I followed the documentation on this page https://www.qubes-os.org/doc/qubes-firewall/ ("Port forwarding to a VM from the outside world" paragraph), but I didn't manage to open the HTTPS port 443 on a TemplateVM.
I am trying to configure an apache2 server on a TemplateVM based on the Kali Linux distribution (to learn how to host my first website :))
I think I made no mistakes while replacing the example IP addresses in the scripts with my sys-net local IP address and sys-firewall IP address, but I don't understand everything. In all of them, am I supposed to replace the "MY-HTTPS" service with the IP address of the TemplateVM, with something like "apache2", or possibly with "ssh" to make it work, please? I don't really get what "service" refers to here.
Also I would like to know if an XXX.XXX.XXX.XXX/24 IP address is different from a standard XXX.XXX.XXX.XXX IP without the "/24", because I noticed the person who wrote this guide put 192.168.X.0/24 but not everywhere, so I don't really know if I am correct not reversing the last 2 terms t_t
But I guess I don't have to, since the "/sbin/ifconfig" address is static.
I also would like to know if I can deny network access on my sys-firewall proxy VM with these exceptions:
192.168.X.X/24 (local address)
XXX.XXX.XXX.XXX/443 (IP address of the TemplateVM where the apache2 server is running)
When I type "netstat -antp" in the TemplateVM terminal I don't see any port 443 listening atm :(
Any help would be really appreciated !
Regards
"The 'sys-firewall' AppVM is not network connected to a FirewallVM!
You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
The only thread related to this problem I found is this message from Unman on the Qubes-users group:
"When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw.
There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
Ok so here's what I understand from this message: this proxyVM firewall is probably working, but the rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
And then there are explanations on how to edit rules in a specific VM for a given domain.
So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS has an advanced degree in IT and network routing.
I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like whether you are supposed to check the "Deny network access except" or "Allow network access except" button, or if that doesn't matter because those policies won't apply anyway because of this pop-up...
But no problem, thank you for your help. I hope someone might give me some advice on this problem, but I am already trying to learn about iptables, as it looks like you can't unblock ports using only the Qubes firewall; you have to understand these iptables scripts ^^
So I am actually gathering knowledge on the subject to be able, eventually, at the end of the day, to create a very small local Qubes network with a serverVM to host my website / a clientVM to test it / a proxyVM acting as a router :) I followed a course referring a lot to the old "route" command on Linux, but no luck, I can't make it run or install it on Qubes; the command has been deprecated, now you need to use iproute2!
Fortunately I just found another tutorial in French to understand how to use iproute: http://www.inetdoc.net/guides/lartc/lartc.iproute2.explore.html
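The following is an added worked example that is not part of either post above, of Unman's quoted reply, or of the Qubes documentation. It ties together the first post's questions (what the doc's "MY-HTTPS" stands for, what a "/24" means, which iptables commands belong in which VM) and the per-VM /rw/config/qubes-firewall-user-script that Unman mentions. In the documentation, as I read it, "MY-HTTPS" is the name of a user-defined iptables chain that the forwarding rules are collected in, not a service or an address; the name is arbitrary. The script only prints the rules so you can review them; the interface name eth0, the placeholder addresses, the chain name and the rule positions (-I FORWARD 2, -I INPUT 5) are assumptions modelled on the Qubes 4.0-era documentation and must be checked against your own VMs.

```shell
#!/bin/sh
# Added example; not code from the original posts, from Unman, or from the
# Qubes project. It prints (does not run) the iptables commands that the
# "Port forwarding to a VM from the outside world" procedure installs at each
# hop, and shows what a /24 means. eth0, the addresses, the chain name
# MY-HTTPS and the rule positions (-I FORWARD 2, -I INPUT 5) are assumptions
# modelled on the Qubes 4.0-era docs; compare with `iptables -L -v -n` and
# `iptables -t nat -L -v -n` in your own VMs before piping anything into sh.

# ip2int A.B.C.D -> the address as a 32-bit integer (for mask arithmetic)
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: succeeds if IP lies inside the network.
# 192.168.1.0/24 means the whole range 192.168.1.0-192.168.1.255 (first 24
# bits fixed, last octet free); a bare 192.168.1.37 is one host, i.e. /32.
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits="${2#*/}"
  [ "$bits" = "$2" ] && bits=32          # no "/N" given: single host
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dnat_rules IFACE LOCAL_IP NEXT_HOP_IP PORT CHAIN
# One forwarding hop: packets arriving on IFACE for LOCAL_IP:PORT are
# DNATed to NEXT_HOP_IP (nat/PREROUTING), and the rewritten packets are
# accepted in filter/FORWARD. Both go through a user-defined chain CHAIN
# (the doc's "MY-HTTPS"; any name works) so they can later be removed
# together with `iptables -F CHAIN`. Creating the chain fails harmlessly
# if it already exists.
dnat_rules() {
  cat <<EOF
iptables -t nat -N $5
iptables -t nat -A $5 -j DNAT --to-destination $3
iptables -t nat -A PREROUTING -i $1 -p tcp --dport $4 -d $2 -j $5
iptables -N $5
iptables -A $5 -j ACCEPT
iptables -I FORWARD 2 -i $1 -d $3 -p tcp --dport $4 -m conntrack --ctstate NEW -j $5
EOF
}

# input_rule IFACE PORT: the VM running the server must also accept the
# connection itself; the default Qubes INPUT chain drops unsolicited traffic.
input_rule() {
  echo "iptables -I INPUT 5 -i $1 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed placeholder addresses (not real):
#   sys-net:      LAN address 192.168.1.50 on eth0, sys-firewall is 10.137.1.10
#   sys-firewall: 10.137.1.10 on eth0, the serving AppVM is 10.137.2.20
# `sh thisscript.sh show` prints the three rule sets. Each set is meant to be
# run inside the matching VM; to survive reboots, put the sys-net and
# sys-firewall sets in that VM's /rw/config/qubes-firewall-user-script and
# the AppVM rule in its /rw/config/rc.local.
if [ "${1:-}" = "show" ]; then
  echo '# sys-net';       dnat_rules eth0 192.168.1.50 10.137.1.10 443 MY-HTTPS
  echo '# sys-firewall';  dnat_rules eth0 10.137.1.10 10.137.2.20 443 MY-HTTPS
  echo '# serving AppVM'; input_rule eth0 443
fi
```

Running it with `show` and reading the output side by side with the doc makes the structure visible: the same two-rule pattern is repeated once per hop (sys-net forwards to sys-firewall, sys-firewall forwards to the AppVM), and only the addresses change; the `/24` in the doc appears where a rule should match a whole LAN rather than one host, which `in_cidr` lets you check for your own addresses.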