upgrade 3.x -> 4.x, "firewall has been modified manually - please use qvm-firewall"

[Dave C]

My question comes after restoring a backup of a 3.x appvm into a 4.x Qubes.

When I pull up the "Qube Settings" GUI, and navigate to "Firewall Rules", I see red text instructing me to please use qvm-firewall. The form is grayed out.

If I run `qvm-firewall VMNAME list`, I see the one rule that I had added via the Qubes 3.x GIU.

I prefer to use the GUI rather than `qvm-firewall`. Is there anything I can do to make Qubes think the firewall hasn't been modified manually?

(I tried deleting `/var/lib/qubes/appvms/VMNAME/firewall.xml`. That alone was not enough.)

Thanks for any help!

Since this is my first post with Qubes 4.x on a Lenovo P51, I'm attaching hcl report. The installation worked very well. And I love the changes in 4.x. Excellent work!

[Stickstoff]

Hello everyone,

On 02/03/2018 12:40 PM, Dave C wrote:
> My question comes after restoring a backup of a 3.x appvm into a 4.x
> Qubes.
>
> When I pull up the "Qube Settings" GUI, and navigate to "Firewall
> Rules", I see red text instructing me to please use qvm-firewall.
> The form is grayed out.

[..]
I have the same symptom, the firewall GUI in the Qube Manager is grayed
out now in Qubes 4 in some VMs, but not in all.
Is there a way to recover from this? Reactivate the GUI and not lose the
firewall rules? Or, if the only way, start over with a fresh GUI with no
rules?

Thank you,

Stickstoff

[Unman]

My guess is that you have set some rules in 3.2 which cannot be set in
the GUI interface in 4.0. Quite probably these are blocking DNS or ICMP.
The new GUI interface is intended only for very simple blocking rules,
as is made clear in the notes and tool tips.

The simplest way to diagnose this is to run 'qvm-firewall <qube> list'
and look to see what rules you have in place.
If you see deny rules for ICMP or DNS, it is these that are preventing
the GUI from working. You can remove them by :
'qvm-firewall <qube> del --rule-no X'
If you want to retain those blocking rules then you wont be able to use
the GUI.

A possible work around would be to stop the qube, remove the relevant
rules to re-enable the GUI, use the GUI to set up new rules, and then
reinstate the other rules. Then restart the qube.
Frankly, it's probably easier to use the command line and brush up your
firewall knowledge.

unman

[Stickstoff]

Thank you for your help!

On 07/26/2018 08:32 AM, Unman wrote:
> My guess is that you have set some rules in 3.2 which cannot be set in
> the GUI interface in 4.0. Quite probably these are blocking DNS or ICMP.

Spot on, the VM I experiment with (cloned instances) has an ICMP drop rule.

> If you see deny rules for ICMP or DNS, it is these that are preventing
> the GUI from working. You can remove them by :
> 'qvm-firewall <qube> del --rule-no X'

I deleted the rule, but the GUI still grays out.
I then deleted all rules, the GUI stayed grayed out. Restarting for good
measure, now the Qubes Manager errors out [1]. I tried this with two
VMs, same behavior. Deleting the (empty) firewallfile doesn't help neither.

> Frankly, it's probably easier to use the command line and brush up your
> firewall knowledge.

I couldn't find any info about the qvm-firewall syntax. Is it the
iptable syntax? A quick test didn't work.

Cheers,

Stickstoff



[1] IndexError: pop from empty list at line 999 of file
/usr/lib/python3.5/site-packages/qubesmanager/qube_manager.py

[Unman]

On Thu, Jul 26, 2018 at 04:48:44PM -0400, Stickstoff wrote:
> Thank you for your help!
>
> On 07/26/2018 08:32 AM, Unman wrote:
> > My guess is that you have set some rules in 3.2 which cannot be set in
> > the GUI interface in 4.0. Quite probably these are blocking DNS or ICMP.
>
> Spot on, the VM I experiment with (cloned instances) has an ICMP drop rule.
>
> > If you see deny rules for ICMP or DNS, it is these that are preventing
> > the GUI from working. You can remove them by :
> > 'qvm-firewall <qube> del --rule-no X'
>
> I deleted the rule, but the GUI still grays out.
> I then deleted all rules, the GUI stayed grayed out. Restarting for good
> measure, now the Qubes Manager errors out [1]. I tried this with two
> VMs, same behavior. Deleting the (empty) firewallfile doesn't help neither.
>
> > Frankly, it's probably easier to use the command line and brush up your
> > firewall knowledge.
>
> I couldn't find any info about the qvm-firewall syntax. Is it the
> iptable syntax? A quick test didn't work.
>
> Cheers,
>
> Stickstoff
>

I believe that just a policy allow will have the GUI functional again.

If you look at the man page there's some guidance on the syntax, but
some examples may help.

'qvm-firewall <qube> list ' shows the rules.

To delete a rule:
'qvm-firewall <qube> del --rule-no X' deletes rule X

To add a rule:
'qvm-firewall <qube> add RULE'
This wil put the rule at the bottom.
To insert it in the table at position X use:
'qvm-firewall <qube> add RULE --before X'

The rule syntax is basic:
Actions are accept/drop - On their own they allow/drop everything.
You can restrict to protocols using e.g, "accept proto=tcp", and further
restrict to ports using "accept proto=tcp dstports=443". (You can use a
range for dstports but not a list)
proto can be tcp, udp or icmp

You can restrict to a destination using "accept dsthost=IP".
And , of course, combine them all:
qvm-firewall add --before 0 accept proto=tcp dstportss=443 dsthost=185.199.111.153

hth

[Stickstoff]

On 07/26/2018 08:14 PM, Unman wrote:
> I believe that just a policy allow will have the GUI functional again.
>

> The rule syntax is basic:

Thank you again, Unman.
I couldn't get the GUI to "reset", neither with no rules or one accept
rule, but with your help I figured out the syntax to use qvm-firewall
directly.

Thank you!

Stickstoff

[markrij...@gmail.com]

Please try this procedure to reset the Firewall rules GUI in Qubes OS 4.0:

https://mark911.wordpress.com/2019/06/16/how-to-re-enable-firewall-rule-editor-gui-in-appvm-in-qubes-os-4-0/