On 18.08.2014 06:11, whoni...@mail2tor.com wrote:
> Hello,
>
> I'm interested in what it would take to add ProxyVM support to the Qubes
> Debian community template.
>
> Maybe this is already planned or being worked on?
Yes, it is a planned feature, but I'm not aware of anyone working on it.
> Adding this capability could go a long way for our current effort in
> porting Whonix to Qubes. Whonix scripts are now Debian jessie/testing
> compatible.
>
> So the Qubes Debian template could make integration easy for the
> Whonix-Gateway, if the Qubes template just had ProxyVM support.
>
>
> I see that Fedora-based ProxyVMs seem to generally work by adding virtual
> network interfaces (vifX) to the ProxyVM for each new AppVM that connects
> through it. And it establishes different IP credentials than non-ProxyVM
> interfaces, like (inet: 10.137.5.1, netmask: 255.255.255.255).
>
>
> If not actively being worked on, then I'm wondering what mechanisms would
> yet need to be developed and where in the Qubes scripts I might accomplish
> this.
Debian as ProxyVM is not "known to not working", it is "untested". OK, I've
tested it now. It is "not working" ;)

Quick and dirty way to have basic functionality (without full qubes-firewall
support):

    apt-get install xen-utils-common
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables-restore /etc/sysconfig/iptables
    # for some reason /var/run/qubes/qubes-ns is not created at startup
    INTERFACE=eth0 /usr/lib/qubes/setup-ip
    # rerun qubes-setup-dnat-to-ns with bash
    bash /usr/lib/qubes/qubes-setup-dnat-to-ns

Most likely the iptables and DNS parts are not needed for the Whonix case, as
they will be overridden anyway.

Anyone willing to convert the above to proper patches? :)
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
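
A way to check that the quick-and-dirty steps in the message above left the ProxyVM in the expected state, as an added example that is not part of the original message or of the Qubes scripts. The function name `check_proxyvm` and its optional root-directory argument are assumptions made for illustration; the checks test only that the files named in the message exist or are non-empty, not their contents.

```shell
#!/bin/sh
# Added example: post-setup check for the manual Debian ProxyVM steps.
# check_proxyvm [ROOT] -- ROOT (hypothetical parameter) prefixes every path so
# the checks can run against a constructed tree; omit it on a real ProxyVM.
# Return status = number of failed checks (0 means all passed).

check_proxyvm() {
    root="${1:-}"
    failures=0

    report() {  # report <status> <message>
        if [ "$1" -eq 0 ]; then
            echo "ok   $2"
        else
            echo "FAIL $2"
            failures=$((failures + 1))
        fi
    }

    # Step: echo 1 > /proc/sys/net/ipv4/ip_forward
    fwd="$root/proc/sys/net/ipv4/ip_forward"
    [ -r "$fwd" ] && [ "$(cat "$fwd")" = "1" ]
    report $? "IPv4 forwarding enabled ($fwd)"

    # Step: iptables-restore /etc/sysconfig/iptables needs a non-empty rules file
    [ -s "$root/etc/sysconfig/iptables" ]
    report $? "rules file present ($root/etc/sysconfig/iptables)"

    # Step: setup-ip is rerun because qubes-ns was not created at startup
    [ -s "$root/var/run/qubes/qubes-ns" ]
    report $? "qubes-ns created ($root/var/run/qubes/qubes-ns)"

    # The two Qubes helper scripts the procedure invokes must be installed
    for s in setup-ip qubes-setup-dnat-to-ns; do
        [ -f "$root/usr/lib/qubes/$s" ]
        report $? "helper script installed ($root/usr/lib/qubes/$s)"
    done

    return "$failures"
}
```

Source the file inside the ProxyVM and run `check_proxyvm` with no argument after each reboot; a non-zero status shows which manual step has to be repeated.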