No wired internet (I219-LM) on new install

Removing */443 from firewall settings on sys-firewall fixes it.

Why?

Isn’t that the place to put the additional firewall rules for all connected VMs, instead of 1 by 1 from their settings?

DNS works for me if I just add TCP */443 allow rule:

$ qvm-firewall sys-firewall2
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  -     tcp       443      -               -          -       -
1   accept  -     -         -        dns             -          -       -
2   accept  -     icmp      -        -               -          -       -
3   drop    -     -         -        -               -          -       -

Maybe you’ve changed something for your qube. Like configured DNS over TLS or something like this.

I don’t do things I’m not familiar with. I haven’t.

It’s very peculiar.

I’d suggest adding iptables -j LOG rules in sys-firewall and sys-net to see where the connections are going.

When I use:

sudo nft list table qubes-firewall

in sys-net I see 443 accept for the connected sys-firewall (old version with settings */443) to it, with only the addition of ICMP accept.

New clear version of sys-firewall (which is the default with nothing in firewall rules in settings) has only “accept”, which I guess is accept all 53/443/etc.

In sys-firewall though, the same command shows me the connected “untrusted” appvm with the same 2 rules but with 2 additional:

ip daddr { two ips } tcp dport 53 accept
ip daddr { two ips } udp dport 53 accept

Is yours the same?

Does that mean that applying the */443 rule in the sys-firewall settings obliterates the two 53 rules, which may bring the problem, and if yes, why? In the documentation it says that icmp and dns are always set?

I have sys-firewall and sys-firewall2 both connected to sys-net.
sys-firewall with default firewall rules (accept all).
sys-firewall2 with accepted TCP */443.

In sys-net I have these rules:
for sys-firewall

	chain qbs-10-138-26-x {
		accept
		reject with icmp type admin-prohibited
	}

for sys-firewall2

	chain qbs-10-137-0-y {
		tcp dport 443 accept
		ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
		ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
		ip protocol icmp accept
		reject with icmp type admin-prohibited
		reject with icmp type admin-prohibited
	}

Where 192.168.xx.1 and 192.168.yy.1 are nameserver IPs from sys-net /etc/resolv.conf.

Maybe you’ve somehow deleted from sys-firewall the firewall rule accepting DNS with qvm-firewall from dom0?
Or removed the dns rules for sys-firewall from sys-net with nft.
Do you have DNS accepted for sys-firewall in dom0?
qvm-firewall sys-firewall
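As an added check (not from any post in this thread), a small script that parses the per-qube chains of an `nft list table qubes-firewall` dump like the one above and reports, for each chain, whether resolver traffic on port 53 is still accepted before the final reject. The sample dump is constructed from the two chains shown above, with the nameserver addresses kept redacted as on the page.

```python
import re
# Constructed sample modelled on the nft dump quoted in this thread (nameserver IPs kept redacted as on the page).
SAMPLE_NFT = """\
    chain qbs-10-138-26-x {
        accept
        reject with icmp type admin-prohibited
    }
    chain qbs-10-137-0-y {
        tcp dport 443 accept
        ip daddr { 192.168.xx.1, 192.168.yy.1 } tcp dport 53 accept
        ip daddr { 192.168.xx.1, 192.168.yy.1 } udp dport 53 accept
        ip protocol icmp accept
        reject with icmp type admin-prohibited
    }
"""
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
DNS_RE = re.compile(r"\b(tcp|udp) dport 53 accept\b")

def parse_chains(nft_text):
    # Map each per-qube chain name (qbs-<ip>) to its rule lines, in order.
    chains, current = {}, None
    for line in nft_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None:
            rule = line.strip()
            if rule == "}":
                current = None
            elif rule:
                chains[current].append(rule)
    return chains

def dns_status(rules):
    # Walk the chain in order like nft: a bare accept passes everything, reject/drop ends the walk.
    protos = set()
    for rule in rules:
        if rule == "accept":
            return "accept-all"
        if rule.startswith(("reject", "drop")):
            break
        m = DNS_RE.search(rule)
        if m:
            protos.add(m.group(1))
    if {"tcp", "udp"} <= protos:
        return "dns-ok"
    return "dns-partial" if protos else "dns-blocked"

def audit(nft_text=SAMPLE_NFT):
    return {name: dns_status(rules) for name, rules in parse_chains(nft_text).items()}
```

A chain that reports `dns-blocked` matches the symptom in this thread: the 443 rule is present but the qube behind it cannot resolve names.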

I haven’t deleted anything. There is a history in the terminal.

Mine looked like that: { 10.139.1.1-10.139.1.2 }.

Interestingly, qvm-firewall sys-firewall shows me the dns present + icmp + 443 for the old configuration; it’s like yours. But it wasn’t shown in the sys-net nft table? In addition ss -atpu in sys-firewall shows port 53 there.

What fixed it (strange it didn’t work the first time I tried) is to apply */53/UDP in the settings in addition to */443. Now the internet is working. The qvm-firewall sys-firewall shows dns+icmp+53+443.

Could be a bug, removing the wi-fi device, or the PCI problem I had during install. Don’t know.