No wired internet (I219-LM) on new install

As stated here:

The firewall rules for each qube are saved in an XML file in that qube’s directory in dom0:

/var/lib/qubes/appvms/<vm-name>/firewall.xml

You can check your VM rules in dom0:
qvm-firewall sys-firewall list
ICMP and DNS are accepted by default and can’t be blocked in the GUI, but they can be blocked with the qvm-firewall tool.
Test the rules with curl rather than ping, since ICMP is accepted.

What do you have in /etc/resolv.conf in sys-firewall?
When you ping IP in sys-firewall it works fine but when you ping domain (ping google.com) then what error do you get? Temporary failure in name resolution?

/etc/resolv.conf:
nameserver 10.139.1.1
nameserver 10.139.1.2

sys-firewall ping google.com “No such name or service”.
sys-firewall ping 8.8.8.8 is OK.

Create new qube with the same template as sys-firewall and same “Net qube” (is it sys-net?) and set “Provides network” option for it. Then check if it’ll have the same problem with ping.

I left that as a final measure (if it works at all), as I want to understand why it doesn’t work now.

Still can’t find a solution though.

I’d suggest you test it to see whether the problem remains or not. If there’s no problem in the new qube, then search for a difference between these two qubes.

Another laptop with I219-lm:

Thanks.

I reviewed that post and checked.

For me it is set. I have the device, and the internet shows as connected.

I guess it is some setting, still trying to figure it out.

I can access https://1.1.1.1. But not cloudflare.com.

So is it DNS problem?

Yes, it’s a problem with DNS.
What template do you use for sys-net/sys-firewall?
If it’s old fedora-35 template then maybe it’s this bug:

But it should be fixed in latest fedora-35 template.

It is the default fedora 34 with the 4.1 iso on the Qubes site.

I don’t know why DNS doesn’t work in sys-firewall but works in sys-net. You must have changed something in the fedora-34 template or in sys-firewall, but I don’t know what you have changed.
You can try to test if the problem is in template by creating new qube and checking if DNS will work there.

Removing */443 from firewall settings on sys-firewall fixes it.

Why?

Isn’t that the place to put the additional firewall rules for all connected VMs, instead of one by one from their settings?

DNS works for me if I just add TCP */443 allow rule:

$ qvm-firewall sys-firewall2
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  -     tcp       443      -               -          -       -
1   accept  -     -         -        dns             -          -       -
2   accept  -     icmp      -        -               -          -       -
3   drop    -     -         -        -               -          -       -

Maybe you’ve changed something for your qube. Like configured DNS over TLS or something like this.

I don’t do things I’m not familiar with. I haven’t.

It’s very peculiar.

I’d suggest adding iptables -j LOG rules in sys-firewall and sys-net to see where the connections are going.

When I use:

sudo nft list table qubes-firewall

in sys-net I see 443 accept for the connected sys-firewall (old version with the */443 setting), with only the addition of ICMP accept.

New clear version of sys-firewall (which is the default with nothing in firewall rules in settings) has only “accept”, which I guess is accept all 53/443/etc.

In sys-firewall though, the same command shows me the connected “untrusted” appvm with the same 2 rules but with 2 additional:

ip daddr { two ips } tcp dport 53 accept
ip daddr { two ips } udp dport 53 accept

Is yours the same?

Does that mean that applying the */443 rule in the sys-firewall settings obliterates the two port 53 rules, which may cause the problem, and if yes, why? The documentation says ICMP and DNS are always set?

I have sys-firewall and sys-firewall2 both connected to sys-net.
sys-firewall with default firewall rules (accept all).
sys-firewall2 with accepted TCP */443.

In sys-net I have these rules:
for sys-firewall

	chain qbs-10-138-26-x {
		accept
		reject with icmp type admin-prohibited
	}

for sys-firewall2

	chain qbs-10-137-0-y {
		tcp dport 443 accept
		ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
		ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
		ip protocol icmp accept
		reject with icmp type admin-prohibited
		reject with icmp type admin-prohibited
	}

Where 192.168.xx.1 and 192.168.yy.1 are nameserver IPs from sys-net /etc/resolv.conf.

Maybe you’ve somehow deleted from sys-firewall the firewall rule accepting DNS with qvm-firewall from dom0?
Or removed the dns rules for sys-firewall from sys-net with nft.
Do you have DNS accepted for sys-firewall in dom0?
qvm-firewall sys-firewall
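The comparison above (a default "accept all" chain versus a chain with only "tcp dport 443 accept" plus the generated port 53 rules) is easy to check by hand once, but tedious to repeat across several qubes. The following POSIX sh script is an added example, not code from the thread or from Qubes OS: it parses a `nft list table ip qubes-firewall` dump, extracts each per-qube `qbs-*` chain, and reports whether that chain either accepts everything or carries both the TCP and UDP dport 53 accept rules. The table text is constructed here to mirror the chains shown in the thread (the chain names and 192.168.xx.1 / 192.168.yy.1 resolver placeholders are taken from the post; the third chain, with the DNS rules missing, is an assumed example of the broken state being discussed). On a real sys-net you would feed it the live dump, e.g. `report "$(sudo nft list table ip qubes-firewall)"`.

```shell
#!/bin/sh
# Added example: check Qubes per-qube nftables chains for DNS accept rules.
# Not part of the thread or of Qubes OS; table text below is constructed.

# chain_of TABLE_TEXT CHAIN_NAME -> prints the lines of that chain, including
# the "chain <name> {" header and its closing "}".
chain_of() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "chain" && $2 == name { inside = 1 }
        inside { print }
        inside && $1 == "}" { exit }'
}

# has_dns_rules CHAIN_TEXT -> true if both tcp and udp dport 53 accept rules
# (the ones Qubes generates for the upstream resolvers) are present.
has_dns_rules() {
    printf '%s\n' "$1" | grep -q 'tcp dport 53 accept' &&
    printf '%s\n' "$1" | grep -q 'udp dport 53 accept'
}

# accepts_all CHAIN_TEXT -> true if the chain has a bare "accept" rule, which is
# what a qube with the default (empty) firewall settings gets.
accepts_all() {
    printf '%s\n' "$1" | grep -qx '[[:space:]]*accept'
}

# dns_ok CHAIN_TEXT -> prints "ok" when DNS can pass this chain, else "missing".
dns_ok() {
    if accepts_all "$1" || has_dns_rules "$1"; then
        echo ok
    else
        echo missing
    fi
}

# report TABLE_TEXT -> one line per qbs-* chain: "<chain-name> ok|missing"
report() {
    for name in $(printf '%s\n' "$1" | awk '$1 == "chain" && $2 ~ /^qbs-/ { print $2 }'); do
        printf '%s %s\n' "$name" "$(dns_ok "$(chain_of "$1" "$name")")"
    done
}

# Constructed sample dump in the shape of `nft list table ip qubes-firewall`.
# The first two chains mirror the thread; the third is an assumed broken case
# where the generated port 53 rules are absent.
TABLE='table ip qubes-firewall {
    chain qbs-10-138-26-x {
        accept
        reject with icmp type admin-prohibited
    }
    chain qbs-10-137-0-y {
        tcp dport 443 accept
        ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
        ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
        ip protocol icmp accept
        reject with icmp type admin-prohibited
    }
    chain qbs-10-137-0-z {
        tcp dport 443 accept
        ip protocol icmp accept
        reject with icmp type admin-prohibited
    }
}'

report "$TABLE"
```

A chain reported as "missing" is one where a connected qube can still reach 1.1.1.1 over TCP/443 but cannot resolve names, which matches the symptom described in this thread; the matching check on the dom0 side is `qvm-firewall <vm-name>` showing (or not showing) the `dns` special-target row.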

I haven’t deleted anything. There is a history in the terminal.

Mine looked like that: { 10.139.1.1-10.139.1.2 }.

Interestingly qvm-firewall sys-firewall shows me the dns present + icmp + 443, for the old configuration, it’s like yours. But it wasn’t shown in the sys-net nft table? In addition ss -atpu in sys-firewall shows port 53 there.

What fixed it (strange it didn’t work the first time I tried) is to apply */53/UDP in the settings in addition to */443. Now the internet is working. The qvm-firewall sys-firewall output shows dns+icmp+53+443.

Could be a bug, removing the wi-fi device, or the PCI problem I had during install. Don’t know.