On Saturday, 10 February 2018 21:45:30 UTC, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Fri, Feb 09, 2018 at 04:12:57PM -0800, joev...@gmail.com wrote:
> > On Friday, 9 February 2018 19:02:09 UTC-5, Alex Dubois wrote:
> > > On Friday, 9 February 2018 23:59:52 UTC, Alex Dubois wrote:
> > > > On Friday, 9 February 2018 16:36:14 UTC, joev...@gmail.com wrote:
> > > > > Yes, thanks for pointing out the typos. They are only mistakes in this post. I use a script running in dom0 to generate pretty much everything. The same script works when debian-8 is used. The interface is different depending on the template
> > > >
> > > > I confirm I have the same issue.
> > > > Please however note that I have another PCI NIC connected to an AppVM (My qubes also act as a firewall for home network) and we have no issue connecting outbound.
> > > > Outbound connections, as you know, do not need the PRE-ROUTING rules, so although the problem is seen on the FORWARD rule, I suspect it is rather the PRE-ROUTING rule that is at fault and does not do its job.
> > > > I'll try to dig into this, however I won't have much time this week...
> > >
> > > Also, could you clarify if you've tested on FirewallVM and if here again Debian is OK and Fedora not. This might rule out issues with physical cards (which I suspect is not the problem as PRE-ROUTING does get the packet).
> >
> > Yes, if the template on sys-net is changed to Debian-8, but sys-firewall (FirewallVM) is left with fedora... sys-net does send the packet to sys-firewall, which then appears the same way... PREROUTING sees it, but FORWARD does not.
>
> An idea: Debian doesn't have nftables installed by default, so
> qubes-firewall falls back to iptables. But not on Fedora - there nftables
> is used. This applies to both sys-net and sys-firewall.
>
> A quick test:
>
> 1. List rules:
>
> nft list table ip qubes-firewall
>
> 2. Add rule accepting traffic from eth0:
>
> nft add rule ip qubes-firewall forward meta iifname eth0 accept
Shall I test and document firewall.md all using nft if it all works (there are some incompatibility warnings in the nftables wiki with iptables for nat that may need us to move fully to nft)?
I'll be happy to try (in my spare time and own pace) to submit a PR for all the qubes firewall scripts in sys-net and sys-firewall if you think it is the right way forward.
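As an added example that is not part of this thread or of the Qubes scripts it discusses: the quick test quoted above amounts to two checks, which backend the VM is using (nft when present, iptables otherwise) and whether the forward chain of the qubes-firewall table already accepts traffic arriving on eth0. The script below does both; the listings it parses are constructed samples in the shape of `nft list table ip qubes-firewall` output, not captured from a real sys-firewall, and the function names are mine.

```shell
#!/bin/sh
# Added example, not Qubes code. Detects the firewall backend the thread
# describes and checks an nft table listing for a forward-chain accept rule.

# Report which backend this VM would use: nft if the binary exists, else iptables.
fw_backend() {
    if command -v nft >/dev/null 2>&1; then
        echo nft
    else
        echo iptables
    fi
}

# Read an `nft list table ip qubes-firewall` listing on stdin and print "yes"
# if the forward chain contains an accept rule for the interface named in $1.
forward_accepts_iface() {
    awk -v ifname="$1" '
        /^[[:space:]]*chain forward/ { inchain = 1; next }   # enter the chain
        inchain && /^[[:space:]]*}/  { inchain = 0 }         # closing brace
        inchain && $0 ~ ("iifname \"?" ifname "\"?") && /accept/ { found = 1 }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed sample listing: forward chain without the eth0 rule.
SAMPLE_LISTING='table ip qubes-firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "vif+" accept
    }
}'

# Constructed sample listing after the quick-test rule from the thread
# (nft add rule ip qubes-firewall forward meta iifname eth0 accept) was added.
SAMPLE_WITH_ETH0='table ip qubes-firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "vif+" accept
        iifname "eth0" accept
    }
}'

# Wrappers so the two samples can be checked by name.
check_sample()           { printf '%s\n' "$SAMPLE_LISTING" | forward_accepts_iface eth0; }
check_sample_with_eth0() { printf '%s\n' "$SAMPLE_WITH_ETH0" | forward_accepts_iface eth0; }

# Stand-alone run: show the backend and both sample results.
echo "backend: $(fw_backend)"
echo "sample without eth0 rule: $(check_sample)"
echo "sample with eth0 rule:    $(check_sample_with_eth0)"
```

On a live sys-firewall the same check is `nft list table ip qubes-firewall | forward_accepts_iface eth0`; on a Debian-based VM `fw_backend` prints `iptables`, which is the difference the thread is pointing at.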