Cross-posting here for visibility:
Original thread: https://groups.google.com/g/qubes-users/c/6e8oyr5GdXk
On Friday, 21 August 2020 at 16:58:48 UTC+8 54th Parallel wrote:
I’m having the same issue with disposable firewalls built on debian-10-minimal, with the minimum amount of packages, on brand-spanking-new installations (plural) being unreliable firewalls. They sometimes function but not all the time–and this is what’s scary, because there’s no way of knowing without manually checking all the time. The warning prompts when editing firewall rules aren’t useful indicators since they always appear regardless of whether filtering is happening.
I ran systemctl in both and found that qubes-firewall.service is not running in either, despite having manually activated them. I’m not a technical person, but this seems like a pretty critical issue to me (unreliable firewall with no indicator)–a warning about using minimal debian as templates for firewalls should be put up somewhere highly visible.
This unreliability has been bugging me for a while and I’ve been testing and testing (to the best of my abilities) before realizing that this is almost certainly not a user issue, so Sven, the OP, probably either ran into the issue again, didn’t know about his deactivated firewalls, or didn’t report the issue.
After some more probing around, I think I’ve found the issue, and that what I wrote earlier contains inaccuracies. The unreliable firewall might not be a debian-10-minimal issue, though the warning prompt that appears whenever editing firewall rules in a connected VM is.
My setup has two firewalls–one behind sys-net and another behind a VPN VM. Though the two firewalls are clones of one another, the sys-net firewall works (responds to rules set in appVMs) and the proxyVM firewall doesn’t. This is what caused me to think that deb-10-min firewalls in general are unreliable–some things are connected to the net-firewall (sometimes) and most are connected to the VPN-firewall. This makes it look like the firewalls work sometimes.
I have two laptops running Qubes with the same setup. Of the four firewalls, all with qubes-firewall explicitly enabled, only one actually has the qubes-firewall.service show up after typing ‘systemctl | grep firewall’ [so unlike what I said earlier, not even the working net-firewall is consistent, so this might not be a positioning issue]. Each of these firewalls was created in a fresh but updated installation of 4.0.3 with the absolute minimum number of packages (qubes-core-agent-passwordless-root (so I can configure the sudo prompt), qubes-core-agent-networking, apparmor*) and the typical settings, along with qubes-vm-hardening (vm-boot-protect enabled).
Any insight into this would be greatly appreciated since this is a massive headache for me.
Starting qubes-firewall.service manually in a VPN-firewall via ‘sudo systemctl start qubes-firewall’ leads to ‘qubes-firewall.service loaded failed failed’ being displayed in systemctl. On the other laptop, both firewalls had ‘loaded active active’ after doing the same.
Update 2: The VPN-firewall actually starts up qubes-firewall, which quickly turns from ‘loaded active active’ to ‘loaded failed failed’ (in less than 1 min).
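A check script added here as an illustration; it is not from the original thread or from the Qubes project. Run from dom0, it asks each named firewall qube for the real state of qubes-firewall.service, so the ‘loaded failed failed’ case described above is reported instead of having to be discovered by opening a terminal in every firewall. The qube names passed to check_vms, and the assumption that each qube is running and accepts ‘qvm-run -p --user root’, are about the reader's setup, not facts stated in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): report whether
# qubes-firewall.service is actually active in each firewall/proxy qube.

# Classify the output of
#   systemctl show -p ActiveState,SubState,Result qubes-firewall.service
# (three key=value lines passed as one string) into a short verdict.
classify_state() {
  active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
  result=$(printf '%s\n' "$1" | sed -n 's/^Result=//p')
  case "$active" in
    active) echo "OK" ;;
    failed) echo "FAILED (Result=${result:-unknown})" ;;
    inactive|activating|deactivating) echo "NOT RUNNING ($active)" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# Ask one qube for the unit state. Assumption: run from dom0, the qube is
# running, and qvm-run -p (pass stdio) with --user root is allowed.
query_vm() {
  qvm-run -p --user root "$1" \
    'systemctl show -p ActiveState,SubState,Result qubes-firewall.service' \
    2>/dev/null
}

# Check every qube named on the command line; exit non-zero if any is not OK.
check_vms() {
  rc=0
  for vm in "$@"; do
    if ! out=$(query_vm "$vm"); then
      echo "$vm: could not query (qube not running or qvm-run denied)"
      rc=1
      continue
    fi
    status=$(classify_state "$out")
    echo "$vm: $status"
    case "$status" in
      OK) ;;
      *) rc=1 ;;
    esac
  done
  return $rc
}

# Usage from dom0 (qube names are hypothetical), e.g. from a cron job:
#   check_vms sys-firewall sys-vpn-firewall
```

When a qube reports FAILED, ‘journalctl -u qubes-firewall’ inside that qube shows why the unit exited; the warning prompt in the VM settings dialog does not reflect this state, as the post notes, so the check has to be made against the qube itself.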