Firewall troubleshooting in Qubes 4.2

I am trying to set up a second sys-net behind sys-firewall, as shown below:

sys-net-2 --> sys-firewall --> sys-net --> Internet

I am not able to reach the internet from sys-net-2. Running the ping www.duck.com command from sys-net-2 along with tcpdump shows that sys-firewall is returning a response to eth0, but the response is not sent to the application. Below is the tcpdump output from sys-net-2.

 eth0  Out IP 10.137.0.11.51727 > 10.139.1.1.domain: 576+ A? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.51727 > 10.139.1.1.domain: 63325+ AAAA? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.40421 > 10.139.1.1.domain: 10107+ PTR? 1.1.139.10.in-addr.arpa. (41)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.40421: 10107 ServFail 0/0/0 (41)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.51727: 576 2/0/0 CNAME duck.com., A 40.89.244.232 (60)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.51727: 63325 1/1/0 CNAME duck.com. (109)
 eth0  Out IP 10.137.0.11.59122 > 10.139.1.2.domain: 576+ A? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.59122 > 10.139.1.2.domain: 63325+ AAAA? www.duck.com. (30)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.59122: 576 2/0/0 CNAME duck.com., A 40.89.244.232 (60)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.59122: 63325 1/1/0 CNAME duck.com. (109)
 eth0  Out IP 10.137.0.11.53663 > 10.139.1.2.domain: 10107+ PTR? 1.1.139.10.in-addr.arpa. (41)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.53663: 10107 ServFail 0/0/0 (41)

Below is the output of the ping command:

$ ping www.duck.com
ping: www.duck.com: Temporary failure in name resolution

I have a multipart question:

  1. Is this an nftables firewall issue? I see ServFail in the tcpdump output and am not sure whether it has anything to do with the ping not working.

  2. How do I access the nftables logs? The Qubes docs state that the firewall logs can be accessed using the command journalctl -u qubes-firewall.service, but those seem to be for the Qubes firewall service and not for nftables.

How to access nftables logs?

https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic

Enable this in sys-net-2, sys-firewall, and sys-net.
Hope it helps.

For anyone interested, the cause is using ethernet.cloned-mac-address=stable in sys-net-2. sys-firewall sends packets to sys-net-2 with <mac address 1>, but sys-net-2 has eth0 on a different MAC address. Hence sys-net-2 assumes the packet is destined for another machine.

This is evident from the tcpdump output in the original post: the second column shows P, which means the packets are destined for another machine. It should be In. I removed ethernet.cloned-mac-address=stable from sys-net-2 and it works.
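The diagnosis above can be checked mechanically. The second column in that tcpdump output is the Linux packet type that tcpdump's cooked-capture (SLL2) printer shows: "In" is a frame addressed to the capturing interface's own MAC, "Out" is one this host sent, and "P" is LINUX_SLL_OTHERHOST, a frame whose destination MAC belongs to someone else. The kernel's IP input path drops otherhost frames before any netfilter hook runs, which is why nftables logging in sys-net-2 would never have shown them and why the resolver reported a failure even though the answers were on the wire. The script below is an added example, not code from the thread: it parses the DNS lines exactly as pasted in the original post (copied here as the sample), pairs each query with its reply by client port and transaction id, and reports whether the replies were delivered ("In") or addressed to another MAC ("P"). The regex, function names and verdict strings are my own.

```python
import re
from dataclasses import dataclass

# Meaning of the packet-type column printed by tcpdump's SLL2 printer.
# "P" is LINUX_SLL_OTHERHOST: the frame's destination MAC is not the capturing
# interface's, so ip_rcv() drops it before the nftables prerouting hook.
PKTTYPE = {
    "In": "unicast to this interface's MAC",
    "Out": "transmitted by this host",
    "B": "broadcast",
    "M": "multicast",
    "P": "addressed to another host's MAC (dropped by the IP stack)",
}

# Matches the DNS lines from the post, e.g.
#  eth0  P   IP 10.139.1.1.domain > 10.137.0.11.40421: 10107 ServFail 0/0/0 (41)
LINE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ptype>In|Out|B|M|P)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+):\s+"
    r"(?P<txid>\d+)(?P<plus>\+?)\s+(?P<body>.*)$"
)


@dataclass
class DnsPacket:
    iface: str
    ptype: str
    src: str
    sport: str
    dst: str
    dport: str
    txid: int
    is_query: bool
    body: str


def parse_line(line):
    """Parse one tcpdump DNS line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return DnsPacket(
        iface=m["iface"], ptype=m["ptype"],
        src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
        txid=int(m["txid"]),
        is_query=(m["plus"] == "+"),  # tcpdump marks RD queries with '+'
        body=m["body"],
    )


def correlate(lines):
    """Pair each query with its reply by (client addr, client port, txid).

    Transaction ids repeat across resolvers in the sample, so the client
    port is part of the key. Returns (query, reply_or_None) in query order.
    """
    pairs = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.is_query:
            pairs.append([pkt, None])
            continue
        for pair in pairs:
            q = pair[0]
            if pair[1] is None and (q.src, q.sport, q.txid) == (pkt.dst, pkt.dport, pkt.txid):
                pair[1] = pkt
                break
    return [tuple(p) for p in pairs]


def diagnose(pairs):
    """Explain why answers can be on the wire yet never reach the socket."""
    replies = [r for _, r in pairs if r is not None]
    if not replies:
        return "no replies on the wire: look upstream (sys-firewall / sys-net)"
    types = {r.ptype for r in replies}
    if types == {"P"}:
        return ("all replies are marked P (LINUX_SLL_OTHERHOST): the upstream "
                "qube sends them to a MAC that is not eth0's, so the kernel "
                "drops them before nftables or the resolver see them; "
                "check cloned-mac-address")
    if types == {"In"}:
        return "replies are delivered to the IP stack (In): the drop is above L2"
    return "mixed packet types on replies: " + ", ".join(sorted(types))


# Sample: the tcpdump lines from the original post, copied verbatim.
SAMPLE = """\
 eth0  Out IP 10.137.0.11.51727 > 10.139.1.1.domain: 576+ A? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.51727 > 10.139.1.1.domain: 63325+ AAAA? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.40421 > 10.139.1.1.domain: 10107+ PTR? 1.1.139.10.in-addr.arpa. (41)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.40421: 10107 ServFail 0/0/0 (41)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.51727: 576 2/0/0 CNAME duck.com., A 40.89.244.232 (60)
 eth0  P   IP 10.139.1.1.domain > 10.137.0.11.51727: 63325 1/1/0 CNAME duck.com. (109)
 eth0  Out IP 10.137.0.11.59122 > 10.139.1.2.domain: 576+ A? www.duck.com. (30)
 eth0  Out IP 10.137.0.11.59122 > 10.139.1.2.domain: 63325+ AAAA? www.duck.com. (30)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.59122: 576 2/0/0 CNAME duck.com., A 40.89.244.232 (60)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.59122: 63325 1/1/0 CNAME duck.com. (109)
 eth0  Out IP 10.137.0.11.53663 > 10.139.1.2.domain: 10107+ PTR? 1.1.139.10.in-addr.arpa. (41)
 eth0  P   IP 10.139.1.2.domain > 10.137.0.11.53663: 10107 ServFail 0/0/0 (41)
"""


def run_sample():
    return diagnose(correlate(SAMPLE.splitlines()))


if __name__ == "__main__":
    for q, r in correlate(SAMPLE.splitlines()):
        print(f"{q.txid:>6} {q.body:<42} reply={'none' if r is None else r.ptype}")
    print(run_sample())
```

The ServFail on the PTR lookups is a red herring for the original question: those replies are marked P like all the others, and a resolver that never receives a reply reports "Temporary failure in name resolution" regardless of the reply's contents. Run the script against a live capture with `tcpdump -i any -n port 53` (the `-i any` form is what gives the In/Out/P column) to tell an L2 addressing problem apart from an nftables drop before adding log rules.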