TEST RESULTS:
Test No1
From fw - ping openFW -- successful
Test No2
ping 8.8.8.8 - use 'iptables -L -nv' to watch traffic in and out. Ping result = "Network was unreachable"
Output from 'iptables -L -nv':
user@fw:~$ sudo iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   30  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0
    4   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 34 packets, 2552 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
I can't see any reference to '-t nat' or '-t raw'. So I double-checked '/rw/config/qubes-firewall-user-script'. Output as follows:
#!/bin/sh
# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is a good place to write own custom
# firewall rules, in addition to autogenerated ones. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) for it to be
# effective.
iptables -I FORWARD -i vif+ -o vif+ -j ACCEPT
iptables -t raw -I PREROUTING -i vif13.0 -j ACCEPT
iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to 9.9.9.9
Test No3
on openFW:
tcpdump -i <iface>
Submitting to you the recorded test data from OpenBSD's xterm is a real problem for a BSD novice like me. I tried and failed with your earlier suggestion, viz. 'you could always have booted the openBSD qube with a USB attached, and transferred the files that way. Like a sneakernet but smaller scale - a fingernet?'
I could summarise the result of tcpdump -i xnf0 as follows (10.137.0.10 = IP of openFW, 10.137.0.11 = IP of fw, 10.64.0.1 is the primary DNS from a router):
10.137.0.10 > 10.137.0.11: icmp: echo request (DF)
arp who-has 10.137.0.11 tell 10.137.0.10
arp reply 10.137.0.11 is-at fe:ff blah blah
10.137.0.10 > 10.137.0.11: icmp: echo reply (DF)
arp who-has 10.64.0.1 tell 10.137.0.1
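As an added example (not part of the post above, and not Qubes OS project code), the script below parses an `iptables -L -nv` listing like the one shown for the fw qube and walks a described packet through a chain rule by rule, the way the kernel's filter table would, so that you can see which rule (or which chain policy) decides its fate. The embedded listing is the post's own output re-joined onto one line per rule; the interface names used in the demo (`eth0` for the upstream side, `vif13.0` for a downstream qube) and the packets themselves are constructed for illustration. Only the match extensions that actually appear in the listing (`ctstate`, `dpt:`) and interface wildcards (`vif+`) are modelled; source/destination are not evaluated because every rule here carries `0.0.0.0/0`, and the nat and raw tables are not represented.

```python
"""Trace a packet through a parsed `iptables -L -nv` listing (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the fw qube's listing from the post, one line per rule.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   30  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0
    4   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 34 packets, 2552 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str          # trailing match options, e.g. "ctstate RELATED,ESTABLISHED"

@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains (they have no policy)
    rules: list

@dataclass
class Packet:
    prot: str                   # "tcp", "udp" or "icmp"
    in_if: str = ""             # empty for locally generated packets (OUTPUT)
    out_if: str = ""            # empty for locally delivered packets (INPUT)
    dport: Optional[int] = None
    ctstate: str = "NEW"        # conntrack state as seen by the ctstate match

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_listing(text: str) -> dict:
    """Turn `iptables -L -nv` output into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), [])
            chains[current.name] = current
            continue
        f = line.split()
        # Skip blank lines, the column header, and anything before the first chain.
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        current.rules.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return chains

def iface_matches(pattern: str, name: str) -> bool:
    """'*' matches anything; a trailing '+' is iptables' prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

def extra_matches(extra: str, pkt: Packet) -> bool:
    """Evaluate the match extensions present in this listing (ctstate, dpt:)."""
    m = re.search(r"ctstate (\S+)", extra)
    if m and pkt.ctstate not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", extra)
    if m and pkt.dport != int(m.group(1)):
        return False
    return True     # "reject-with ..." is a target option, not a match

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.prot in ("all", pkt.prot)
            and iface_matches(rule.in_if, pkt.in_if)
            and iface_matches(rule.out_if, pkt.out_if)
            and extra_matches(rule.extra, pkt))

def trace(chains: dict, chain_name: str, pkt: Packet, path=None):
    """Return (verdict, path). verdict is None when a user chain falls through."""
    path = [] if path is None else path
    chain = chains[chain_name]
    for idx, rule in enumerate(chain.rules, 1):
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{chain_name}#{idx} -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        if rule.target in chains:               # jump into a user-defined chain
            verdict, path = trace(chains, rule.target, pkt, path)
            if verdict is not None:
                return verdict, path            # user chain fell through: keep going
    if chain.policy is not None:                # built-in chain: policy decides
        path.append(f"{chain_name} policy -> {chain.policy}")
        return chain.policy, path
    return None, path

if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    demo = [
        ("ping 8.8.8.8 from fw itself", "OUTPUT", Packet("icmp", out_if="eth0")),
        ("echo request from a vif qube", "INPUT", Packet("icmp", in_if="vif13.0")),
        ("DHCP client traffic from a vif qube", "INPUT", Packet("udp", in_if="vif13.0", dport=68)),
        ("new TCP 443 forwarded vif -> upstream", "FORWARD",
         Packet("tcp", in_if="vif13.0", out_if="eth0", dport=443)),
    ]
    for label, chain, pkt in demo:
        verdict, path = trace(chains, chain, pkt)
        print(f"{label:40s} {verdict:7s} via {' ; '.join(path)}")
```

Run it as-is and the first line of output shows that a locally generated ping leaves through an OUTPUT chain with no rules and an ACCEPT policy, so nothing in this filter table stops it. That is consistent with the error text in Test No2: "Network is unreachable" is returned by the kernel's route lookup, which happens before the OUTPUT hook is reached, whereas a DROP in these chains would show up as ping timeouts and a REJECT as a different error. The FORWARD trace also makes visible that the empty QBS-FORWARD chain is entered and falls straight through, after which the `vif+ -> *` ACCEPT rule from the user script decides.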