-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Make sure you've added appropriate routes for returning packets - for
example in sys-net a route to appvm via sys-firewall. Without this,
you'll have two problems:
1. Returning packets will be dropped because of lack of route back to
the source
2. Outgoing packets will be dropped by reverse path filter
(/proc/sys/net/ipv4/conf/all/rp_filter), because it looks like IP
spoofing from sys-net perspective.
If you're using R4.0, check also nftables, see here:
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
Generally, without MASQUERADE, each node of the network tree needs to
know routes to _every_ node in the subtree - not only those directly
connected. In your case it might be ok, but in the general case it gets even
more complicated because you may want some exceptions (Proxy VMs that
tunnel the traffic using a VPN of some kind, including Tor). And switching
netvm requires route changes in multiple places.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlqhI/sACgkQ24/THMrX
1yxbaAgAibEV4Gevei0p80zgdfY0/pH24Inm0+IrUCHi56fT7MnKM/Caj9ip1FrI
3VGGBrszlOpMP7iTaMos7Jsach0dCSmtLb9R0jtkbuMt5Tm3QgBQIVyqiUViLBUP
b0yWdx2IOXgiof9KnMAuI7RXr4t/3I5AGTJuPaSsFIpNB5z3F5JvOi/G8G3KSNz+
U50Ewa9NNOKTxMO27G1PFWSUC9tMZdXEIVk8/ZCVTPaltFeoIlavNzb4SrmmiT/I
OsysT6QjNlN1tncw5v/JTeIFqSVlCs6srCVU63Jm8oFpCwE14SqiOV+b7XoYr5rF
XIEYet9Mz+1l/FQXBRtMeupGugZz1A==
=s7tZ
-----END PGP SIGNATURE-----
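The two failure modes described in the reply (no return route, and the strict reverse path filter rejecting the forwarded packet) can be checked against a model of sys-net's routing table before and after the extra route is added. The following is an added example written for this page; it is not code from the original message or from Qubes OS. The IP addresses, the interface names `eth0` and `vif-fw`, and the routing tables are constructed to illustrate the point; real Qubes interface names and addresses will differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                    # outgoing interface
    via: Optional[str] = None   # next hop; None for a directly attached host/subnet

def route(prefix, dev, via=None):
    return Route(ipaddress.ip_network(prefix), dev, via)

def lookup(table, dst):
    """Longest-prefix match, the way the kernel selects a route."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)

def return_path_ok(table, dst, downstream_dev):
    """Problem 1 from the reply: does a reply addressed to the AppVM actually
    get routed toward the downstream qube (sys-firewall), rather than somewhere
    else or nowhere?"""
    r = lookup(table, dst)
    return r is not None and r.dev == downstream_dev

def rp_filter_ok(table, src, in_dev):
    """Problem 2 from the reply: strict reverse path filtering
    (/proc/sys/net/ipv4/conf/all/rp_filter = 1) accepts a packet only if the
    best route back to its source address leaves via the interface the packet
    arrived on. Otherwise it looks like source-address spoofing and is dropped."""
    r = lookup(table, src)
    return r is not None and r.dev == in_dev

# Constructed sys-net table without MASQUERADE and without the extra route:
# a default route to the upstream gateway, the LAN, and a host route to
# sys-firewall (10.137.0.5, attached on vif-fw).
SYS_NET_BEFORE = [
    route("0.0.0.0/0", "eth0", via="192.168.1.1"),
    route("192.168.1.0/24", "eth0"),
    route("10.137.0.5/32", "vif-fw"),
]

APPVM = "10.137.0.20"   # constructed address of the AppVM behind sys-firewall

# Same table after the route the reply asks for, i.e. the equivalent of
#   ip route add 10.137.0.20/32 via 10.137.0.5 dev vif-fw
# run inside sys-net.
SYS_NET_AFTER = SYS_NET_BEFORE + [
    route(APPVM + "/32", "vif-fw", via="10.137.0.5"),
]

def check(table):
    """Evaluate both failure modes for traffic between the AppVM and the outside."""
    return {
        # reply packet from the internet, destined to the AppVM
        "return_route": return_path_ok(table, APPVM, "vif-fw"),
        # outgoing packet from the AppVM arriving in sys-net on vif-fw
        "rp_filter": rp_filter_ok(table, APPVM, "vif-fw"),
    }

if __name__ == "__main__":
    print("before:", check(SYS_NET_BEFORE))   # both False: default route wins
    print("after: ", check(SYS_NET_AFTER))    # both True: /32 route wins
```

Before the route exists, the longest match for 10.137.0.20 is the default route via eth0, so the reply goes the wrong way and the AppVM's outgoing packet fails the reverse path check on vif-fw. Adding the /32 route through sys-firewall fixes both at once, which is exactly why every node above the AppVM needs to know the route to it when MASQUERADE is not used.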