ftp'ing to a computer on my LAN from an AppVM that is using a VPN proxyVM?


Stumpy

Dec 11, 2020, 8:53:37 AM
to Qubes users
Is there a way to ftp to another computer on my LAN from an appvm that is
using a proxyvm?

I am able to ftp to other computers when I set this appvm to just use
the default firewall, but sometimes I forget to set it back to use a vpn
vm; but if I have the appvm using the vpn/proxy vm then I am unable to
reach any of the other computers on my LAN?

Please advise

unman

Dec 11, 2020, 9:22:40 AM
to Qubes users
Yes - you need to adjust the firewall rules on the vpn qube to direct
(ftp) traffic from the source ip to the local network - you could make
this *highly* specific by specifying the destination in the new rule.

What method are you using to set up the vpn?

Stumpy

Dec 12, 2020, 2:45:04 PM
to unman, Qubes users
Pardon my ignorance but how would I do that? I know it would be in
settings -> firewall settings but after that it gets a bit fuzzy?

> What method are you using to set up the vpn?
>

I used the new community vpn setup

unman

Dec 12, 2020, 9:17:19 PM
to Qubes users
Well, you can't do it there, because you need to adjust the firewall
rules implemented ON the vpn qube.

>
> > What method are you using to set up the vpn?
> >
>
> I used the new community vpn setup
>

Right - but there are 2 methods outlined on that github page (if that's what
you mean by community vpn) - 3 if you include "vpn on sys-net". Did you
follow the "iptables and CLI scripts" section?

There's an added issue that you will have to consider and that is the
nature of FTP connections - when a client connects to a server, the
server may create a link back to a port specified in the original
connection: this is non-passive (active) ftp. If your FTP server does
this then you will have to enable a route through to the client qube.

The client may instead send a PASV command - then the server *may* send
back a listening port number, and the client will create a link to that
port.

So there are 4 possibilities, and the firewall rules you need will
depend on what the capabilities of the server are. Best check on that.
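
The two data-connection modes described in the post above, as an added example that is not part of the original thread: it reads FTP control-channel lines, decodes the RFC 959 host-port field, and reports which side opens the data connection, which is the direction a firewall rule on the vpn qube has to allow. The transcript lines and addresses are constructed for illustration.

```python
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (four address bytes, two port bytes).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel(line):
    """Classify one control-channel line, or return None if it negotiates nothing."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active: the client listens and the server connects back to it.
        return {"mode": "active", "initiator": "server",
                "listener": parse_hostport(line[5:])}
    if line.startswith("227"):
        # Passive: the server listens and the client connects out to it.
        return {"mode": "passive", "initiator": "client",
                "listener": parse_hostport(line[3:])}
    return None


def required_flows(lines):
    """List the data connections a firewall in the path has to let through."""
    flows = []
    for line in lines:
        ch = data_channel(line)
        if ch:
            flows.append("%s: %s connects to %s:%d"
                         % (ch["mode"], ch["initiator"], *ch["listener"]))
    return flows


# Constructed control-channel lines (not captured from a real server).
SAMPLE = ["220 FTP server ready", "USER demo", "PASV",
          "227 Entering Passive Mode (192,168,1,50,195,80)",
          "PORT 10,137,0,12,200,21", "200 PORT command successful"]

if __name__ == "__main__":
    print("\n".join(required_flows(SAMPLE)))
```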


Stumpy

Dec 16, 2020, 11:11:51 AM
to qubes...@googlegroups.com
Thanks unman,
I used the Qubes OS contributed package "qubes tunnel".
I am not sure about my server, is there a "standard" way to check that?
(the server is running unraid, which is/was based on slackware so am
hoping there might be a way to check that would work on most distros?).

For the iptables and cli scripts part, would that still apply to using
the "qubes tunnel" setup option?