Qubes-firewall-user-script fails to execute on appVM startup

ephile · September 19, 2023, 7:56pm

I tried implementing a DNS hijacking script in /rw/config/qubes-firewall-user-script on a standalone Mullvad VPN vm, but the script fails to execute whenever I start the vm. I’m not sure why it’s not executing, but seems like there should be an easy fix.

If I execute the script manually from the CLI it modifies the firewall as expected and everything works fine. I tried chown to see if user or root made a difference, but no effect. I ran chmod +x on the file and it has the same permissions as /rw/config/rc.local which executes normally. The qubes-firewall service is enabled.

It’s not really relevant, since the code works fine from the command line, but the hijacking script is found on this page.

I’d appreciate any suggestions on what to try next.

Bearillo · September 19, 2023, 8:27pm

This may be a bug related to:

github.com/QubesOS/qubes-issues

qubes-firewall-user-script not called when AppVM connects

opened 11:33PM - 17 Sep 23 UTC

closed 01:29PM - 18 Sep 23 UTC

UndeadDevel

T: bug R: duplicate P: default

### Qubes OS release 4.1.2 ### Brief summary I followed the guide at [this …page](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/http-proxy.md) to set up a proxyVM, but encountered multiple issues, the most severe one of which is that qubes-firewall-user-script does not get called when an AppVM connects to the proxy VM, which prevents the proxy from updating and thus blocks all connections. ### Steps to reproduce Follow steps in guide, choosing the option of setting up a separate proxyVM, and set up one AppVM for the proxy. It will not be able to connect to whitelisted sites until the python script is manually executed in the proxyVM (if following the guide then that means `sudo /rw/config/tinyproxy/proxyctl.py` from a terminal in the proxyVM or even `qvm-run -u root proxyVM "/rw/config/qubes-firewall-user-script"` from dom0 will make it work). ### Expected behavior qubes-firewall-user-script is called when an AppVM connects to the proxyVM ### Actual behavior qubes-firewall-user-script is called when the proxyVM boots, but not when the AppVM connects. ### Additional issues It's unclear what I'm supposed to be doing with the qubes-firewall service. The qubes-firewall-user-script says I should activate in the AppVM, but it's unclear if that refers to the proxyVM or the one connecting; this is also not mentioned in the guide. I tried all combinations (both, none, only in connecting VM, only in proxyVM) but that does not fix the issue. Also, that guide seems to be pretty old and needs to be updated. The config file has outdated entries at lines 16-19. The python script uses Python 1, which is not installed anymore in the debian-12 template by default, so it should be updated to Python 3 (I don't really know Python, but I still managed to do it with about a dozen changes, though someone who knows the language should do it properly). ### Related issues Note that this is supposed to have been fixed in #3260.

ephile · September 19, 2023, 9:04pm

Looks like it’s a regression and we’ll have to wait for the bug fix. Since /rw/config/rc.local executes I implemented the following hack and it’s working now:

root@standaloneVM:~# echo “/rw/config/qubes-firewall-user/script” >> /rw/config/rc.local