Re: [qubes-users] I can't disable ipv6 on Debian Template
"An agenda against Qubes goal". Lol, that would been really arrogant because I joined Linux only 3 months ago and I have everything to learn. But if you want to talk about what Qubes provides, I have my opinion on the subject : Qubes greatest innovation is kinda making business of privacy rights, you can either consider it as a very offensive hacking tool platform, a Kali Linux best ally, a weapon which imo can do more harm than good, either a noob trap. That's obviously not the way I want the Internet to evolve, if you don't mind. As if posting here with this very friendly PRISM data collection provided by Google would make Qubes community trustworthy. What a joke. If M. Snowden would have used Qubes instead of Tails to make his revelations to everyone about global surveillance, he would probably be in jail right now. I guess vast majority of folks shocked about what his revelations showed would be really unhappy about that. So for people really considering privacy rights in an opened and a good manner way, you have Tails, and when it's time to discuss about security by default on a fresh new system, you have OpenBSD. Rest is just business and making profits under a license you currently don't own. Richard Stallman would be proud. Also when you can read on the Whonix FAQ https://www.whonix.org/wiki/FAQ#Why_aren.27t_you_using_OpenBSD.2C_it.27s_the_most_secure_OS_ever.21.21.211.21 this very arrogant statement "There is now Qubes OS, OpenBSD lacks such innovative security improvements, which claims.", you got another big joke right there. What makes the Internet still a little bit secured right now is coming directly from MIT and Unixmen that developed OpenSSH. I guess showing more respect for an OS that has been compromised like 2 times in 20 years and which policies are what the Internet world needs might help. But yeah, you can think of the Internet as a battleground, I don't really mind, it's not the way I see it. You have people concerned about building inoffensive fortresses or shields, to make sure Internet stays what it was at the very beginning (a space to provide educational content, to share ideas in a peaceful way) and you have people that use it as if it was a weapon. What a shame. So long Qubes. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f6121585-274a-462e-908c-a847c100561c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
> Really ? No one to find also suspicious a wild init/1 tcp6 port listening > on your templateVM, right out of the box ? This got to be real. ... > I am answering you on my phone just because it seems my old Qubes deleted > partition doesn't like very much my USB key to runs over it, for some > reason. And this is pissing me off. ... > So let me rephrase : how do you completely remove Qubes OS from your hard > drive so that eventually it might still accept another OS install ? Fuck > this shit. ... > Btw on any decent OS you can clear your own partitions on installation > window and refresh your own disk without installing the OS. On Qubes you > can't. You are supposed to run the install to do so. And it seems the > install fucks your hardware next -.- ... Ummm, I think I'm tending to agree with Unman's suspicions: > and I wonder if it's a troll anyway, when I look at some of the > later comments. I deem thee a troll. An angry, foul-mouthed troll. Or someone who has an agenda against Qubes' goals. Either that, or you're in way over your head technology-wise and don't have the patience to work through it, even with a community trying to help you. I might suggest you go install Windows (or buy a tablet) and take out your anger elsewhere. Cheers JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4144e1e93b958945a74aedbb99685c7f.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
Hey, Really ? No one to find also suspicious a wild init/1 tcp6 port listening on your templateVM, right out of the box ? This got to be real. I am still interested in your solutions to quit Qubes OS and have another OS being able to run on my USB key and be installed, if you don't mind. I am answering you on my phone just because it seems my old Qubes deleted partition doesn't like very much my USB key to runs over it, for some reason. And this is pissing me off. So let me rephrase : how do you completely remove Qubes OS from your hard drive so that eventually it might still accept another OS install ? Fuck this shit. Btw on any decent OS you can clear your own partitions on installation window and refresh your own disk without installing the OS. On Qubes you can't. You are supposed to run the install to do so. And it seems the install fucks your hardware next -.- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4187ae87-4afc-437f-b26f-cf793b7f7f60%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
> What does "systemctl list-sockets" show? Any services that systemd is
> providing a listener for should be listed here.
If you do spot a network socket service in that listing, you can stop the
current service with "systemctl stop blah.socket", and disable it in the
future (next reboot or VM restart) with "systemctl disable blah.socket".
There's always the potential that it could be re-enabled in the future by
installing another package dependent upon that service. (That's bitten me
a couple of times.)
To block that from potentially happening, use "systemctl mask blah.socket"
and the service will stay off regardless of new dependencies.
("systemctl unmask" undoes the blocking. Go figure.)
Oh yeah, to have those commands truly "stick," you should run them from
the template, not the AppVM.
Slight digression (from JJ, no way?!?!?): There's a few config things like
this (e.g. /etc/fstab) that I really think should be (by default) symlinks
to /rw/config, so they could be tweaked on an per-appVM basis. (At risk
of a compromised VM being able to have more lasting hack-related effects
after a restart.)
It's easy enough to do in the template/appvm yourself, of course. e.g.:
# cp /etc/fstab /rw/config/fstab && ln -s /rw/config/fstab /etc/fstab
in the TemplateVM. You could similarly do that with any systemctl config
files that you need different on a per-appVM basis.
