How to solve ProxyVM (sys-firewall) becoming non-functional at runtime

Robert Mittendorf

Oct 11, 2016, 5:43:01 AM
to qubes-users
Hey folks,

sometimes the sys-firewall (more likely a service within it) crashes and
no longer allows connected VMs to resolve DNS.
The ProxyVM must be the responsible entity, because the connection will
be fine again if I restart the sys-firewall.
Restarting the ProxyVM is tedious, as you cannot simply restart it when
running (App)VMs are attached. You have to change the NetVM setting of
every running connected AppVM (or shut them down) in order to restart
the sys-firewall.

This does not happen very often, just once, twice a month - but is there
a less tedious way to fix this?
like a shell command to restart the corresponding service in the
sys-firewall?

One could use an intermediate proxy, so you have to change only the
NetVM of a single connected "App"VM - but what if the same problem
occurs with that additional ProxyVM....

What is the problem with restarting a connected ProxyVM anyway? Yes,
there should be a warning - but it should be possible to bypass this
warning I think.

thanks for reading,
Robert

Manuel Amador (Rudd-O)

Oct 13, 2016, 10:12:26 AM
to qubes...@googlegroups.com
On 10/11/2016 09:42 AM, Robert Mittendorf wrote:
> Hey folks,
>
> sometimes the sys-firewall (more likely a service within it) crashes
> and no longer allows connected VMs to resolve DNS.
> The ProxyVM must be the responsible entity, because the connection
> will be fine again if I restart the sys-firewall.

You're onto it. I think I fixed this yesterday:

https://github.com/QubesOS/qubes-core-agent-linux/pull/20
--
Rudd-O
http://rudd-o.com/

Robert Mittendorf

Oct 17, 2016, 3:46:39 AM
to qubes...@googlegroups.com
Quick-reading your link, I don't think that this is the issue. My
observation is that it happens after several hours/days of a flawlessly
working ProxyVM, not at boot.