Problem on port forwarding to a VM from the outside world


nishi...@gmail.com

Aug 20, 2016, 1:33:01 PM
to qubes-users
Hello,

I followed the documentation on this page https://www.qubes-os.org/doc/qubes-firewall/ ("Port forwarding to a VM from the outside world" paragraph), but I didn't manage to open the 443 https port on a TemplateVM.

I am trying to configure an apache2 server on a TemplateVM based on Linux Kali distribution (to learn how to host my first website :))

I think I made no mistakes while replacing the IP address examples in the scripts with my sys-net local IP address and sys-firewall IP address, but I don't understand everything. On all of them, am I supposed to replace the "MY-HTTPS" service with the IP address of the TemplateVM, with something like "apache2" or eventually with "ssh" to make it work please? I don't really get what "service" refers to here.

Also I would like to know if a XXX.XXX.XXX.XXX/24 IP address is different from a standard XXX.XXX.XXX.XXX IP without the "/24", because I noticed the person who wrote this guide put 192.168.X.0/24 but not everywhere, so I don't really know if I am correct not reversing the last 2 terms t_t
But I guess I don't have to since the "/sbin/ifconfig" address is static.

I also would like to know if I can deny network access on my sys-firewall ProxyVM with these exceptions:
192.168.X.X/24 (local address)
XXX.XXX.XXX.XXX/443 (IP address of the TemplateVM where the apache2 server is running)

When I type "netstat -antp" in the TemplateVM terminal I don't see any 443 port listening atm :(

Any help would be really appreciated!
Regards

nishi...@gmail.com

Aug 21, 2016, 7:02:22 AM
to qubes-users
Any help configuring sys-firewall would also be really appreciated. I got this annoying pop-up when I click on the "Firewall rules" tab under the sys-firewall ProxyVM settings:

"The 'sys-firewall' AppVM is not network connected to a FirewallVM!

You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."

The only subject related to this problem I found is this message from Unman on the qubes-users group:

"When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw.
There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."

Ok so here's what I understand from this message: this ProxyVM firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.

https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."

And then you got explanations on how to edit rules in a specific VM for a given domain.

So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.

I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall ProxyVM, like if you are supposed to check either the "Deny network access except" or "Allow network access except" button, or if that doesn't matter, if those policies won't apply anyway because of this pop-up...

Andrew David Wong

Aug 21, 2016, 3:28:13 PM
to nishi...@gmail.com, qubes-users
Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even
there.

Suppose you have an AppVM in which you want to enforce specific firewall
rules. You should go into the VM settings for *that VM*, then the "Firewall
rules" tab, then configure your firewall rules there. These firewall rules are
then *enforced by* sys-firewall under the hood. Enforcing these rules for
other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there
is no other VM that can perform this job *for* sys-firewall. But that's not a
problem, because there's usually no reason to specify firewall rules for
sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs
as you like and chain them together.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

nishi...@gmail.com

Aug 21, 2016, 7:43:39 PM
to qubes-users
Ok, thank you very much for your help. Unfortunately I still have great difficulties opening up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying :

"A diagram in the wiki would help people understand.

For now:
A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x).
The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5).
The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help.
I don't get why the documentation doesn't address the routing basics stuff that isn't really basic for newbies, for random people. I like Qubes a lot, this is an awesome OS, but far too complicated for mister everyone. I am at the point right now where frustration becomes overwhelming.
I don't think I am not curious, trying to improve or understand better the way this OS works... I'm just going mad tonight, lol.

So let me try to sum up this comment in a visual way to understand better how routing works on Qubes.

Outside IP packet (source : AppVM or router, like on some http request) => sys-net VM (destination) => firewall VM (new destination routed from sys-net VM with iptables) => AppVM (new destination routed from sys-net VM with iptables).

So let's say I deny all traffic in an AppVM and want to make exclusions to open only the standard http (80) or https (443) protocols, am I supposed to enter new rules in dom0 for the AppVM's firewall and also configure iptables as well, or are only the AppVM's firewall exceptions going to be enough please?

https://www.qubes-os.org/doc/dom0-tools/qvm-firewall/
I tried to connect Firefox on an AppVM with this rule, launching an https site, but it failed :(
"qvm-firewall AppVMname -a localadressofsysnet(192.168.x.x) any 443 -P allow"

I also added a rule with the vifX.X interface address (I guess it is the bridge to redirect traffic to the LAN network, but this is just an assumption from me, I didn't read about it), but still no success. Well, I might need a rope instead ~

Anyway I probably have to deal again with this documentation https://www.qubes-os.org/doc/qubes-firewall/ and copy the automatic scripts executing from one of the folders that don't reset data automatically at reboot (/rw/config/), but I already did that to make 2 VMs communicate with each other (client/server) and anyway this doesn't matter if I can't communicate with the outside.

Indeed, I don't understand 1 thing in the "Port forwarding to a VM from the outside world" part of the documentation: in the iptables scripts, do you have to replace "MY-HTTPS" with the name of your service please? Like for hosting a server, with the "apache2" service?
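As an added example that is not code from the thread or from the Qubes documentation, this script lays out, per VM, the three rule sets that Alex Dubois's quoted explanation and the question about the documentation's scripts (in the first post and in the last paragraph above) refer to. It treats MY-HTTPS as a user-defined iptables chain name rather than a service name (that reading is an assumption here), and the sys-net LAN address 192.168.0.10 and the interface name eth0 are assumed as well.

```shell
#!/bin/sh
# Constructed example, not code from the Qubes docs or from anyone in the
# thread. It prints the iptables rules for each hop of the path
# outside -> sys-net -> sys-firewall -> AppVM using the thread's sample
# addresses; it never calls iptables itself. Run it inside each VM with
# that VM's name and pipe the output to sh to apply the rules.
NET_EXT=192.168.0.10   # sys-net LAN address (assumed; the thread says 192.168.0.x)
FW_IP=10.137.1.5       # sys-firewall address quoted in the thread
APP_IP=10.137.2.16     # AppVM address quoted in the thread (where apache2 runs)
PORT=443
CHAIN=MY-HTTPS         # a user-defined chain name, not a service or unit name
UP_IF=eth0             # a Qubes VM's upstream interface (assumed to be eth0)

# One forwarding hop has the same shape in sys-net and in sys-firewall:
# a nat chain that rewrites the destination of incoming packets, plus a
# FORWARD ACCEPT for the new flow. The ACCEPT is inserted at the head of
# FORWARD so it sits before the DROP that Qubes installs by default.
hop() {  # $1 = address the packet arrives for, $2 = address to rewrite it to
  cat <<EOF
iptables -t nat -N $CHAIN
iptables -t nat -A PREROUTING -i $UP_IF -d $1 -p tcp --dport $PORT -j $CHAIN
iptables -t nat -A $CHAIN -j DNAT --to-destination $2
iptables -I FORWARD -i $UP_IF -d $2 -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}
rules_sysnet() { hop "$NET_EXT" "$FW_IP"; }   # LAN address  -> sys-firewall
rules_sysfw()  { hop "$FW_IP" "$APP_IP"; }    # sys-firewall -> AppVM

# Last hop: the AppVM only has to let the connection into its own INPUT
# chain; no DNAT is needed because the packet is now addressed to it.
rules_appvm() {
  echo "iptables -I INPUT -i $UP_IF -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# The DNAT target of one hop must be exactly the address the next hop
# matches on, otherwise the packet is silently dropped between the VMs.
dnat_target() { sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p'; }
check_chain() {
  [ "$(rules_sysnet | dnat_target)" = "$FW_IP" ] &&
  [ "$(rules_sysfw  | dnat_target)" = "$APP_IP" ]
}

case "${1:-}" in
  sys-net)      rules_sysnet ;;
  sys-firewall) rules_sysfw ;;
  appvm)        rules_appvm ;;
  check)        check_chain && echo "hops are consistent" ;;
  *)            echo "usage: $0 sys-net|sys-firewall|appvm|check" ;;
esac
```

To keep the rules across reboots, append the printed lines to /rw/config/rc.local in the VM they belong to, or to /rw/config/qubes-firewall-user-script in sys-firewall as Unman's quoted message suggests.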

Andrew David Wong

Aug 21, 2016, 9:18:07 PM
to nishi...@gmail.com, qubes-users

On 2016-08-21 16:43, nishi...@gmail.com wrote:
> On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote: On
> Ok, thank you very much for your help. Unfortunately I still have great
> difficulties to open up port 443 or 80 on an AppVM.
>
> I have read this comment on another thread from Alex Dubois saying :
>
> "A diagram in the wiki would help people understand.
>
> For now: A packet coming from the outside has a sourceIP of the
> workstation on the LAN that issued it or the router that routed the packet
> into your LAN and a destinationIP of your netVM externalIP (probably
> 192.168.0.x). The NetVM iptables rules are going to transform it to a
> packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM
> iptables rules are going to transform it to a packet with a destinationIP
> of your AppVM (10.137.2.16)."
>
> I completely agree with him, a diagram would really help. I don't get why
> documentation doesn't address the routing basics stuff that isn't really
> basic for newbies, for random people.

The documentation is largely a volunteer effort. I'm afraid we simply don't
have the workforce to make all necessary and desirable improvements to the
documentation. We would love it if someone would submit a pull request adding
such a diagram or, in general, improving that page.
Sorry, this is beyond my knowledge. My own use of Qubes (as a regular user)
has never occasioned the need to port forward to a VM from the outside world.
Perhaps it's worth appreciating that what you're attempting to do is somewhat
advanced, and therefore you should not expect it to be extremely simple. In
any case, I hope someone knowledgeable about networking will chime in to help
you with this.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


nishi...@gmail.com

Aug 22, 2016, 5:47:50 AM
to qubes-users, nishi...@gmail.com
I would love as well to be able to host a website to share my interest in Qubes OS with the world, or at least with people of my country sharing my own language if you don't mind, because Qubes OS documentation looks like imo being written mostly by native English users that don't seem to care much for non-native English users being lost. I would this way really like to participate in some translation effort, as I don't necessarily think you can enter easily those quite complicated notions with your non-native language.
Qubes documentation being largely a volunteer effort doesn't make it immune to the critics, and mine is that people spending this valuable time to share their knowledge to make people enter quite long and complicated procedures should consider that:
1) Explaining how to do port forwarding without addressing or referring to basic knowledge upon this concept leads to frustration, as you necessarily need to understand a bit what's going on in order to adapt the procedures.
2) Even if I think people mostly appreciate and are thankful to the Qubes community development for the incredible security improvement Qubes OS brings to everyone and that makes Qubes OS probably the best OS I know so far, when security isolation somehow puts you in a cage where you encounter difficulties to communicate with the rest of the world, well that's not the goal per se :p

But no problem, thank you for your help. I hope someone might give me some advice on this problem, but I am already trying to learn iptables, as it looks like you can't unblock ports using only the Qubes firewall, you have to understand these iptables scripts ^^

Andrew David Wong

Aug 22, 2016, 11:43:35 AM
to nishi...@gmail.com, qubes-users, Michael Carbone

On 2016-08-22 02:47, nishi...@gmail.com wrote:
> I would love as well to be able to host a website to share my interest for
> Qubes OS with the world, or at least with people of my country sharing my
> own language if you don't mind, because Qubes OS documentation looks like
> imo being written mostly by native English users that don't seem to care
> much for non-native English users being lost.

On the contrary, we care greatly about translating the documentation into
other languages. We're working with Transifex right now to have the
documentation translated:

https://github.com/QubesOS/qubes-issues/issues/1452

> I would this way really like to participate to some translation effort, as
> I don't necessarily think you can enter easily those quite complicated
> notions with your non-native language.

We welcome your participation! Michael (CCed) is the main contact with
Transifex. He may have a better idea about how members of the Qubes community
like yourself can get involved.

> Qubes documentation being largely a volunteer effort doesn't make it
> immune to the critics,

I didn't mean to suggest that it's immune to criticism. On the contrary,
constructive criticism is always welcome.

However, you said, "I don't get why documentation don't address..." I was
simply explaining why. The documentation is lacking such things because no one
has contributed them.

> and mine is that people spending this valuable time to share their
> knowledge to make people enter quite long and complicated procedures should
> consider that: 1) Explaining how to do port forwarding without addressing
> or referring to basic knowledge upon this concept leads to frustration, as
> you necessarily need to understand a bit what's going on in order to adapt
> the procedures. 2) Even if I think people mostly appreciate and are
> thankful to the Qubes community development for the incredible security
> improvement Qubes OS brings to everyone and that makes Qubes OS probably
> the best OS I know so far, when security isolation somehow puts you in a cage
> where you encounter difficulties to communicate with rest of the world,
> well that's not the goal per se :p
>

I think it's fair to beseech documentation contributors to consider these
things. But, in the end, it's up to them what knowledge (if any) they will
contribute.

> But no problem, thank you for your help. I hope someone might give me some
> advice on this problem, but I am already trying to learn iptables, as
> it looks like you can't unblock ports using only Qubes firewall, you have
> to understand these iptables scripts ^^
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

nishi...@gmail.com

Aug 22, 2016, 4:56:19 PM
to qubes-users, nishi...@gmail.com, mic...@qubes-os.org
On Monday, 22 August 2016 17:43:35 UTC+2, Andrew David Wong wrote:
>
> On the contrary, we care greatly about translating the documentation into
> other languages. We're working with Transifex right now to have the
> documentation translated:
>
> https://github.com/QubesOS/qubes-issues/issues/1452
>
Ok my bad, I didn't know about this project. Then it is fine, it would help a lot of people not used to reading English.
>
> We welcome your participation! Michael (CCed) is the main contact with
> Transifex. He may have a better idea about how members of the Qubes community
> like yourself can get involved.
>
Ok thank you, he can contact me on this email if you want me to help translate some pages, no problem. I don't type very fast and I'm not that young, but if you lack people to help translate into their native language, I can help.
>
> I didn't mean to suggest that it's immune to criticism. On the contrary,
> constructive criticism is always welcome.
>
Sure, I was just a bit on nerves yesterday, sorry about that.
>
> However, you said, "I don't get why documentation don't address..." I was
> simply explaining why. The documentation is lacking such things because no one
> has contributed them.
>
> I think it's fair to beseech documentation contributors to consider these
> things. But, in the end, it's up to them what knowledge (if any) they will
> contribute.
>
Good point, I thought about your answer yesterday more rested and just began a course today about TCP/IP networks, the OSI model in 7 layers, to understand better how routing works, how packets travel from layer 7 to your own switch / bridge! This is quite interesting, but my attention scattered to another one on how to convert decimal numbers into hexadecimal or binary numbers ^^
>
I don't know if it's going to be useful, but yes, it was interesting to realize an IPv4 address is coded on 32 bits, which is 4 octets, and that 1 octet reaches 255 maximum in decimal form because it is coded on 8 bits, which is 2^8=256, and as you start from 0, you get this number. And that we're going to switch to IPv6 because you have only 2^32 numbers available (4.2 billion) and we are already 7.3 billion here on Earth! That's also why I want to host my website on my own cpu bc you need energy to make a server work, Earth is dying, who cares my beginner site being unavailable 8-12 hours a day, as long as I warn folk when it opens lol. You can also think about Qubes from an ecological point of view as it centralizes different OSes and allows you to avoid having more computers to preserve data: you save energy.
>
Those numbers make you wonder how unreal in less than 50 years we went from 1 bit (0-1), this very simple potential electric difference coding 2 values, to a world wide web page full of data ^^ I guess we invented aliens to communicate with we didn't find (yet) so far :D Because if you think about one typo here, like my little D surrounded by 2 symbols (lol), if you think about all character options available in all languages over the whole world for those 2 symbols, I wouldn't be surprised this beast gets so huge that it can't hold in 1 octet/1 byte/256 options haha (btw in French you add e to "bit", you get a D :D). I hope you enjoy my delicate poetry on digits man lol ~
>
P.S. : If quoting you fails again, please excuse me, I don't get how to do it properly inside your message :(

nishi...@gmail.com

Aug 25, 2016, 5:36:18 PM
to qubes-users, nishi...@gmail.com, mic...@qubes-os.org
Well I wasn't aware routing / forwarding can be so complex, and indeed it is a full time job, you can't become a network admin just like that, it takes time.
So I realized I shouldn't have posted here, my bad. Any admin feel free to delete this subject if you want to, no problem.

So I am actually gathering knowledge on the subject to be able eventually at the end of the day to create a very little local Qubes network with a serverVM to host my website / a clientVM to test it / a ProxyVM acting as a router :) I followed a course referring a lot to the old "route" cmd on Linux, but no chance, I can't make it run or install it on Qubes, the cmd has been deprecated, now you need to use iproute2!
Fortunately I just found another tutorial in French to understand how to use iproute http://www.inetdoc.net/guides/lartc/lartc.iproute2.explore.html
