I noticed sys-firewall is now disposable by default, which means everything is gone after reboot. I need to add some NAT rules for my pihole qube to redirect DNS traffic to pihole.
I studied the documentation here, Firewall | Qubes OS, but it seems it does not reflect the recent change of sys-firewall to a dispvm, as it recommends writing the rules to /rw/config/qubes-firewall-user-script or /rw/config/rc.local. Both of these files are lost after reboot.
So far I ended up with an easy script which I added to the desktop and execute after a notebook reboot. My pihole qube is Debian 11 with IP 10.137.0.64.
Script pihole.sh on dom0:
qvm-run --pass-io sys-firewall -- 'echo "iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -t nat -F PR-QBS
iptables -t nat -I PR-QBS -i vif+ -p udp ! -s 10.137.0.64 --dport 53 -j DNAT --to-destination 10.137.0.64
iptables -t nat -I PR-QBS -i vif+ -p tcp ! -s 10.137.0.64 --dport 53 -j DNAT --to-destination 10.137.0.64" | sudo tee /rw/config/qubes-firewall-user-script; sudo /rw/config/qubes-firewall-user-script'
And it works, but I wanted to know if there is a better way to achieve this.
Thank you for help.
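The same dom0 approach as in the post, written as an added example (not the poster's script): the pihole IP becomes a parameter, the rule file is built with a heredoc instead of a one-line echo so quoting cannot go wrong, and the resulting PR-QBS chain is printed back so a wrong IP is visible immediately. It assumes dom0 with a sys-firewall qube and that the pihole qube's IP is passed as the first argument; the chmod step is an assumption in case the file is not already executable.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# Assumes: run in dom0; $1 = pihole IP (e.g. 10.137.0.64); $2 = firewall qube
# (defaults to sys-firewall).
set -eu

# Emit the body of /rw/config/qubes-firewall-user-script for a given pihole IP.
render_rules() {
    local pihole_ip="$1"
    cat <<EOF
#!/bin/sh
# Allow forwarded DNS, then redirect DNS from every other qube to pihole.
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -t nat -F PR-QBS
iptables -t nat -I PR-QBS -i vif+ -p udp ! -s ${pihole_ip} --dport 53 -j DNAT --to-destination ${pihole_ip}
iptables -t nat -I PR-QBS -i vif+ -p tcp ! -s ${pihole_ip} --dport 53 -j DNAT --to-destination ${pihole_ip}
EOF
}

# Push the rendered script into the firewall qube over --pass-io, run it,
# then list the PR-QBS chain so the applied DNAT targets can be checked.
apply_rules() {
    local pihole_ip="$1" fw="${2:-sys-firewall}"
    render_rules "$pihole_ip" | qvm-run --pass-io "$fw" -- \
        'sudo tee /rw/config/qubes-firewall-user-script >/dev/null \
         && sudo chmod 755 /rw/config/qubes-firewall-user-script \
         && sudo /rw/config/qubes-firewall-user-script'
    qvm-run --pass-io "$fw" -- 'sudo iptables -t nat -S PR-QBS'
}

# Usage: pihole.sh <pihole-ip> [firewall-qube]
if [ -n "${1:-}" ]; then apply_rules "$@"; fi
```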