Cheers
JJ
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ad4e21c34c3cab74a369f046abeb277b.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
> Thank you guys for your help, but unfortunately I don't think there is a > way to get rid of this process listening on tcp6 on init (systemd... d > standing here for distant...). It is listed as 1 on PID, I don't think you > can't remove it, it is a main process. So I am not interested in using > Qubes anymore because I disapprove those bad policies on respect of > privacy. systemd listens on sockets on behalf of other services (and fires them up when a connection arrives, similar to "inetd" in days of old). What does "systemctl list-sockets" show? Any services that systemd is providing a listener for should be listed here. The configuration files that control such behavior could be shown with: > sudo find /usr/lib/systemd /etc/systemd -name '*.socket' This may also reveal useful information, but the above is probably sufficient: "sudo lsof -i -p 1" Cheers JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d78f57a37c459a66ba5cd74b4154a8c2.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
Hey, Thank you guys for your help, but unfortunately I don't think there is a way to get rid of this process listening on tcp6 on init (systemd... d standing here for distant...). It is listed as 1 on PID, I don't think you can't remove it, it is a main process. So I am not interested in using Qubes anymore because I disapprove those bad policies on respect of privacy. I don't want data to travel from my main template to Qubes servers without my consent and I don't like the fact someone might monitor what I am doing with my Debian template through ipv6. Really disappointing. Tbh at first I liked the fact that Qubes doesn't allow to be installed inside another OS, it looked like a nice security feature, but now that I can't clear completely my hard disk from Qubes hard drive protection, this is really annoying as I can't reinstall another OS on my hard drive. Any help on how to uninstall completely Qubes by removing the hard drive protection would be appreciated. I didn't find a way to do it in documentation. Regards -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a1ca58ae-1237-4663-8e81-f9c3098e4d74%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
> nishiwak...@gmail.com: >> Hello, >> >> I am surprised that there is no way to disable ipv6 on Debian template. >> >> I reinstalled first the template using documentation >> https://www.qubes-os.org/doc/reinstall-template/ >> >> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I >> did reboot the Template but it didn't change the outcome, I still had >> ipv6 ports opened using "netstat -antp" Did you try this: https://superuser.com/questions/575684/how-to-disable-ipv6-on-a-specific-interface-in-linux In /etc/sysconfig/network: NETWORKING_IPV6=no IPV6_AUTOCONF=no -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/409aa096350a6e082e11e79198ec.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
nishiwak...@gmail.com: > Hello, > > I am surprised that there is no way to disable ipv6 on Debian template. > > I reinstalled first the template using documentation > https://www.qubes-os.org/doc/reinstall-template/ > > Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I did > reboot the Template but it didn't change the outcome, I still had ipv6 ports > opened using "netstat -antp" > > I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but I > still got those distant servers listening when I check using commands like > "sudo lsof -i6" or "netstat -antp" on my Debian Template. > > What is rpcbind, avahi-dae and why you got this ipv6 bound to systemd on PID > 1 ? Looks suspicious, I thought Ipv6 was disabled by default on Qubes. > > Regards > "all" never worked for me. Disable each interface separately as documented here: https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6 `netstat -anltp` shows ports that are (L)istening. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5e1f765f-ee22-1752-69fc-6ff0f4e8c2d9%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I can't disable ipv6 on Debian Template
> I am surprised that there is no way to disable ipv6 on Debian template.
>
> I reinstalled first the template using documentation
> https://www.qubes-os.org/doc/reinstall-template/
>
> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I
> did reboot the Template but it didn't change the outcome, I still had ipv6
> ports opened using "netstat -antp"
>
> I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but
> I still got those distant servers listening when I check using commands
> like "sudo lsof -i6" or "netstat -antp" on my Debian Template.
I agree that IPV6 shouldn't be used; IPV4 works, and is simpler, and thus
potentially less vulnerable (less attack surface, yadda, yaada.) While
IPV6 isn't necessarily new, it still seems a bit "mysterious" to me. It's
certainly more complex, and complexity is no friend of security.
Why not just disable IPV6 ("ignore") in the Network Manager (in sys-net,
displayed on the taskbar in dom0, next to the Qubes Manager icon)?
If sys-net/NetworkManager has ipv6 disabled, no VM is going to get any
IPV6 packets through.
> What is rpcbind, avahi-dae
I also agree that avahi shouldn't be enabled. It is one of the first
things I disable in Qubes. It's a zeroconf/Bounjour thing. Not needed,
and more attack surface.
rpcbind is a portmapper thing, useful for NFS, and I'm not sure what else,
really. Another thing I also disable. (Probably like you, for security
reasons, I don't like seeing anything listening when I do a netstat.)
Also, this:
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
I should note that due to a lot of hacking/harassment, I'm a bit more
paranoid than your typical user.
While it's probably innocent, seeing things like this enabled by default
in a system always make me a bit less trusting of such a system; has an
NSA-tampering feeling to it. :)
(Similar to audio/pulseaudio enabled in sys-net/sys-firewall, the apparmor
extra-profiles not being included in Tails for some bizarre reason, and
the like.)
exim4, I believe, was also enabled by default in fedora-23/debian-8, which
makes little sense. If you want a mail server, set up a mail server,
don't have them running in every VM by default.
(As I mentioned in another post, I think there's an outstanding ticket to
eliminate unnecessary systemctl services in the debian and fedora
templates.)
> and why you got this ipv6 bound to systemd on
> PID 1 ? Looks suspicious, I thought Ipv6 was disabled by default on Qubes.
I've seem people diss systemd as being unnecessary complex and obscure,
and thus a bit of a risk for security. However, the dependency management
it provides is very powerful imho, and well worth it.
(I can't help but think the same startup dependency results couldn't have
been achieved with the "make" utility. Probably not quite as elegantly,
but without adding another new utility.)
You say you see ipv6 bound to systemd? Is it listening on a specific port
or anything?
Cheers
JJ
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/dd0a71c1168b8a19068ad1fd4e942a44.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.
