The firewall rules for each qube are saved in an XML file in that qube’s directory in dom0:
/var/lib/qubes/appvms/<vm-name>/firewall.xml
You can check your VM rules in dom0: qvm-firewall sys-firewall list
ICMP and DNS are accepted by default and can’t be blocked in the GUI, but they can be blocked with the qvm-firewall tool.
Try to test the rules with curl since ping is accepted.
What do you have in /etc/resolv.conf in sys-firewall?
When you ping an IP in sys-firewall it works fine, but when you ping a domain (ping google.com), what error do you get? Temporary failure in name resolution?
Create a new qube with the same template as sys-firewall and the same “Net qube” (is it sys-net?) and set the “Provides network” option for it. Then check if it has the same problem with ping.
I’d suggest you test it to see whether the problem remains or not. If there is no problem in the new qube, then search for a difference between these two qubes.
I don’t know why DNS doesn’t work in sys-firewall but works in sys-net. You must have changed something in the fedora-34 template or in sys-firewall, but I don’t know what you have changed.
You can try to test whether the problem is in the template by creating a new qube and checking if DNS works there.
In sys-net I see 443 accept for the connected sys-firewall (old version with settings */443), with only the addition of ICMP accept.
The new clean version of sys-firewall (which is the default, with nothing in the firewall rules in settings) has only “accept”, which I guess is accept all 53/443/etc.
In sys-firewall though, the same command shows me the connected “untrusted” appvm with the same 2 rules but with 2 additional:
ip daddr { two ips } tcp dport 53 accept
ip daddr { two ips } udp dport 53 accept
Is yours the same?
Does that mean that applying the */443 rule in the sys-firewall settings obliterates the two 53 rules, which may cause the problem, and if yes, why? The documentation says that ICMP and DNS are always set?
I have sys-firewall and sys-firewall2 both connected to sys-net.
sys-firewall with default firewall rules (accept all).
sys-firewall2 with accepted TCP */443.
In sys-net I have these rules:
For sys-firewall:
chain qbs-10-138-26-x {
accept
reject with icmp type admin-prohibited
}
For sys-firewall2:
chain qbs-10-137-0-y {
tcp dport 443 accept
ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
ip protocol icmp accept
reject with icmp type admin-prohibited
reject with icmp type admin-prohibited
}
Where 192.168.xx.1 and 192.168.yy.1 are nameserver IPs from sys-net /etc/resolv.conf.
Maybe you’ve somehow deleted the firewall rule accepting DNS from sys-firewall with qvm-firewall in dom0?
Or removed the DNS rules for sys-firewall from sys-net with nft.
Do you have DNS accepted for sys-firewall in dom0? qvm-firewall sys-firewall
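An added check, not from this thread: a small audit of a per-qube nft chain in the format of the sys-net listings above, verifying that the tcp/53, udp/53 and ICMP accept rules are present before the reject. The chain text is constructed sample data, not a live listing.

```shell
#!/bin/sh
# Added example, not from the thread: audit a per-qube nft chain, in the
# format of the sys-net listings above, for the DNS and ICMP accept rules
# that Qubes adds automatically. Chain text below is constructed sample data.

# Constructed sample: like the sys-firewall2 chain above, but the two
# dport 53 lines are missing, which is the situation the thread describes.
CHAIN_NO_DNS='chain qbs-10-137-0-y {
tcp dport 443 accept
ip protocol icmp accept
reject with icmp type admin-prohibited
}'

# Constructed sample: the healthy chain, DNS and ICMP accepted before reject.
CHAIN_OK='chain qbs-10-137-0-y {
tcp dport 443 accept
ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
ip protocol icmp accept
reject with icmp type admin-prohibited
}'

# audit_chain CHAIN_TEXT
# Prints which expected accept rules are missing and returns 1 if any are;
# returns 0 when tcp/53, udp/53 and icmp are all accepted before the reject.
audit_chain() {
    # Only rules above the first reject are ever evaluated, so an accept
    # placed after it is dropped from consideration here as well.
    reachable=$(printf '%s\n' "$1" | sed '/^[[:space:]]*reject /,$d')
    missing=""
    printf '%s\n' "$reachable" | grep -q 'tcp dport 53 accept' || missing="$missing tcp/53"
    printf '%s\n' "$reachable" | grep -q 'udp dport 53 accept' || missing="$missing udp/53"
    printf '%s\n' "$reachable" | grep -q 'ip protocol icmp accept' || missing="$missing icmp"
    if [ -n "$missing" ]; then
        echo "missing accept rules:$missing"
        return 1
    fi
    echo "DNS and ICMP accept rules present"
}

# Stand-alone run over both samples (hypothetical real use: on sys-net, pass
# the output of 'sudo nft list ruleset' filtered down to the qube's qbs- chain).
audit_chain "$CHAIN_OK"
audit_chain "$CHAIN_NO_DNS" || true
```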
I haven’t deleted anything. There is a history in the terminal.
Mine looked like that: { 10.139.1.1-10.139.1.2 }.
Interestingly, qvm-firewall sys-firewall shows me the DNS present + ICMP + 443 for the old configuration; it’s like yours. But it wasn’t shown in the sys-net nft table? In addition, ss -atpu in sys-firewall shows port 53 there.
What fixed it (strange it didn’t work the first time I tried) is to apply */53/UDP in the settings in addition to */443. Now the internet is working. qvm-firewall sys-firewall shows DNS + ICMP + 53 + 443.
Could be a bug, removing the Wi-Fi device, or the PCI problem I had during install. Don’t know.