve to connect Tor Browser in another AppVM. I 
guess this setup is too complicated for me.

Then I read whonix documentation 
https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor, to check 
what I need to do to avoid reinstalling my VPN into a whonix gateway and just 
use it as a proxy VM before Tor.

It says you need to install a VPN firewall into the ProxyVM to avoid leaks in 
case your VPN connection drops but as I have already those 2 lines in 
"/rw/config/qubes-firewall-user-script", I don't feel I have to.
sudo iptables -t mangle -I FORWARD 1 -o eth0 -j DROP
sudo iptables -t mangle -I FORWARD 2 -i eth0 -j DROP

Overall I find quite frustrating not being able to find a clear and simple 
documentation on how to set up on Qubes this configuration, for those concerned 
about anonymity, especially when you can read on whonix document that in ~10-15 
years, all those efforts to maintain your anonymity are going to be quite 
useless with quantum computers haha https://www.whonix.org/wiki/PQCrypto - 
unless you apply recommended procedures and hope Big Brothers will not unify 
further...  :

user => VPN => Tor => internet

Which gives in Qubes something a pattern like this one below (I don't know if 
all firewall VMs are really needed though) :

AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or TorVM-firewall) 
=> sys-whonix (or TorVM) => sys-firewall => sys-net

Any advice on how to set up Qubes to have a VPN + sys-whonix working together 
(or VPN + a TorVM proxy) in a good anonymous way would be really appreciated :)

Regards

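
A way to confirm that the two `qubes-firewall-user-script` rules from the post above are in effect and positioned first, as an added example that is not part of the thread. The rule listings are constructed, and `check_fail_closed`, `tun0` and `vif+` are illustrative names assumed here.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a VPN ProxyVM drops all
# forwarded traffic on its uplink, as the two rules quoted in the post intend.
# Input is the text produced by `sudo iptables -t mangle -S FORWARD`.

# Constructed rule listings (illustrative only).
RULES_GOOD='-P FORWARD ACCEPT
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -i vif+ -o tun0 -j ACCEPT'

# Same intent, but an ACCEPT was inserted ahead of the drops and the
# inbound drop is missing.
RULES_BAD='-P FORWARD ACCEPT
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -o eth0 -j DROP'

# check_fail_closed [uplink]: read `iptables -S` style rules on stdin.
# Prints "fail-closed" and returns 0 only if unconditional DROP rules exist
# for both directions of the uplink and no ACCEPT rule sits ahead of them.
# Conservative on purpose: any earlier ACCEPT is reported for review, even
# one that may not match uplink traffic.
check_fail_closed() {
    awk -v ifc="${1:-eth0}" '
    $1 == "-A" && $2 == "FORWARD" {
        rule = $0
        sub(/^-A FORWARD /, "", rule)
        if (rule == "-o " ifc " -j DROP") { drop_out = 1; next }
        if (rule == "-i " ifc " -j DROP") { drop_in = 1; next }
        if (rule ~ /-j ACCEPT/ && !(drop_out && drop_in)) {
            early = (early == "") ? rule : (early "; " rule)
        }
    }
    END {
        if (!drop_out)   problems = problems " missing-egress-drop"
        if (!drop_in)    problems = problems " missing-ingress-drop"
        if (early != "") problems = problems " accept-before-drop"
        if (problems == "") { print "fail-closed"; exit 0 }
        print "LEAK-POSSIBLE:" problems
        if (early != "") print "  review: " early
        exit 1
    }'
}

# Demo on the constructed listings; the second call is expected to fail.
printf '%s\n' "$RULES_GOOD" | check_fail_closed eth0
printf '%s\n' "$RULES_BAD"  | check_fail_closed eth0 || true
```

The function's exit status makes it usable as a gate in a startup script: a non-zero return means the drop rules are absent or no longer first in the chain.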


Re: [qubes-users] Anonymizing MAC adress through dvm ?

2016-09-02 Thread nishiwaka46
Thank you very much for your support :) I understand better how Qubes handles 
MAC addresses now thanks to you, I was curious about that ^^


[qubes-users] Anonymizing MAC adress through dvm ?

2016-08-25 Thread nishiwaka46
Hello everyone,

I was just wondering if you can apply this documentation 
https://www.qubes-os.org/doc/anonymizing-your-mac-address/ to your disposable 
VM (like if you like to browse the internet being safe, not saving any data but 
also preserving your anonymity, in a way like Tails does).

I tried to apply this on the AppVM-dvm, stopped it, then entered 
"qvm-create-default-dvm nameoftheTemplateVM-on-which-is-based-the-AppVM" in 
dom0, so eventually it would save the configuration on the img on which is 
based the new Disposable VM, but it doesn't seem to work, my interface ID doesn't 
change when I type "/sbin/ifconfig" into the new DispVM.

I guess the problem comes from the fact the TemplateVM creates a symlink to 
/etc/systemd/ to load the service, but as you don't have persistence in dispVM, 
the process fails, but I'm not sure.

If you have an idea on how one could eventually do this, I think it would be a 
great feature (even if it is already really nice to be able to do so on 
standard VMs, problem is when you're paranoid you have to trade off in a way 
between a non anonymous but full secured non persistent model for a more 
anonymous but less secured one, lol)


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
On Monday, 22 August 2016 17:43:35 UTC+2, Andrew David Wong wrote:
> On the contrary, we care greatly about translating the documentation into
> other languages. We're working with Transifex right now to have the
> documentation translated:
> 
> https://github.com/QubesOS/qubes-issues/issues/1452
> 
Ok my bad, I didn't know about this project. Then it is fine, it would help 
people not used to reading English a lot.
>
> We welcome your participation! Michael (CCed) is the main contact with
> Transifex. He may have a better idea about how members of the Qubes community
> like yourself can get involved.
> 
Ok thank you, he can contact me on this email if you want me to help translate 
some pages, no problem. I don't type very fast and I'm not that young, but if 
you lack people to help translate into their native language, I can help.
>
> I didn't mean to suggest that it's immune to criticism. On the contrary,
> constructive criticism is always welcome.
>
Sure, I was just a bit on nerves yesterday, sorry about that.
>
> However, you said, "I don't get why documentation don't address..." I was
> simply explaining why. The documentation is lacking such things because no one
> has contributed them.
>
> I think it's fair to beseech documentation contributors to consider these
> things. But, in the end, it's up to them what knowledge (if any) they will
> contribute.
>  
Good point, I have thought about your answer from yesterday, more rested, and 
just began a course today about TCP/IP networks, the OSI model in 7 layers, to 
understand better how routing works, how packets travel from layer 7 to your 
own switch / bridge ! This is quite interesting, but my attention scattered to 
another one on how to convert decimal numbers into hexadecimal or binary 
numbers ^^
>
I don't know if it's going to be useful, but yes, it was interesting to realize 
an IPv4 address is coded on 32 bits, which is 4 octets, and that 1 octet reaches 
255 maximum in decimal form because it is coded on 8 bits, which is 2^8=256, 
and as you start from 0, you get this number. And that we're going to switch to 
IPv6 because you have only 2^32 numbers available (4.2 billion) and we are 
already 7.3 billion here on Earth ! That's also why I want to host my website 
on my own cpu bc you need energy to make a server work, Earth is dying, who 
cares about my beginner site being unavailable 8-12 hours a day, as long as I 
warn folks when it opens lol. You can also think about Qubes from an ecological 
point of view as it centralizes different OSes and allows you to avoid having 
more computers to preserve data : you save energy.
>
Those numbers make you wonder how unreal it is that in less than 50 years we 
went from 1 bit (0-1), this very simple electric potential difference coding 2 
values, to a world wide web page full of data ^^ I guess we invented aliens to 
communicate with that we didn't find (yet) so far :D Because if you think about 
one typo here, like my little D surrounded by 2 symbols (lol), if you think 
about all character options available in all languages over the whole world for 
those 2 symbols, I wouldn't be surprised if this beast gets so huge that it 
can't hold in 1 octet/1byte/256 options haha (btw in French you add e to "bit", 
you get a D :D). I hope you enjoy my delicate poetry on digits man lol ~
>
P.S. : If quoting you fails again, please excuse me, I don't get how to do it 
properly inside your message :(
>
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
On Monday, 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote: On 
> > 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>  Any help to configure sys-firewall would be also really appreciated.
>  I got this annoying pop-up when I click on "Firewall rules" tab under
>  the sys-firewall proxyVM settings :
>  
>  "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>  
>  You may edit the 'sys-firewall' VM firewall rules, but these will
>  not take any effect until you connect it to a working Firewall VM."
>  
>  Only subject related to this problem I found is this message from
>  Unman on Qubes-users group :
>  
>  "When you configure the firewall rules for a vm those rules are
>  applied ON THE FIREWALL to which the vm is attached. So the error
>  message you get is entirely accurate - your firewall is not attached
>  to a firewall and so the rules cannot be applied. Of course you COULD
>  configure a firewall between the fw and the netvm but the same
>  consideration would apply to THAT fw. There's no reason why you cant
>  configure the fw iptables by hand if you want to: you can use 
>  /rw/config/qubes-firewall-user-script to have these rules applied 
>  automatically."
>  
>  Ok so here's what I understand from this message : this proxyVM 
>  Firewall is probably working but rules don't apply because it is 
>  attached to a NetVM, which don't have any firewall policies by 
>  default.
>  
>  https://www.qubes-os.org/doc/qubes-firewall/ Official documentation 
>  says : "Every VM in Qubes is connected to the network via a
>  FirewallVM, which is used to enforce network-level policies. By
>  default there is one default Firewall VM, but the user is free to
>  create more, if needed."
>  
>  And then you got explanations on how to edit rules in a specific VM
>  for a given domain.
>  
>  So I understand you have to edit rules on a AppVM to open up ports 
>  there, but I mean not everyone running Qubes OS is highly graduated
>  in IT and network routing.
>  
>  I find quite disappointing that the official documentation don't 
>  mention more clearly how to set up the default sys-firewall proxyVM, 
>  like if you are supposed to check either "Deny network access
>  except" or "Allow network access except" button or if that doesn't
>  matter, if those policies won't apply anyway because of this
>  pop-up...
>  
> > 
> > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> >  there.
> > 
> > Suppose you have an AppVM in which you want to enforce specific firewall 
> > rules. You should go into the VM settings for *that VM*, then the "Firewall
> >  rules" tab, then configure your firewall rules there. These firewall
> > rules are then *enforced by* sys-firewall under the hood. Enforcing these
> > rules for other VMs is sys-firewall's raison d'être.
> > 
> > By default, there is only one VM with this job: sys-firewall. Therefore, 
> > there is no other VM that can perform this job *for* sys-firewall. But
> > that's not a problem, because there's usually no reason to specify firewall
> > rules for sys-firewall itself anyway. (Besides, you're free to create as
> > many ProxyVMs as you like and chain them together.)
> > 
> > 
> > Ok, thank you very much for your help. Unfortunately I still have great 
> > difficulties to open up port 443 or 80 on an AppVM.
> > 
> > I have read this comment on another thread from Alex Dubois saying :
> > 
> > "A diagram in the wiki would help people understand.
> > 
> > For now: A packet coming from the outside has a sourceIP of the
> > workstation on the LAN that issued it or the router that routed the packet
> > into your LAN and a destinationIP of your netVM externalIP (probably
> > 192.168.0.x). The NetVM iptables rules are going to transform it to a
> > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> > iptables rule are going to transform it to a packet with a destinationIP
> > of your AppVM (10.137.2.16)."
> > 
> > I completely agree with him, a diagram would really help. I don't get why 
> > documentation don't address the routing basics stuff that isn't really
> > basic for newbies, for random people.
> 
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.
> 
> > I like a lot Qubes, this is an awesome OS, but far too complicated for
> > mister everyone. I am at the point right now where frustration becomes
> > 

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
On Monday, 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.

I would love as well to be able to host a website to share my interest for 
Qubes OS with the world, or at least, with people of my country sharing my own 
language, if you don't mind, because Qubes documentation looks imo like being 
written mostly by native English users that don't seem to care much for 
non-native English users being lost. I would this way really like to 
participate in some translation effort, as I don't necessarily think you can 
enter easily those quite complicated notions with your non-native language.
Qubes documentation being largely a volunteer effort doesn't make it immune to 
criticism, and mine is that people spending this valuable time to share their 
knowledge to make people enter quite long and complicated procedures should 
consider that :
1) Explaining how to do port forwarding without addressing or referring to basic 
knowledge upon this concept leads to frustration, as you necessarily need to 
understand a bit what's going on in order to adapt the procedures.
2) Even if I think people mostly appreciate and are thankful to the Qubes 
community development for the incredible security improvement Qubes OS brings 
to everyone and that makes Qubes OS probably the best OS I know so far, when 
security isolation somehow puts you in a cage where you encounter difficulties 
to communicate with the rest of the world, well that's not the goal per se :p

> Sorry, this is beyond my knowledge. My own use of Qubes (as a regular user)
> has never occasioned the need to port forward to a VM from the outside world.
> Perhaps it's worth appreciating that what you're attempting to do is somewhat
> advanced, and therefore you should not expect it to be extremely simple. In
> any case, I hope someone knowledgeable about networking will chime in to help
> you with this.

No problem, thank you for your help. I hope someone might give me some advice 
on this problem, but I am already trying to learn about iptables, as it looks 
like you can't unblock ports using only Qubes firewall, you have to understand 
these iptables scripts ^^
  
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-22 Thread nishiwaka46
On Monday, 22 August 2016 03:18:07 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> > On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote: On 
> > 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>  Any help to configure sys-firewall would be also really appreciated.
>  I got this annoying pop-up when I click on "Firewall rules" tab under
>  the sys-firewall proxyVM settings :
>  
>  "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>  
>  You may edit the 'sys-firewall' VM firewall rules, but these will
>  not take any effect until you connect it to a working Firewall VM."
>  
>  Only subject related to this problem I found is this message from
>  Unman on Qubes-users group :
>  
>  "When you configure the firewall rules for a vm those rules are
>  applied ON THE FIREWALL to which the vm is attached. So the error
>  message you get is entirely accurate - your firewall is not attached
>  to a firewall and so the rules cannot be applied. Of course you COULD
>  configure a firewall between the fw and the netvm but the same
>  consideration would apply to THAT fw. There's no reason why you cant
>  configure the fw iptables by hand if you want to: you can use 
>  /rw/config/qubes-firewall-user-script to have these rules applied 
>  automatically."
>  
>  Ok so here's what I understand from this message : this proxyVM 
>  Firewall is probably working but rules don't apply because it is 
>  attached to a NetVM, which don't have any firewall policies by 
>  default.
>  
>  https://www.qubes-os.org/doc/qubes-firewall/ Official documentation 
>  says : "Every VM in Qubes is connected to the network via a
>  FirewallVM, which is used to enforce network-level policies. By
>  default there is one default Firewall VM, but the user is free to
>  create more, if needed."
>  
>  And then you got explanations on how to edit rules in a specific VM
>  for a given domain.
>  
>  So I understand you have to edit rules on a AppVM to open up ports 
>  there, but I mean not everyone running Qubes OS is highly graduated
>  in IT and network routing.
>  
>  I find quite disappointing that the official documentation don't 
>  mention more clearly how to set up the default sys-firewall proxyVM, 
>  like if you are supposed to check either "Deny network access
>  except" or "Allow network access except" button or if that doesn't
>  matter, if those policies won't apply anyway because of this
>  pop-up...
>  
> > 
> > Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> >  there.
> > 
> > Suppose you have an AppVM in which you want to enforce specific firewall 
> > rules. You should go into the VM settings for *that VM*, then the "Firewall
> >  rules" tab, then configure your firewall rules there. These firewall
> > rules are then *enforced by* sys-firewall under the hood. Enforcing these
> > rules for other VMs is sys-firewall's raison d'être.
> > 
> > By default, there is only one VM with this job: sys-firewall. Therefore, 
> > there is no other VM that can perform this job *for* sys-firewall. But
> > that's not a problem, because there's usually no reason to specify firewall
> > rules for sys-firewall itself anyway. (Besides, you're free to create as
> > many ProxyVMs as you like and chain them together.)
> > 
> > 
> > Ok, thank you very much for your help. Unfortunately I still have great 
> > difficulties to open up port 443 or 80 on an AppVM.
> > 
> > I have read this comment on another thread from Alex Dubois saying :
> > 
> > "A diagram in the wiki would help people understand.
> > 
> > For now: A packet coming from the outside has a sourceIP of the
> > workstation on the LAN that issued it or the router that routed the packet
> > into your LAN and a destinationIP of your netVM externalIP (probably
> > 192.168.0.x). The NetVM iptables rules are going to transform it to a
> > packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> > iptables rule are going to transform it to a packet with a destinationIP
> > of your AppVM (10.137.2.16)."
> > 
> > I completely agree with him, a diagram would really help. I don't get why 
> > documentation don't address the routing basics stuff that isn't really
> > basic for newbies, for random people.
> 
> The documentation is largely a volunteer effort. I'm afraid we simply don't
> have the workforce to make all necessary and desirable improvements to the
> documentation. We would love it if someone would submit a pull request adding
> such a diagram or, in general, improving that page.
>

I would love as well to be able to host a website to share my interest for 
Qubes OS with the world, or at least, with people of my country sharing my own 

Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-21 Thread nishiwaka46
On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> > Any help to configure sys-firewall would be also really appreciated. I got
> >  this annoying pop-up when I click on "Firewall rules" tab under the 
> > sys-firewall proxyVM settings :
> > 
> > "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
> > 
> > You may edit the 'sys-firewall' VM firewall rules, but these will not take
> >  any effect until you connect it to a working Firewall VM."
> > 
> > Only subject related to this problem I found is this message from Unman on
> >  Qubes-users group :
> > 
> > "When you configure the firewall rules for a vm those rules are applied ON
> >  THE FIREWALL to which the vm is attached. So the error message you get is
> >  entirely accurate - your firewall is not attached to a firewall and so the
> >  rules cannot be applied. Of course you COULD configure a firewall between 
> > the fw and the netvm but the same consideration would apply to THAT fw. 
> > There's no reason why you cant configure the fw iptables by hand if you 
> > want to: you can use /rw/config/qubes-firewall-user-script to have these 
> > rules applied automatically."
> > 
> > Ok so here's what I understand from this message : this proxyVM Firewall is
> > probably working but rules don't apply because it is attached to a NetVM,
> > which don't have any firewall policies by default.
> > 
> > https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says :
> >  "Every VM in Qubes is connected to the network via a FirewallVM, which is
> >  used to enforce network-level policies. By default there is one default 
> > Firewall VM, but the user is free to create more, if needed."
> > 
> > And then you got explanations on how to edit rules in a specific VM for a 
> > given domain.
> > 
> > So I understand you have to edit rules on a AppVM to open up ports there, 
> > but I mean not everyone running Qubes OS is highly graduated in IT and 
> > network routing.
> > 
> > I find quite disappointing that the official documentation don't mention 
> > more clearly how to set up the default sys-firewall proxyVM, like if you 
> > are supposed to check either "Deny network access except" or "Allow network
> > access except" button or if that doesn't matter, if those policies won't
> > apply anyway because of this pop-up...
> > 
> 
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
> there.
> 
> Suppose you have an AppVM in which you want to enforce specific firewall
> rules. You should go into the VM settings for *that VM*, then the "Firewall
> rules" tab, then configure your firewall rules there. These firewall rules are
> then *enforced by* sys-firewall under the hood. Enforcing these rules for
> other VMs is sys-firewall's raison d'être.
> 
> By default, there is only one VM with this job: sys-firewall. Therefore, there
> is no other VM that can perform this job *for* sys-firewall. But that's not a
> problem, because there's usually no reason to specify firewall rules for
> sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
> as you like and chain them together.)
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Ok, thank you very much for your help. Unfortunately I still have great 
difficulties to open up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying :

"A diagram in the wiki would help people understand.

For now:
A packet coming from the outside has a sourceIP of the workstation on the LAN 
that issued it or the router that routed the packet into your LAN and a 
destinationIP of your netVM externalIP (probably 192.168.0.x).
The NetVM iptables rules are going to transform it to a packet with a 
destinationIP of your firewallVM (10.137.1.5).
The firewallVM iptables rule are going to transform it to a packet with a 
destinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help.
I don't get why documentation 
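
The two-hop destination rewriting described in the quoted comment, as an added example that is not part of the original message: the script prints the iptables rules each forwarding VM would need and traces how the destination address changes. 10.137.1.5 and 10.137.2.16 are the addresses given in the thread; 192.168.0.10 is a constructed stand-in for "192.168.0.x", and eth0 as each VM's ingress interface, the FORWARD insert position and the function names are assumptions.

```shell
#!/bin/sh
# Hop table. Columns: VM, ingress interface, address the packet arrives for,
# address it is rewritten to. 192.168.0.10 is constructed; eth0 is assumed.
HOPS='sys-net eth0 192.168.0.10 10.137.1.5
sys-firewall eth0 10.137.1.5 10.137.2.16'

# Print (do not run) the rules each forwarding VM needs for PROTO/PORT:
# a nat PREROUTING rule that rewrites the destination, and a filter FORWARD
# rule that lets the rewritten packet through to the next hop.
forward_rules() {
    proto=$1
    port=$2
    printf '%s\n' "$HOPS" | while read -r vm ifc arrive_ip next_ip; do
        printf '# run in %s\n' "$vm"
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$ifc" "$proto" "$arrive_ip" "$port" "$next_ip"
        printf 'iptables -I FORWARD 1 -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$ifc" "$proto" "$next_ip" "$port"
    done
}

# Follow a destination address through the hop table, the way an inbound
# packet is rewritten, and print the chain of destinations it takes.
trace_destination() {
    dst=$1
    path=$dst
    while :; do
        next=$(printf '%s\n' "$HOPS" | awk -v d="$dst" '$3 == d { print $4; exit }')
        [ -n "$next" ] || break
        dst=$next
        path="$path -> $dst"
    done
    printf '%s\n' "$path"
}

forward_rules tcp 443
trace_destination 192.168.0.10
```

The FORWARD rule matches the already rewritten destination because nat PREROUTING runs before the filter table sees the packet; /rw/config/qubes-firewall-user-script, named in the thread, is where such rules would be placed to be applied automatically.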

[qubes-users] Re: Problem on port forwarding to a VM from the outside world

2016-08-21 Thread nishiwaka46
Any help to configure sys-firewall would be also really appreciated. I got this 
annoying pop-up when I click on "Firewall rules" tab under the sys-firewall 
proxyVM settings :

"The 'sys-firewall' AppVM is not network connected to a FirewallVM!

You may edit the 'sys-firewall' VM firewall rules, but these will not take any 
effect until you connect it to a working Firewall VM."

Only subject related to this problem I found is this message from Unman on 
Qubes-users group :

"When you configure the firewall rules for a vm those rules are applied ON THE 
FIREWALL to which the vm is attached. So the error message you get is entirely 
accurate - your firewall is not attached to a firewall and so the rules cannot 
be applied. Of course you COULD configure a firewall between the fw and the 
netvm but the same consideration would apply to THAT fw.
There's no reason why you can't configure the fw iptables by hand if you want 
to: you can use /rw/config/qubes-firewall-user-script to have these rules 
applied automatically."

Ok so here's what I understand from this message : this proxyVM Firewall is 
probably working but rules don't apply because it is attached to a NetVM, which 
doesn't have any firewall policies by default.

https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : 
"Every VM in Qubes is connected to the network via a FirewallVM, which is used 
to enforce network-level policies. By default there is one default Firewall VM, 
but the user is free to create more, if needed."

And then you got explanations on how to edit rules in a specific VM for a given 
domain.

So I understand you have to edit rules on an AppVM to open up ports there, but 
I mean not everyone running Qubes OS is highly graduated in IT and network 
routing.

I find it quite disappointing that the official documentation doesn't mention 
more clearly how to set up the default sys-firewall proxyVM, like if you are 
supposed to check either "Deny network access except" or "Allow network access 
except" button or if that doesn't matter, if those policies won't apply anyway 
because of this pop-up...
