Firewall

Hello. I tried to follow these instructions (Firewall | Qubes OS), but I was defeated. I have a service running in dest-vm on port 1111. I need it to be available in untrust-vm on localhost:2222. untrust-vm is not connected to the network, so its netvm is (none). Do you have any ideas on how to do this?

You need to write a qubes-rpc policy; this is exactly how templates can download packages while having no netvm.

I did it according to these instructions (Firewall | Qubes OS), and I get this error when trying to connect:

Request refused
2024/03/20 12:24:51 socat E waitpid(): child 2868 exited with status 126

What’s wrong?

The “Request refused” part would mean that the policy is incorrect or doesn’t allow the qube to use the qrexec service qubes.ConnectTCP.


I thank you for your reply, but how to solve the problem? Is the official instruction not up-to-date?

You should probably post what you did in dom0 and inside both qubes so it can be checked and corrected.

dom0, /etc/qubes/policy.d/30-user-networking.policy:
qubes.ConnectTCP * untrust-vm @default allow target=dest-vm
[user@untrust-vm #]$ qvm-connect-tcp 2222:@default:1111
Binding TCP '@default:1111' to 'localhost:2222'...

Everything is the same as in the instructions. It’s hard to make a mistake with copy-paste.

Is the target qube name in the policy correct? If so, it should work. Can you reach the service within the qube that is running it?


Problem solved. Initially, according to the instructions, I made the desired filename.policy and specified another.policy, and for some reason it doesn’t want to work that way. I changed it to the same as in the instructions and everything worked. But I have another problem: VNC is running on dest-vm and remmina from untrust-vm easily connects to the VNC server. But I want to connect to VNC through a browser and use a noVNC server. I can go to the connection page, but I can’t connect to VNC: “failed to connect to server”. What did I miss? Does it require other ports?
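Since the root cause here was a policy file that did not contain the rule the user thought it did, a quick way to see which file in the policy directory actually grants qubes.ConnectTCP to a given source qube is useful. The following POSIX shell check is an added example, not code from the thread or from Qubes OS; it assumes the Qubes 4.1+ policy line format (service argument source destination action [params]), matches only an exact qube name or @anyvm as source, and the directory and qube names in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the first policy rule that decides
# qubes.ConnectTCP for a source qube, in the order the loader reads the files
# (lexical filename order), and print the file plus the action and target.
# Assumptions: Qubes 4.1+ policy format; only exact qube names and @anyvm are
# matched as source (tags like @tag:... are not handled by this helper).

# Usage: connecttcp_rule <policy_dir> <source_qube> [<destination>]
# <destination> defaults to @default, which is what
# "qvm-connect-tcp 2222:@default:1111" asks for.
connecttcp_rule() {
    dir=$1; src=$2; dst=${3:-@default}
    for f in "$dir"/*.policy; do
        [ -f "$f" ] || continue
        # Drop comments, then take the first rule whose service is
        # qubes.ConnectTCP, whose source is this qube (or @anyvm) and whose
        # destination is the requested one (or @anyvm). The first rule found
        # wins, as in the real policy evaluation.
        rule=$(sed 's/#.*//' "$f" | awk -v src="$src" -v dst="$dst" '
            $1 == "qubes.ConnectTCP" && ($3 == src || $3 == "@anyvm") \
                && ($4 == dst || $4 == "@anyvm") {
                extra = ""
                for (i = 6; i <= NF; i++)      # keep a target=... parameter
                    if ($i ~ /^target=/) extra = " " $i
                print $5 extra; exit
            }')
        if [ -n "$rule" ]; then
            printf '%s: %s\n' "$f" "$rule"
            return 0
        fi
    done
    echo "no rule for qubes.ConnectTCP from $src to $dst in $dir" >&2
    return 1
}

# Demo on a constructed policy directory containing the rule from this thread.
demo_dir=$(mktemp -d)
printf 'qubes.ConnectTCP * untrust-vm @default allow target=dest-vm\n' \
    > "$demo_dir/30-user-networking.policy"
connecttcp_rule "$demo_dir" untrust-vm
rm -rf "$demo_dir"
```

Run it in dom0 as `connecttcp_rule /etc/qubes/policy.d untrust-vm` to see whether an earlier file (a default deny, or a stray rule in the wrong file) is shadowing the rule you added.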

If remmina works and the browser does not, that would mean the problem is somewhere else, since you can access it outside the browser.


I can access the novnc start page from the browser, which means that there is a connection. But the connection to the vnc server does not go further. What exactly do you think could be the reason?

Where exactly is the novnc server? It must point to the VNC server and port, so make sure it does. I’ve been able to get it to work with 2 qubes right now with novnc_server --vnc 127.0.0.1:5091 (check your port with sudo ss -lntp).


The standard port is 5901. I’ve tried running noVNC on both dest-vm and untrust-vm. In both cases, I gave access to the ports (qvm-connect-tcp 5901:@default:5901 and qvm-connect-tcp 6080:@default:6080). Only remmina connects to 5901, and through the browser on 6080 you can only get the noVNC start page; the connection does not go further.

I don’t know if this matters, but take a look at the JavaScript console, there are some hints, like this:

Firefox can’t establish a connection to the server at ws://host:6080/websockify.

I understand ws://host:080 is something that is not available in untrust-vm.
However, this happens even when noVNC is running on untrust-vm…

Here’s my setup with 2 qubes, client and server:

  • client with novnc

    • started with novnc_server --vnc 127.0.0.1:5901 (default port is 5900 based on the doc, so I override it)
    • execute qvm-connect-tcp 5901:@default:5901
    • open firefox on 127.0.0.1:6080
    • click on connect and put password set on tigervnc
    • connected and can see the remote session
  • server with tigervnc

    • started with vncserver
    • session port is 5901

If this doesn’t work for you, something is wrong with novnc on the client side or something is not set correctly on the vnc server side.


I did exactly the same thing, but the magic ends at the moment of “connecting”. When trying to connect “failed to connect to server”

Make sure you have the correct ports. If it can’t connect, it could be because the port is wrong or the vnc server is blocking the client (check your vnc server logs in $HOME/.vnc/).


2024-03-20 21:39:42.311 qrexec-fork-server[59766]: qrexec-agent-data.c:293:handle_new_process_common: executed: QUBESRPC whonix.SdwdateStatus+ sys-whonix (pid 59768)
2024-03-20 21:39:42.348 qrexec-fork-server[59766]: qrexec-agent-data.c:324:handle_new_process_common: pid 59768 exited with 0

...every time I click “connect” on the noVNC page.

Can you tell what your two qubes are based on? I see whonix there, so I’m not sure.


dest-vm is whonix-ws, and untrust-vm is debian.