recreate firewall qube


lik...@gmx.de

May 14, 2021, 10:03:10 AM
to qubes...@googlegroups.com
Hi,

in case I messed up my firewall qube:

1. What's the best way to re-create it with default settings?
2. Since 7 months saltstack states for sys-* were updated to support disposable sys-*: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/sys-firewall.sls
    a) is this part of v4.0.4?
    b) how could I use it if it's part of v4.0.4?

Thanks in advance!
P.

unman

May 14, 2021, 10:29:27 AM
to lik...@gmx.de, qubes...@googlegroups.com
On Fri, May 14, 2021 at 03:02:59PM +0100, lik...@gmx.de wrote:
> Hi,
>
> in case I messed up my firewall qube:
>
> 1. What's the best way to re-create it with default settings?
> 2. Since 7 months saltstack states for sys-* were updated to support disposable sys-*: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/sys-firewall.sls
>     a) is this part of v4.0.4?
>     b) how could I use it if it's part of v4.0.4?
>
> Thanks in advance!
> P.
>

With salt? `qubesctl state.apply qvm.sys-firewall` should do it.

But sys-firewall is just a qube with networking enabled, "provides-network" set to True and
memory 500.

The states for disposable sys-* are in master, not in the 4.0 branch, so
not part of 4.0.4. No reason why you couldn't try backporting it into a
4.0
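
Added example, not code from the thread and not the Qubes salt state unman links to: a dom0 script that rebuilds sys-firewall by hand with the settings listed above (netvm sys-net, provides_network True, memory 500). The label "green", reusing the default template, and treating sys-firewall as the system's default NetVM are assumptions. `qubesctl state.apply qvm.sys-firewall` remains the one-line alternative; this script is for when you want to see, and review, each property before it is set.

```bash
#!/bin/bash
# Added example (not from the thread or from Qubes OS). Rebuilds sys-firewall
# in dom0 with the settings unman lists: netvm = sys-net, provides_network =
# True, memory = 500. Assumptions: label "green", the default template
# (qvm-create uses it when --template is omitted), and that sys-firewall is
# the default NetVM, so default_netvm is parked on sys-net while the qube is
# gone and pointed back afterwards.
set -euo pipefail

NAME="${FW_NAME:-sys-firewall}"
NETVM="${FW_NETVM:-sys-net}"
MEMORY="${FW_MEMORY:-500}"
LABEL="${FW_LABEL:-green}"

# Emit the dom0 commands, one per line, so the plan can be read (or checked)
# before anything runs. Caveats: qvm-remove refuses while any qube still has
# netvm set explicitly to sys-firewall, so repoint those first; and while
# default_netvm is sys-net, qubes that follow the default and are running
# reach the network without the firewall qube in front of them, so shut
# them down first if that matters. Drop the shutdown/remove lines if the
# old qube is already gone.
plan_sys_firewall() {
    local name="$1" netvm="$2" memory="$3" label="$4"
    cat <<EOF
qubes-prefs default_netvm $netvm
qvm-shutdown --wait $name
qvm-remove --force $name
qvm-create --class AppVM --label $label $name
qvm-prefs $name netvm $netvm
qvm-prefs $name provides_network True
qvm-prefs $name memory $memory
qubes-prefs default_netvm $name
EOF
}

# Execute a plan read from stdin, echoing each command first. The plan is
# generated above from fixed strings, so eval sees no untrusted input.
apply_plan() {
    local cmd
    while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        eval "$cmd"
    done
}

# Without --apply only the plan is printed; nothing touches dom0.
if [ "${1:-}" = "--apply" ]; then
    plan_sys_firewall "$NAME" "$NETVM" "$MEMORY" "$LABEL" | apply_plan
else
    plan_sys_firewall "$NAME" "$NETVM" "$MEMORY" "$LABEL"
    printf '\n(dry run: re-run with --apply in dom0 to execute)\n' >&2
fi
```

Run it once without arguments to read the plan, then with `--apply`. FW_NAME, FW_NETVM, FW_MEMORY and FW_LABEL override the defaults, which is enough to rebuild sys-net's downstream with a different template-independent name for testing before touching the real sys-firewall.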


lik...@gmx.de

May 14, 2021, 10:55:56 AM
to qubes...@googlegroups.com

> With salt? `qubesctl state.apply qvm.sys-firewall` should do it.
>
> But sys-firewall is just a qube with networking enabled, "provides-network" set to True and
> memory 500.
>

Ok, maybe there's another issue. Currently I'm not able to expose a port to the outside world (outside my Qubes box), which was working half a year ago but now doesn't:
I've tried these scripts to do it:
- https://github.com/QubesOS/qubes-issues/issues/5693
(https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248)
- https://github.com/QubesOS/qubes-issues/issues/4028
(https://github.com/niccokunzmann/qvm-expose-port)
- https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369

In my VM-to-be-exposed, besides the service I actually want to expose, I used the following:
- python3 -m http.server
- netcat -lv port

Connections in my local network to this AppVM using the IP of my Qubes NetVM all fail with a timeout. If I try to connect from my Qubes box to a simple Ubuntu with an exposed port, it works.

That's why my hypothesis was that I messed up my firewall qube.

Any ideas how I could track down the problem?

unman

May 14, 2021, 11:08:58 AM
to qubes...@googlegroups.com
Have you read https://www.qubes-os.org/doc/firewall ?
What templates are you using for sys-net and sys-firewall?

Start at sys-net - you should have a rule directing inbound traffic to
<port> to sys-firewall.
Open a terminal in sys-net, and observe the counters in PREROUTING and
FORWARD.
Attempt to make a connection - the counters should increment.

Do the same in sys-firewall.
Again, when you try to make a connection, you should see the counters
increment.

Do the same in the target qube. Here you should see the counter
increment in the filter chain.

Stepping down the network chain like this will help you identify where
your problem lies.

lik...@gmx.de

May 16, 2021, 1:34:17 PM
to qubes...@googlegroups.com
On 5/14/21 4:08 PM, unman wrote:
Thanks, these hints helped to find the reason: sleep/suspend somehow messes up sys-net. After restarting it, everything worked. Any idea which service I could restart instead of restarting the whole sys-net? A messed-up wifi adapter I could "repair" with `service wpa_supplicant restart`. But the iptables forward rules created by
only work after a sys-net restart.

unman

May 17, 2021, 8:09:20 AM
to lik...@gmx.de, qubes...@googlegroups.com
I'm not familiar with that script but you **should** be able to rerun it
without harm.
(It should have been written to allow you to do this.)