There are two main ways to add firewall rules to a proxyVM: via VM
settings of a downstream VM (appVM), and via a script in the proxyVM
itself at /rw/config/qubes-firewall-user-script.

The former is limited but has a convenient GUI in the VM Settings dialog
(also qvm-firewall). The rules for each appVM get transferred to the
connected proxyVM. (If you are trying to use qvm-firewall to add rules
to the proxyVM and not the appVM, that may be your mistake.)

The second method is very flexible but requires a little study of the
proxyVM's default internal firewall configuration before adding your own
rules in the script.

Another, third way is to have a program like openvpn run a script when
the link goes up.

There are good examples which actually handle DNS addresses in the Qubes
VPN doc[1], the Qubes-vpn-support project[2] and also in the script
found at /usr/lib/qubes/qubes-setup-dnat-to-ns. These scripts use dnat
rules to convert DNS requests to use a particular DNS address, although
in your case you might want to leave '-d' as 'any' instead of specifying
an address.

Note that the second link below is easy to set up and the 'qubes-vpn-ns'
script accepts DHCP-generated variables from openvpn and automatically
uses them to set up dnat.

[1] https://www.qubes-os.org/doc/vpn/
[2] https://github.com/tasket/Qubes-vpn-support/tree/qubes4

--
Chris Laprise,
tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
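
The DNS dnat approach described in the message above, as an added example that is not part of the original post and is not the code of the Qubes scripts it cites: a dry run that reads openvpn's DHCP-generated variables and prints the dnat rules without applying them. The chain name PR-QBS, the vif+ interface match, the function names and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (dry run) the DNS dnat rules for a proxyVM.
# Assumed, not from the post: chain PR-QBS and the vif+ interface match.
NAT_CHAIN="PR-QBS"
DOWNSTREAM_IF="vif+"

# Accept only dotted-quad IPv4 so pushed text never reaches iptables as-is.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Collect DNS addresses from openvpn's foreign_option_N variables
# ("dhcp-option DNS a.b.c.d"), read in sequence starting at 1.
collect_vpn_dns() {
    i=1; dns=""
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        set -f; set -- $opt; set +f   # split on whitespace, no globbing
        if [ "$1" = "dhcp-option" ] && [ "$2" = "DNS" ] && is_ipv4 "$3"; then
            dns="${dns:+$dns }$3"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$dns"
}

# Flush the chain, then dnat every DNS request from downstream VMs.
# No -d match: any destination is rewritten. Rules are checked in order,
# so the first address receives all queries; later ones are never reached.
emit_dns_dnat_rules() {
    echo "iptables -t nat -F $NAT_CHAIN"
    for addr in "$@"; do
        for proto in udp tcp; do
            echo "iptables -t nat -A $NAT_CHAIN -i $DOWNSTREAM_IF -p $proto --dport 53 -j DNAT --to $addr"
        done
    done
}

# Constructed sample of the variables openvpn exports to an up script.
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN example.test"
foreign_option_3="dhcp-option DNS 10.8.0.2"
emit_dns_dnat_rules $(collect_vpn_dns)
```

Review the printed rules against the proxyVM's existing nat table before placing anything like them in /rw/config/qubes-firewall-user-script or an openvpn up script.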