Re: [qubes-users] ftp'ing to a computer on my LAN from an AppVM that is using a VPN proxyVM?

Yes - you need to adjust the firewall rules on the vpn qube to direct
(ftp) traffic from the source ip to the local network - you could make
this *highly* specific by specifying the destination in the new rule.

What method are you using to set up the vpn?

Is there a way to ftp to another computer on my LAN from an appvm that is
using a proxyvm?

I am able to ftp to other computers when I set this appvm to just use the
default firewall, but sometimes I forget to set it back to use a vpn vm; but
if I have the appvm using the vpn/proxy vm then I am unable to reach any of
the other computers on my LAN?

Please advise

> Yes - you need to adjust the firewall rules on the vpn qube to direct
> (ftp) traffic from the source ip to the local network - you could make
> this *highly* specific by specifying the destination in the new rule.

pardon my ignorance but how would I do that? I know it would be in settings -> firewall settings but after that it gets a bit fuzzy?

> What method are you using to set up the vpn?

I used the new community vpn setup

> > > Is there a way to ftp to another computer on my LAN from an appvm that is
> > > using a proxyvm?
> > >
> > > I am able to ftp to other computers when I set this appvm to just use the
> > > default firewall, but sometimes I forget to set it back to use a vpn vm; but
> > > if I have the appvm using the vpn/proxy vm then I am unable to reach any of
> > > the other computers on my LAN?
> > >
> > > Please advise
> > >
> >
> > Yes - you need to adjust the firewall rules on the vpn qube to direct
> > (ftp) traffic from the source ip to the local network - you could make
> > this *highly* specific by specifying the destination in the new rule.
>
> pardon my ignorance but how would I do that? I know it would be in settings
> -> firewall settings but after that it gets a bit fuzzy?

Well, you can't do it there, because you need to adjust the firewall
rules implemented ON the vpn qube.

> > What method are you using to set up the vpn?
> >
>
> I used the new community vpn setup

Right - but there are 2 methods outlined on that github page (if that's what
you mean by community vpn) - 3 if you include "vpn on sys-net". Did you
follow the "iptables and CLI scripts" section?

There's an added issue that you will have to consider and that is the
nature of FTP connections - when a client connects to a server, the
server may create a link back to a port specified in the original
connection: this is non-passive(active) ftp. If your FTP server does
this then you will have to enable a route through to the client qube.

The client may instead send a PASV command - then the server *may* send
back a listening port number, and the client will create a link to that
port.

So there are 4 possibilities, and the firewall rules you need will
depend on what are the capabilities of the server. Best check on that.

Thanks unman,
I used the Qubes OS contributed package "qubes tunnel".
I am not sure about my server, is there a "standard" way to check that? (the server is running unraid, which is/was based on slackware so am hoping there might be a way to check that would work on most distros?).

For the iptables and cli scripts part, would that still apply to using the "qubes tunnel" setup option?