Qubes firewall filters packets which shouldn't be

Hi there,

I’m having an issue with the Qubes firewall, no idea why. I’m on R4.1.0 and the connection of my appVM is not working properly.

Brief description
I limited access with the Qubes Firewall GUI to some entries. When I added some more, the appVM would stop having networking access. With the exceptions set, but allowing all outgoing connections, I would have access blocked anyway.


I was using the Firewall GUI to add some restrictions to a new appVM. When I reached a certain number of exceptions to which traffic could go, things would go wrong.
I added a new last exception. At first I noticed the VM had no connection anymore, so I turned the “Allow full access” on, and it wouldn’t go anyway. So I removed the last exception, and everything was back to normal.

I tried with a new exception to another address. It seemed to work at first, but on adding again, the problems came back. I tested and noticed that DNS and ICMP would not work either. Pings would report “Packet filtered”, which made no sense, as with the firewall GUI, ICMP and DNS are not supposed to be blocked. In fact, checking the rules from dom0, I would get:

0   accept   oneaddress.tld   -   -   -   -   -   -
19   accept   twoaddress.tld   -   -   -   -   -   -
20   accept   threeaddress.tld   -   -   -   -   -   -
21   accept   -   -   -   dns   -   -   -
22   accept   -   icmp   -   -   -   -   -
23   drop   -   -   -   -   -   -   -

Setting the Firewall GUI to allow all connections still blocks all access including ICMP filtering. I have to manually remove all entries in the firewall GUI and set allow all outgoing in order for the networking to work again normally.

I checked with: sudo journalctl -u qubes-firewall.service and all it says is:

-- Boot hexacode --
Mar 26 22:18:40 *TemplateVM* systemd[1]: Condition check resulted in Qubes firewall updater being skipped.
-- Boot hexacode --
Mar 29 15:30:46 *AppVM* systemd[1]: Condition check resulted in Qubes firewall updater being skipped.

Does anyone have any idea how to troubleshoot it? All help is appreciated.
Thank you in advance.