Re: [qubes-users] Possible to add second interface to sys-firewall?

2017-10-06 Thread Mike Keehan
On Fri, 6 Oct 2017 10:20:18 -0400
Ed wrote:

> What I would like to do is add a second IP to both sys-firewall and
> sys-net so that I can NAT traffic from one of my VMs in/out through
> these IPs.  So what I end up with is two IPs on sys-net, one
> handling all the traffic for most of my VMs, the other handling
> traffic for one specific VM.  This way I can do additional firewall
> restrictions on this VM in my networks.
> 
> If I manually add the IP addresses to sys-net and sys-firewall,
> manually add the destination NAT and source NAT rules to both as
> well, then manually add a route in sys-net, and also force another
> rule into the iptables raw table on sys-net (to override a rule added
> by /etc/xen/scripts/vif-route-qubes which restricts all incoming
> traffic from sys-firewall to the IP assigned by Qubes to the default
> interface), then I'm able to make this work.
> 
> However, this is very finicky and totally unscriptable in this 
> configuration, and I'd really like this to be something auto
> configured on boot.
> 
> I've looked and looked and don't see where I can add a second interface
> definition to any config files.  If I manually edit the Xen
> sys-firewall.conf file it just gets overwritten by Qubes.  I can do
> all the iptables rules I need in the /rw/config scripts, but what I
> really need is for sys-firewall to add another virtual interface for
> me.
> 
> I tried running: sudo xl network-attach sys-firewall
> script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10
> backend=sys-net.  This will add the interface and set up sys-net with
> the correct routes and rules, HOWEVER, the interface that it adds to
> sys-firewall has the same IP as the existing interface, which breaks
> all the traffic going out of sys-firewall.
> 
> Has anyone ever had any success doing something like this?
> 
> Any suggestions out there?
> 
> Thanks,
> Ed
> 

Wouldn't it be possible to add a second Firewall VM to be used solely
by your special single vm?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171006171022.71d8c133.mike%40keehan.net.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Possible to add second interface to sys-firewall?

2017-10-06 Thread Ed
What I would like to do is add a second IP to both sys-firewall and
sys-net so that I can NAT traffic from one of my VMs in/out through
these IPs.  So what I end up with is two IPs on sys-net, one handling
all the traffic for most of my VMs, the other handling traffic for one
specific VM.  This way I can do additional firewall restrictions on this
VM in my networks.


If I manually add the IP addresses to sys-net and sys-firewall, manually
add the destination NAT and source NAT rules to both as well, then
manually add a route in sys-net, and also force another rule into the
iptables raw table on sys-net (to override a rule added by
/etc/xen/scripts/vif-route-qubes which restricts all incoming traffic
from sys-firewall to the IP assigned by Qubes to the default interface),
then I'm able to make this work.


However, this is very finicky and totally unscriptable in this 
configuration, and I'd really like this to be something auto configured 
on boot.


I've looked and looked and don't see where I can add a second interface
definition to any config files.  If I manually edit the Xen
sys-firewall.conf file it just gets overwritten by Qubes.  I can do all
the iptables rules I need in the /rw/config scripts, but what I really
need is for sys-firewall to add another virtual interface for me.


I tried running: sudo xl network-attach sys-firewall
script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net.
This will add the interface and set up sys-net with the correct routes
and rules, HOWEVER, the interface that it adds to sys-firewall has the
same IP as the existing interface, which breaks all the traffic going out
of sys-firewall.


Has anyone ever had any success doing something like this?

Any suggestions out there?

Thanks,
Ed

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/or83er%24efc%241%40blaine.gmane.org.
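The sys-net half of the manual setup Ed describes (second external address, a route for the second IP toward sys-firewall, a narrow raw-table rule ahead of the vif-route-qubes anti-spoofing DROP, and the DNAT/SNAT pair), collected into one boot-time script for /rw/config/rc.local. This is an added example, not code from the thread or from Qubes; the uplink name, the vif name facing sys-firewall, the external address 192.0.2.10 and its netmask are assumptions, and the matching rules inside sys-firewall are not covered.

```shell
# Added example for sys-net's /rw/config/rc.local (assumed location).
# Set DRY_RUN=1 to print the commands instead of running them, so the
# resulting rule set can be reviewed before it touches the live firewall.

SEC_IP="10.150.10.10"   # second IP carried by sys-firewall (from the post)
UPLINK="eth0"           # sys-net's external interface (assumption)
FW_VIF="vif2.0"         # sys-net's vif toward sys-firewall (assumption)
EXT_IP="192.0.2.10"     # second address on the uplink (constructed)
EXT_MASK="24"           # netmask of the uplink network (assumption)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_second_path() {
    # 1. Second address on the uplink.
    run ip addr add "$EXT_IP/$EXT_MASK" dev "$UPLINK"
    # 2. Route the secondary IP to sys-firewall over its vif.
    run ip route add "$SEC_IP/32" dev "$FW_VIF"
    # 3. vif-route-qubes drops traffic from this vif that is not sourced
    #    from the IP Qubes assigned. Admit only the one extra address on
    #    this one vif instead of loosening the anti-spoofing check. If the
    #    hotplug script runs after this file and inserts its DROP above,
    #    this ACCEPT has to be re-inserted afterwards (ordering caveat).
    run iptables -t raw -I PREROUTING -i "$FW_VIF" -s "$SEC_IP" -j ACCEPT
    # 4. Inbound: second external address -> sys-firewall's second IP.
    run iptables -t nat -A PREROUTING -i "$UPLINK" -d "$EXT_IP" \
        -j DNAT --to-destination "$SEC_IP"
    # 5. Outbound: traffic from the second IP leaves via the second address.
    run iptables -t nat -A POSTROUTING -o "$UPLINK" -s "$SEC_IP" \
        -j SNAT --to-source "$EXT_IP"
}

# Apply (root required unless DRY_RUN=1).
setup_second_path
```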