Firewall entry limit in Qubes VM Manager?


Qubed One

Aug 15, 2015, 3:07:55 PM
to qubes...@googlegroups.com

Hi, is there an upper limit to the number of entries under the firewall
tab in Qubes VM Manager?

When I try to start a vm in Qubes 3rc2 with too many entries allowed,
denying the rest, I get the attached error.

The vm is working with roughly three dozen entries now.

The same error is presented with both app-vms and proxy-vms.

Thanks in advance!

firewall_error.txt

Unman

Aug 17, 2015, 6:00:46 PM
to Qubed One, qubes...@googlegroups.com
You're running very close to the limit, which is, I think, 39.
Interestingly, if you try with more, the fw seems to have the full
iptables rules written, but the VM never completes startup as you've
discovered.

Marek Marczykowski-Górecki

Aug 25, 2015, 10:54:51 PM
to Unman, Qubed One, qubes...@googlegroups.com
On Mon, Aug 17, 2015 at 11:00:44PM +0100, Unman wrote:
> On Sat, Aug 15, 2015 at 07:07:36PM +0000, Qubed One wrote:
> >
> > Hi, is there an upper limit to the number of entries under the firewall
> > tab in Qubes VM Manager?
> >
> > When I try to start a vm in Qubes 3rc2 with too many entries allowed,
> > denying the
> > rest, I get the attached error.
> >
> > The vm is working with roughly three dozen entries now.
> >
> > The same error is presented with both app-vms and proxy-vms.
> >
> > Thanks in advance!
>
> You're running very close to the limit, which is, I think, 39.
> Interestingly, if you try with more, the fw seems to have the full
> iptables rules written, but the VM never completes startup as you've
> discovered.

Maximum is 3kb of iptables script, which is indeed about 39 rules. We
will rework that firewall mechanism in Qubes 4.0, but until then you can
use `qubes-firewall-user-script`[1] as a workaround - VM IPs are static
(and protected against spoofing) so it should be rather easy to add
additional rules there.

[1] https://www.qubes-os.org/doc/UserDoc/ConfigFiles/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
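One way to use the workaround Marek points to, as an added example that is neither Qubes' own code nor anything posted in this thread: a fragment for the ProxyVM's qubes-firewall-user-script that adds allow rules keyed on an AppVM's static IP. The /rw/config path, the FORWARD-chain placement, and every IP and port in it are assumptions or constructed sample values.

```sh
#!/bin/sh
# Added example, not Qubes' own code: a fragment for the ProxyVM's
# /rw/config/qubes-firewall-user-script that allows one AppVM's static IP to
# reach destinations that no longer fit in the VM Manager firewall tab.
# Assumed: this runs after qubes-firewall applied the GUI-managed rules and
# AppVM traffic passes FORWARD, so "-I" puts these ACCEPTs ahead of the deny.

# Constructed sample values; replace with your own. VM_IP is the AppVM's
# Qubes-assigned IP (static, so keying rules on it is safe), EXTRA_ALLOW the
# overflow allow-list as host:port/proto.
VM_IP="10.137.2.10"
EXTRA_ALLOW="192.0.2.10:443/tcp 192.0.2.11:443/tcp 198.51.100.5:53/udp"

# run CMD...: execute, or only print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rules_for_vm VM_IP ENTRY...: one ACCEPT per well-formed entry. Entries
# that do not parse as host:port/{tcp,udp} with a numeric port are skipped and
# reported, so a typo cannot silently become a broader rule than intended.
add_rules_for_vm() {
    vm_ip="$1"; shift
    count=0
    for entry in "$@"; do
        host="${entry%%:*}"
        rest="${entry#*:}"
        port="${rest%%/*}"
        proto="${rest#*/}"
        case "$entry" in *:*/tcp|*:*/udp) ;; *) host="" ;; esac
        case "$port" in ''|*[!0-9]*) host="" ;; esac
        if [ -z "$host" ]; then
            echo "qubes-firewall-user-script: skipping malformed entry '$entry'" >&2
            continue
        fi
        run iptables -I FORWARD -s "$vm_ip" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
        count=$((count + 1))
    done
    echo "qubes-firewall-user-script: $count extra rule(s) for $vm_ip" >&2
}

# Apply only inside a Qubes VM (where /rw/config exists); elsewhere just preview.
[ -d /rw/config ] || DRY_RUN=1
add_rules_for_vm "$VM_IP" $EXTRA_ALLOW
```

Rules added this way are not shown in the VM Manager firewall tab, so keep the allow-list in this file as the record of what the VM may reach.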

Qubed One

Aug 26, 2015, 1:23:20 PM
to qubes...@googlegroups.com
On 08/26/2015 02:54 AM, Marek Marczykowski-Górecki wrote:
> On Mon, Aug 17, 2015 at 11:00:44PM +0100, Unman wrote:
>> On Sat, Aug 15, 2015 at 07:07:36PM +0000, Qubed One wrote:
>>>
>>> Hi, is there an upper limit to the number of entries under the
>>> firewall tab in Qubes VM Manager?
>>>
>>> When I try to start a vm in Qubes 3rc2 with too many entries
>>> allowed, denying the rest, I get the attached error.
>>>
>>> The vm is working with roughly three dozen entries now.
>>>
>>> The same error is presented with both app-vms and proxy-vms.
>>>
>>> Thanks in advance!
>
>> You're running very close to the limit, which is, I think, 39.
>> Interestingly, if you try with more, the fw seems to have the
>> full iptables rules written, but the VM never completes startup
>> as you've discovered.
>
> Maximum is 3kb of iptables script, which is indeed about 39 rules.
> We will rework that firewall mechanism in Qubes 4.0, but until then
> you can use `qubes-firewall-user-script`[1] as a workaround - VM
> IPs are static (and protected against spoofing) so it should be
> rather easy to add additional rules there.
>
> [1] https://www.qubes-os.org/doc/UserDoc/ConfigFiles/
Good to know. Thanks!