Little pb to understand how to add a FW rule on my proxyVM


ThierryIT

Mar 1, 2018, 3:08:12 AM3/1/18
to qubes-users
Hi,

I have configured the proxyVM with rules for http, https, smtp and ntp.
I have understood that for the DNS (which is not working anymore) I have to use from dom0: qvm-firewall ...

I want to oblige all the VMs to use only "OpenVPN" as DNS.

I did :

qvm-firewall vmname add rule --dns=208.67.222.222 and many other combinations ... It does not accept any of my rules ... Mistakes from my side, but from where?

Second question: is there any possibility to find examples of how to make a proper FW, with rule examples, under Qubes?

Thx

Chris Laprise

Mar 1, 2018, 5:29:30 AM3/1/18
to ThierryIT, qubes-users
There are two main ways to add firewall rules to a proxyVM: Via VM
settings of a downstream VM (appVM), and via a script in the proxyVM
itself at /rw/config/qubes-firewall-user-script.

The former is limited but has a convenient GUI in VM Settings dialog
(also qvm-firewall). The rules for each appVM get transferred to the
connected proxyVM. (If you are trying to use qvm-firewall to add rules
to the proxyVM and not the appVM, that may be your mistake.)

The second method is very flexible but requires a little study of the
proxyVM's default internal firewall configuration before adding your own
rules in the script.

Another, third way is to have a program like openvpn run a script when
the link goes up.

There are good examples which actually handle DNS addresses in the Qubes
VPN doc[1], the Qubes-vpn-support project[2] and also in the script
found at /usr/lib/qubes/qubes-setup-dnat-to-ns. These scripts use dnat
rules to convert DNS requests to use a particular DNS address, although
in your case you might want to leave '-d' as 'any' instead of specifying
an address.

Note that the second link below is easy to set up and the 'qubes-vpn-ns'
script accepts DHCP-generated variables from openvpn and automatically
uses them to set up dnat.


[1] https://www.qubes-os.org/doc/vpn/
[2] https://github.com/tasket/Qubes-vpn-support/tree/qubes4

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

ThierryIT

Mar 1, 2018, 8:32:59 AM3/1/18
to qubes-users
Thx ... I am going to do my homework now :)

Chris Laprise

Mar 1, 2018, 5:27:59 PM3/1/18
to ThierryIT, qubes-users
> Thx ... I am going to do my homework now :)
>

Today's update of Qubes-vpn-support now handles DNS similar to what
you're describing: All DNS requests are redirected to the VPN DNS, but
still allowing for use of a secondary VPN DNS address if one is provided
(e.g. the last pair of rules do not use -d).

If you decide to use it you may not have to research any further.
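Chris's two replies describe the proxyVM-side approach: a /rw/config/qubes-firewall-user-script that uses dnat rules on port 53, with a final pair of rules that leave out '-d' so requests sent to any address are redirected (and a secondary VPN resolver can still be reached). The script below is an added example written for this thread, not code from Chris, the Qubes VPN doc or Qubes-vpn-support; the nat-table chain PR-QBS, the vif+ interface pattern, the resolver addresses and the 10.139.1.x nameserver addresses are assumptions to check against your own proxyVM before use.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): a candidate
# /rw/config/qubes-firewall-user-script that sends every DNS request from
# downstream VMs to the VPN resolver with DNAT. Assumed: the nat chain
# PR-QBS used by the Qubes DNAT scripts, that downstream VMs arrive on
# vif+ interfaces, and the resolver / virtual nameserver addresses below.

VPN_DNS1="${VPN_DNS1:-10.8.0.1}"     # assumed primary resolver pushed by the VPN
VPN_DNS2="${VPN_DNS2:-}"             # optional secondary resolver (may be empty)
QUBES_NS1="${QUBES_NS1:-10.139.1.1}" # assumed: virtual nameservers Qubes hands to
QUBES_NS2="${QUBES_NS2:-10.139.1.2}" # downstream VMs (check /etc/resolv.conf)

# dns_dnat_rules MATCH RESOLVER: print the two iptables commands (udp, tcp)
# that DNAT port-53 traffic destined to MATCH onto RESOLVER. MATCH "any"
# omits the -d test, so the rule catches DNS sent to any address.
dns_dnat_rules() {
    dmatch=""
    [ "$1" = "any" ] || dmatch="-d $1 "
    for proto in udp tcp; do
        printf 'iptables -t nat -A PR-QBS -i vif+ %s-p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$dmatch" "$proto" "$2"
    done
}

# dns_dnat_script PRIMARY [SECONDARY]: the complete rule set. The flush
# comes first because the default PR-QBS rules already match the Qubes
# nameservers and, being earlier in the chain, would win over anything
# appended after them. The catch-all pair at the end has no -d, so DNS
# aimed at a hard-coded resolver inside an app is redirected as well.
dns_dnat_script() {
    echo "iptables -t nat -F PR-QBS"
    if [ -n "$2" ]; then
        dns_dnat_rules "$QUBES_NS1" "$1"
        dns_dnat_rules "$QUBES_NS2" "$2"
    fi
    dns_dnat_rules any "$1"
}

# APPLY=1 installs the rules; the default only prints them for review.
if [ "${APPLY:-0}" = 1 ]; then
    dns_dnat_script "$VPN_DNS1" "$VPN_DNS2" | sh -e
else
    dns_dnat_script "$VPN_DNS1" "$VPN_DNS2"
fi
```

Review the printed rules with `iptables -t nat -L PR-QBS -n` in mind before setting APPLY=1, since an ordering mistake in PR-QBS silently leaves DNS going to the old resolver.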