Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access
Thank you for the reply Unman. You might be right about them never having internet access. Because dnf & yum works, i think i assumed the internet work. The reason i actually found this issues, was because i was ping testing, trying to solve a problem i was having setting up a VPN ProxyVM. (See this thread i just posted) https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg When i found the templates couldnt ping the internet, it sent me down this path trying to trouble shoot. I can still dnf yum etc now even while on sys-firewall. So we can consider this "issue" solved. Thank you Unman & Drew. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c56c6ad4-87d4-4bdf-9590-a2ddcb6dd00d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access
On Wed, Nov 09, 2016 at 03:00:13AM -0800, SEC Tester wrote: > Hey Drew, Cheers for the reply. > > It wasn't possible to 100% follow your instructions; > > In "Global settings" it doesn't seem possible to set the default "netVM" to > "none". It only lists choices of netVM or ProxyVMs. I left it set to > "sys-firewall". > > I followed the rest of your instructions. Deleted the sys-net VM, created a > new one. > > re-assigned the network adapter with qvm-pci -a > > when setting sys-net as default netVM, the templates can ping the Internet. > BUT shouldnt i keep everything proxied through sys-firewall? > > Or is there some reason the templates cant go through the sys-firewall? and > must go through sys-net? > > It seems more clear at this point the sys-firewall is responsible for > stopping the templates internet. But i dont know why? > > I could set the template netVM to sys-net, but would prefer to solve this if > possible? > > Look forward to your reply. > I think that you should look at the docs - in particular this page: https://www.qubes-os.org/doc/software-update-vm/ and check the sections on "allowing networking for software update" and "Updates proxy". By default templates are prohibited from accessing the internet except via the update proxy. This is a security measure. If a template is compromised then all qubes based on it will be compromised. The default setup is a small step toward providing some protection. It restricts access from a template to the update proxy service running on the upstream proxyVM, in your case sys-firewall. Drew's advice addresses another issue - not yours. I don't believe that the templates would ever have had internet access. You say that you need internet access to install software: you can either temporarily allow access as detailed on the above page - not advisable because of a bug that doesn't then reset the firewall rules, so "temporarily" is a complete misnomer - OR access the software source in a qube and then copy it across to the template. Perhaps I've misunderstood your problem. If so, apologies. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20161109113650.GA27762%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
Hey Drew, Cheers for the reply. It wasn't possible to 100% follow your instructions; In "Global settings" it doesn't seem possible to set the default "netVM" to "none". It only lists choices of netVM or ProxyVMs. I left it set to "sys-firewall". I followed the rest of your instructions. Deleted the sys-net VM, created a new one. re-assigned the network adapter with qvm-pci -a when setting sys-net as default netVM, the templates can ping the Internet. BUT shouldnt i keep everything proxied through sys-firewall? Or is there some reason the templates cant go through the sys-firewall? and must go through sys-net? It seems more clear at this point the sys-firewall is responsible for stopping the templates internet. But i dont know why? I could set the template netVM to sys-net, but would prefer to solve this if possible? Look forward to your reply. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a91ef7ff-6f92-450b-bf7c-7c7685db8338%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
On Wednesday, 9 November 2016 15:47:45 UTC+11, SEC Tester wrote: > UPDATE: > > I just ran qvm-revert-template-changes fedora-23 > > Unfortunately still not able to ping out to the internet from templateVM. > > Could sys-firewall config be causing this? I havent even played with those > settings tho. And don't forget to re-assign the NIC to the NetVM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/855979b3-26f8-460a-a077-765e1e1ac68d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
On Wednesday, 9 November 2016 15:47:45 UTC+11, SEC Tester wrote: > UPDATE: > > I just ran qvm-revert-template-changes fedora-23 > > Unfortunately still not able to ping out to the internet from templateVM. > > Could sys-firewall config be causing this? I havent even played with those > settings tho. There are different things that can cause this. At some points, just re-creating the NetVM will cure the issue. So in global settings, set there to be no default NetVM. Then unset the NetVM from any Guests. Then delete it and re-create it. Then reassign it as default. That cures mine WHEN it happens, which is rare to see any more, but it does happen. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/520c31ea-69ae-4666-b747-a9e78a89fc5a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
UPDATE: I just ran qvm-revert-template-changes fedora-23 Unfortunately still not able to ping out to the internet from templateVM. Could sys-firewall config be causing this? I havent even played with those settings tho. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/271a254c-3d9d-4949-b84e-7384f25bab58%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
