Re: [qubes-users] is it possible to have two sys-net for one firewall vm?

2019-07-26 Thread unman
On Mon, Jul 22, 2019 at 11:40:54PM -0700, alain.cor...@gmail.com wrote:
> Hello Unman,
> Thanks for your answer.
> Yes it is in fact to separate traffic. It is a security requirement.
> I have different use cases in my project, others including port forwarding,
> DNAT and filter iptables, for that it's OK.
> But when I want to create 2 sys-net for 1 firewall, the second sys-net doesn't
> have a vif interface and so I can't reach it from the firewall.
> Is there a solution to add a vif interface manually?
> Thanks 
> alain
> On Monday, 22 July 2019 at 17:44:11 UTC+2, unman wrote:
> >
> > On Mon, Jul 22, 2019 at 07:51:32AM -0700, alain...@gmail.com wrote:
> > > hello,
> > > I use Qubes-os 4 on a computer which provides 2 ethernet interfaces. For my
> > > project I need to separate these 2 interfaces (sys-net1, sys-net2). But I
> > > have to use only 1 firewall on which the 2 sys-net would be linked.
> > > Is it possible?
> > > I don't find the solution for the moment. One of these 2 sys-net is created
> > > without vif interface...
> > > Thanks a lot! 
> > > Alain 
> > > 
> >
> > hello Alain 
> >
> > Can you explain why you only want to have one sys-firewall? It would be 
> > much cleaner to separate the traffic completely. 
> >
> > It *is* possible to do what you want, but you need to play with the Qubes 
> > networking model, and manipulate NAT and routing on the sys-firewall. 
> > In particular, you will need to attach sys-net2 as a client to 
> > sys-firewall, and follow the procedures for allowing inter qube traffic. 
> >
> > I've posted on this before. If you need some pointers, give some 
> > more detail on your setup and needs, (and level of knowledge), and I'll 
> > try to help. 
> >
> > unman 

Hello Alain,

Please don't top post.

What you can do is this:

Net1-sys-net1
         |
    sys-firewall
       |       |
Net2-sys-net2  qube

sys-net2 has sys-firewall as netvm.
Attach NIC to sys-net2.

On sys-firewall you put custom rules that allow traffic between qube and
sys-net2.
You also need to set routing correctly, modify raw table to allow
inbound traffic from Net2 on the sys-net2 vif.
If done right no configuration is needed on client qubes.
(You will, of course, need nat and filter rules on sys-net2 also.)

I do this to use openBSD HVMs as netVMs, and it works fine.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190726135054.qt6xwonon3th42da%40thirdeyesecurity.org.
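
Added example (not part of unman's message and not Qubes project code): a dry-run generator for the sys-firewall side of the layout unman describes, printing the route, the raw-table exception and the forward rule, each scoped to one qube, one vif and one subnet. The IP addresses, the vif name, the Net2 subnet, the function names and the exact rule shapes are assumptions; iptables is used as on the Qubes 4 release discussed in the thread.

```shell
#!/bin/sh
# Emits (does not apply) sys-firewall rules for: qube -> sys-firewall -> sys-net2 -> Net2.
# All addresses and the vif name below are constructed placeholders.

# Refuse arguments that would widen the exceptions beyond one qube,
# one vif and one subnet.
valid_args() {
    case "$1" in */*|'') return 1 ;; esac                   # qube must be a single IP
    case "$2" in vif[0-9]*.[0-9]*) ;; *) return 1 ;; esac   # no "vif+" wildcard
    case "$3" in 0.0.0.0/*|*/0|'') return 1 ;; esac         # no catch-all subnet
    case "$3" in */*) ;; *) return 1 ;; esac                # must be CIDR
    return 0
}

# net2_rules QUBE_IP SYSNET2_VIF SYSNET2_IP NET2_CIDR
net2_rules() {
    qube=$1 vif=$2 gw=$3 net2=$4
    valid_args "$qube" "$vif" "$net2" || {
        echo "refusing: arguments too broad or malformed" >&2
        return 1
    }
    cat <<EOF
# routing: reach Net2 through sys-net2 (assumes a host route to $gw on $vif)
ip route replace $net2 via $gw dev $vif
# raw table: accept Net2 source addresses, but only on sys-net2's vif
iptables -t raw -I PREROUTING -i $vif -s $net2 -j ACCEPT
# filter: let this one qube open connections towards Net2; replies are
# assumed to match the ruleset's existing conntrack ESTABLISHED accept
iptables -I FORWARD 2 -s $qube -d $net2 -o $vif -j ACCEPT
EOF
}

# Constructed sample values; the vif name changes when sys-net2 restarts,
# so look it up at run time before applying anything.
net2_rules 10.137.0.30 vif12.0 10.137.0.20 192.168.2.0/24
```

Review the printed commands before running them on sys-firewall; the NAT and filter rules on sys-net2 that the message mentions are not covered here.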


Re: [qubes-users] is it possible to have two sys-net for one firewall vm?

2019-07-23 Thread alain . cordat
Hello Unman,
Thanks for your answer.
Yes it is in fact to separate traffic. It is a security requirement.
I have different use cases in my project, others including port forwarding,
DNAT and filter iptables, for that it's OK.
But when I want to create 2 sys-net for 1 firewall, the second sys-net doesn't
have a vif interface and so I can't reach it from the firewall.
Is there a solution to add a vif interface manually?
Thanks 
alain
On Monday, 22 July 2019 at 17:44:11 UTC+2, unman wrote:
>
> On Mon, Jul 22, 2019 at 07:51:32AM -0700, alain...@gmail.com wrote:
> > hello,
> > I use Qubes-os 4 on a computer which provides 2 ethernet interfaces. For my
> > project I need to separate these 2 interfaces (sys-net1, sys-net2). But I
> > have to use only 1 firewall on which the 2 sys-net would be linked.
> > Is it possible?
> > I don't find the solution for the moment. One of these 2 sys-net is created
> > without vif interface...
> > Thanks a lot! 
> > Alain 
> > 
>
> hello Alain 
>
> Can you explain why you only want to have one sys-firewall? It would be 
> much cleaner to separate the traffic completely. 
>
> It *is* possible to do what you want, but you need to play with the Qubes 
> networking model, and manipulate NAT and routing on the sys-firewall. 
> In particular, you will need to attach sys-net2 as a client to 
> sys-firewall, and follow the procedures for allowing inter qube traffic. 
>
> I've posted on this before. If you need some pointers, give some 
> more detail on your setup and needs, (and level of knowledge), and I'll 
> try to help. 
>
> unman 
>



Re: [qubes-users] is it possible to have two sys-net for one firewall vm?

2019-07-22 Thread unman
On Mon, Jul 22, 2019 at 07:51:32AM -0700, alain.cor...@gmail.com wrote:
> hello,
> I use Qubes-os 4 on a computer which provides 2 ethernet interfaces. For my
> project I need to separate these 2 interfaces (sys-net1, sys-net2). But I
> have to use only 1 firewall on which the 2 sys-net would be linked.
> Is it possible?
> I don't find the solution for the moment. One of these 2 sys-net is created 
> without vif interface...
> Thanks a lot!
> Alain
> 

hello Alain

Can you explain why you only want to have one sys-firewall? It would be
much cleaner to separate the traffic completely.

It *is* possible to do what you want, but you need to play with the Qubes
networking model, and manipulate NAT and routing on the sys-firewall.
In particular, you will need to attach sys-net2 as a client to
sys-firewall, and follow the procedures for allowing inter qube traffic.

I've posted on this before. If you need some pointers, give some
more detail on your setup and needs, (and level of knowledge), and I'll
try to help.

unman



[qubes-users] is it possible to have two sys-net for one firewall vm?

2019-07-22 Thread alain . cordat
hello,
I use Qubes-os 4 on a computer which provides 2 ethernet interfaces. For my
project I need to separate these 2 interfaces (sys-net1, sys-net2). But I
have to use only 1 firewall on which the 2 sys-net would be linked.
Is it possible?
I don't find the solution for the moment. One of these 2 sys-net is created 
without vif interface...
Thanks a lot!
Alain
