Firewall error by adding new IP


evo

Mar 5, 2017, 3:35:07 PM3/5/17
to qubes-users
Hello!

I get an error pop-up:
"ERROR: Firewall tab: (0,'Error')"

when adding a new address.

I have already added a few addresses (about 20 or 30).
Is there any limit or something like that??

thanks!

Unman

Mar 5, 2017, 4:03:26 PM3/5/17
to evo, qubes-users
Yes:
It's documented here:
www.qubes-os.org/doc/firewall

There's also a proposal for a workaround.

evo

Mar 5, 2017, 4:12:20 PM3/5/17
to Unman, qubes-users
Oh, thanks... I thought I read the post about the firewall, but didn't see
the limit of 3 kB.

So the only way to get over 3 kB is to edit my own rules in /rw/config?
And to build my own script there, I should really understand the
whole iptables thing... puh :)

Sorry for the newbie question, but what the hell is /rw??

Unman

Mar 5, 2017, 4:22:45 PM3/5/17
to evo, qubes-users
Can you try not to top-post?

When you are running a TemplateBasedVM, most of the file system comes
from the template. This means that many changes that you make will
disappear on reboot. (E.g. changing config in /etc, installing programs,
etc.)
Some parts of the file system (/home and /usr/local) DO persist in the
qube. They are actually stored in /rw: have a look.
There is also a mechanism (bind-dirs) for making other files persistent.
You can read about it in the docs.
(You can, of course, also store files in /rw/config and use the
rc.local mechanism to change files in the root file system on boot, e.g.
adding entries to hosts files, custom iptables rules, etc.)

unman

evo

Mar 5, 2017, 4:26:28 PM3/5/17
to Unman, qubes-users
OK, so /rw is on the VM and not in dom0, understood.

Do I need a special name for the iptables rules in /rw/config?

Maybe just an example for permitting 8.8.8.8:80... I know it's the iptables
thing :)

Unman

Mar 5, 2017, 6:41:27 PM3/5/17
to evo, qubes-users
For ProxyVMs (like sys-firewall) there is a built-in mechanism you can
exploit.
Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
have already hit that 3k limit.
Edit the file /rw/config/qubes-firewall-user-script, and add the line:
iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT

chmod +x /rw/config/qubes-firewall-user-script

This script is called whenever a new qube is attached to the ProxyVM
and the relevant iptables rules are automatically rebuilt.

You can also build your own custom rulesets and store them in an
arbitrarily named file called from /rw/config/qubes-firewall-user-script,
and you can, of course, do anything you like from this file, which will
be triggered when a new qube is attached: that is, you aren't limited to
firewall manipulation.

unman
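As an added example (not code from the thread or from the Qubes project), this is the kind of qubes-firewall-user-script Unman describes, extended to read many allow rules from a separate file so the per-qube 3 kB limit stops mattering. The rules-file path /rw/config/extra-allow.txt and the chain name QBS-USER-EXTRA are assumptions; the chain sits at the top of FORWARD, which is equivalent to Unman's `-I FORWARD` but stays idempotent when the script is re-run on every qube attach.

```shell
#!/bin/sh
# Added example for /rw/config/qubes-firewall-user-script (not the thread's or
# Qubes' own code). It loads extra ACCEPT rules from a separate file so a qube's
# allow-list can grow past the 3 kB firewall-rule limit mentioned in the thread.
# Rule file format (one rule per line, '#' starts a comment):  src dst proto dport
RULES_FILE="${RULES_FILE:-/rw/config/extra-allow.txt}"   # assumed path
CHAIN="QBS-USER-EXTRA"                                     # assumed chain name

# Validate one rule and print its iptables match/target arguments, or fail.
rule_args() {
    case "$3" in tcp|udp) ;; *) return 1 ;; esac          # protocol must be tcp/udp
    case "$4" in ''|*[!0-9]*) return 1 ;; esac            # port must be numeric
    printf '%s\n' "-s $1 -d $2 -p $3 --dport $4 -j ACCEPT"
}

# Print the argument line for every valid rule in a file; report bad lines on stderr.
render_rules() {
    while read -r src dst proto dport rest; do
        case "$src" in ''|'#'*) continue ;; esac           # skip blanks and comments
        if args=$(rule_args "$src" "$dst" "$proto" "$dport"); then
            printf '%s\n' "$args"
        else
            printf 'skipping malformed rule: %s %s %s %s\n' "$src" "$dst" "$proto" "$dport" >&2
        fi
    done < "$1"
}

# Install the rules in a dedicated chain hooked at the top of FORWARD, so they
# are evaluated before the Qubes-generated rules (like Unman's -I FORWARD) and
# re-running the script when another qube attaches does not stack up duplicates.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD -j "$CHAIN"
    render_rules "$RULES_FILE" | while read -r args; do
        # shellcheck disable=SC2086  -- word splitting of validated args is intended
        iptables -A "$CHAIN" $args
    done
}

# Apply only where a rules file and iptables exist (i.e. on the ProxyVM itself).
if [ -r "$RULES_FILE" ] && command -v iptables >/dev/null 2>&1; then
    apply_rules
fi
```

Malformed lines are reported on stderr and skipped rather than aborting the script, so one typo in the rules file does not leave the ProxyVM without the rest of the allow-list.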


evo

Mar 6, 2017, 2:26:42 AM3/6/17
to Unman, qubes-users
Thanks!
So I can just write the line for one rule, without writing the whole
script for iptables.

So I can call it however I want or use the qubes-firewall-user-script
file... is it principally the same? Or does qubes-firewall-user-script
replace the whole rules I already have?

The problem I have now is... I forgot to delete the "overloaded" rule
from the VM and now I can not start it. Is there any other way to start
it, or to delete this overloaded 3 KB file? Is this file on sys-firewall
or on the VM itself?

Unman

Mar 6, 2017, 9:05:52 AM3/6/17
to evo, qubes-users
> >>> from the template. This means that many changes that you make will
> >>> disappear on reboot. (E.g changing config in /etc , installing programs
> >>> etc.)
> >>> Some parts of the file system, (/home /and /usr/local) DO persist in the
> >>> qube. They are actually stored in /rw: have a look.
> >>> There is also a mechanism (bind-dirs) for making other files persistent.
> >>> You can read about it in the docs.
> >>> (You can, of course, also store files in /rw/config and use the
> >>> rc.local mechanism to change files in the root file system on boot - e.g
> >>> adding entries to hosts files, custom iptables rules etc etc.)
> >>>
> >>> unman
> >>>
> >>
> >> ok, so the /rw is on the VM and not in the dom0, understand.
> >>
> >> do i need a special name for the iptable-rules in /rw/config?
> >>
> >> maby just a example for permiting 8.8.8.8:80 ... i know its the iptables
> >> thing :)
> >
> >
> > For proxyVMs (like sys-firewall) there is a built-in mechanism you can
> > exploit.
> > Say you want to allow traffic from 10.137.100.1 to 8.8.8.8:80, but you
> > have already hit that 3k limit.
> > Edit the file /rw/config/qubes-firewall-user-script, and add the line:
> > iptables -I FORWARD -s 10.137.100.1 -d 8.8.8.8 -p tcp --dport 80 -j ACCEPT
> >
> > chmod +x /rw/config/qubes-firewall-user-script
> >
> > This script is called whenever a new qube is attached to the proxyVM
> > and the relevant iptables rules are automatically rebuilt.
> >
> > You can also build your own custom rulesets and store them in an
> > arbitrarily named file called from /rw/config/qubes-firewall-user-script,
> > and you can, of course, do anything you like from this file, which will
> > be triggered when a new qube is attached: that is, you arent limited to
> > firewall manipulation.
> >
> > unman
> >
> >
>
> thanks!
> so i can just write the line for one rule, without writing the whole
> script for iptables.

Yes - the rest of the rules will be taken from the entries you have
configured in the manager for that qube.

>
> so i can call it however i want or use the qubes-firewall-user-script
> file... is it principally the same? or does qubes-firewall-user-script
> replace the whole rules i already have?

qubes-firewall-user-script is just a script that is called after the
usual Qubes firewall service process, which reads the rules set per
attached qube and instantiates them on the ProxyVM.
A significant difference is that a rule you set in
qubes-firewall-user-script will be set every time that script is called,
whereas one set in the manager (or in qvm-firewall) will only be applied
when the relevant qube is attached.
It doesn't replace the other rules unless you explicitly ask it to do so;
you could do this if you wanted. Since it's just a script you can do
anything you like in there, as I've said. This would include setting
rules depending on what qubes were attached (e.g. if qube A and qube B are
BOTH attached to the ProxyVM, open up inbound access to qube A).

>
> the problem i have now is... i forgot to delete the "overloaded" rule
> from the VM and now i can not start it. is there any other way to start
> it, or to delete this overloaded 3k-file? is this file on sys-firewall
> or on the VM itself?

Just delete the rules from the manager interface or look at qvm-firewall
(in dom0). The help there is pretty good.

evo

Mar 6, 2017, 12:30:46 PM3/6/17
to Unman, qubes-users
Hmmm... I can not delete it from the manager interface, because I can not
start the VM (because of the overloaded 3 KB limit of the firewall).

qvm-firewall seems to be a great thing!
With qvm-firewall -n "VM-name" list I can see the entries I made.
And with qvm-firewall "VM-name" -d "rule-number" I can delete the one rule I
made over the 3 KB limit.

So now I can just make the other rules in the qubes-firewall-user-script.

Very well!! Thank you for the great help!!