[qubes-users] recreate firewall qube

Hi,

in case I messed up my firewall qube:

  1. What’s the best way to re-create it with default settings?
  2. Seven months ago the saltstack states for sys-* were updated to support disposable sys-*:
     a) Is this part of v4.0.4?
     b) How could I use it if it's part of v4.0.4?

Thanks in advance! P.

With salt? `qubesctl state.apply qvm.sys-firewall` should do it.

But sys-firewall is just a qube with networking enabled, "provides-network" set to True and
memory 500.

The states for disposable sys-* are in master, not in the 4.0 branch, so
not part of 4.0.4. No reason why you couldn't try backporting it into a
4.0


Ok, maybe there's another issue. Currently I'm not able to expose a port to the outside world (outside my Qubes box), which was working half a year ago but now doesn't.
I've tried these scripts to do it:
- [Contribution] qvm-portfwd-iptables · Issue #5693 · QubesOS/qubes-issues · GitHub
  (Qubes-os port forwarding to allow external connections · GitHub)
- [Contribution] qvm-expose-port · Issue #4028 · QubesOS/qubes-issues · GitHub
  (GitHub - niccokunzmann/qvm-expose-port: Expose a qubes vm port to the public interfaces of the sys-net vm.)
- Forwards a specified port to a specified VM, auto-detecting its NetVM chain. (Qubes OS) · GitHub

In my vm-to-be-exposed I used, besides the service I actually want to expose, the following:
- python3 -m http.server
- netcat -lv port

Connections from my local network to this AppVM using the IP of my Qubes NetVM all fail with a timeout. If I try to connect from my Qubes box to a simple Ubuntu machine with an exposed port, it works.

That's why my hypothesis was that I messed up my firewall qube.

Any ideas how I could tackle the problem?

Have you read https://www.qubes-os.org/doc/firewall ?
What templates are you using for sys-net and sys-firewall?

Start at sys-net - you should have a rule directing inbound traffic to
<port> to sys-firewall.
Open a terminal in sys-net, and observe the counters in PREROUTING and
FORWARD.
Attempt to make a connection - the counters should increment.

Do the same in sys-firewall.
Again, when you try to make a connection, you should see the counters
increment.

Do the same in the target qube. Here you should see the counter
increment in the filter chain.

Stepping down the network chain like this will help you identify where
your problem lies.
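The chain walk above, turned into a small script. This is an added example, not code from the thread, from the linked port-forwarding scripts, or from Qubes OS. Everything concrete in it is an assumption: the upstream interface is eth0 in every qube, the service is tcp/8000 (the `python3 -m http.server` default), sys-net's external address is 192.0.2.10, sys-firewall is 10.137.0.6 and the target qube is 10.137.0.20. The rule shapes follow the pattern the Qubes 4.0 firewall doc uses for port forwarding; the insert positions (FORWARD 2, INPUT 5) assume a stock chain layout, so confirm them with `iptables -L FORWARD --line-numbers` in each qube before applying anything. The sample counter listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Qubes OS). Assumptions: eth0 is the
# upstream interface in every qube; sys-net = 192.0.2.10, sys-firewall =
# 10.137.0.6, target qube = 10.137.0.20; service is tcp/8000. Insert
# positions FORWARD 2 / INPUT 5 assume a stock chain layout.

# Print, without applying, the rules one hop needs. A forwarding hop DNATs
# the port to the next qube and accepts the new connection on FORWARD; the
# last hop (where the service runs) only accepts it on INPUT.
fwd_rules() {
    hop=$1; iface=$2; my_ip=$3; next_ip=$4; port=$5
    if [ -n "$next_ip" ]; then
        echo "# $hop: DNAT tcp/$port to $next_ip and allow it through FORWARD"
        echo "iptables -t nat -I PREROUTING -i $iface -p tcp --dport $port -d $my_ip -j DNAT --to-destination $next_ip"
        echo "iptables -I FORWARD 2 -i $iface -d $next_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    else
        echo "# $hop: accept tcp/$port on INPUT (service runs here)"
        echo "iptables -I INPUT 5 -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

# Sum the packet counter (first column) of every rule in an
# `iptables -vnxL` listing on stdin whose match text contains "dpt:PORT".
pkts_for_port() {
    awk -v port="$1" '$0 ~ ("dpt:" port "( |$)") { sum += $1 } END { print sum + 0 }'
}

# Packets counted by the port's rules between two snapshots of the same
# chains. A delta of zero after a connection attempt means the traffic never
# reached this hop, or matched none of its rules: the fault is upstream of
# this qube or in this qube's own rules.
counter_delta() {
    port=$1; before=$2; after=$3
    b=$(printf '%s\n' "$before" | pkts_for_port "$port")
    a=$(printf '%s\n' "$after" | pkts_for_port "$port")
    echo $((a - b))
}

# Live snapshot of the chains that matter at one hop. Needs root inside the
# qube, which is why it only runs with --live.
snapshot() {
    iptables -t nat -vnxL PREROUTING
    iptables -vnxL FORWARD
    iptables -vnxL INPUT
}

# Constructed sample in `iptables -vnxL` format: sys-net's chains before and
# after two connection attempts. Each attempt is counted once by the DNAT
# rule and once by the FORWARD rule, so the expected delta is 4.
BEFORE='Chain PREROUTING (policy ACCEPT 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3       180 DNAT       tcp  --  eth0   *       0.0.0.0/0            192.0.2.10           tcp dpt:8000 to:10.137.0.6
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     900     61200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       3       180 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:8000 ctstate NEW'
AFTER='Chain PREROUTING (policy ACCEPT 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5       300 DNAT       tcp  --  eth0   *       0.0.0.0/0            192.0.2.10           tcp dpt:8000 to:10.137.0.6
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     904     61472 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       5       300 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:8000 ctstate NEW'

if [ "${1:-}" = "--live" ]; then
    # Real walk inside one qube: snapshot, make the connection attempt from
    # the LAN, snapshot again, and see whether this hop counted anything.
    before=$(snapshot)
    echo "Now attempt the connection, then press Enter"; read -r _
    after=$(snapshot)
    echo "packets matching tcp/8000 at this hop: $(counter_delta 8000 "$before" "$after")"
else
    fwd_rules sys-net      eth0 192.0.2.10  10.137.0.6  8000
    fwd_rules sys-firewall eth0 10.137.0.6  10.137.0.20 8000
    fwd_rules target-qube  eth0 10.137.0.20 ""          8000
    echo "sample delta at sys-net: $(counter_delta 8000 "$BEFORE" "$AFTER")"
fi
```

Run it once per qube with `--live` as root, starting in sys-net as the reply suggests: the first hop whose delta stays at zero after a LAN connection attempt is where the forwarding breaks. Without arguments it just prints the three rule sets and the delta for the constructed sample.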

Thanks, these hints helped to find the reason: sleep/suspend somehow messes up sys-net. After restarting it, everything worked. Any idea which service I could restart instead of restarting the whole sys-net? A messed-up wifi adapter I could "repair" with `service wpa_supplicant restart`. But iptables forward rules created by
- [Contribution] qvm-portfwd-iptables · Issue #5693 · QubesOS/qubes-issues · GitHub
   (Qubes-os port forwarding to allow external connections · GitHub)
only work after a sys-net restart.

I'm not familiar with that script but you **should** be able to rerun it
without harm.
(It should have been written to allow you to do this.)