qubes_firewall_user_script is not executed at boot #1944

Closed
lorenzog opened this Issue May 3, 2016 · 2 comments

lorenzog commented May 3, 2016

Qubes OS version (e.g., R3.1):

3.1

Affected TemplateVMs (e.g., fedora-23, if applicable):

fedora-23
debian-8


Expected behavior:

IPTABLES rules in /rw/config/qubes_firewall_user_script should persist across reboots

Actual behavior:

IPTABLES rules are not loaded from /rw/config/qubes_firewall_user_script

Steps to reproduce the behavior:

Place rules in /rw/config/qubes_firewall_user_script, e.g.:

iptables -I INPUT 2 -p icmp -j ACCEPT

Make the script executable (chmod +x ....)

Reboot the VM.

Verify the rules are not loaded.

General notes:

A solution consists in adding this line to /rw/config/rc.local so that rc.local executes the firewall script automatically (don't forget to make rc.local executable)

/rw/config/qubes-firewall-user-script


Related issues:

Relevant labels:

Member

marmarek commented May 4, 2016

This script is called only in ProxyVM (https://www.qubes-os.org/doc/config-files/). Is it the case?

lorenzog commented May 5, 2016

Ah, fair enough. I was expecting it to be executed in AppVMs too; I needed an NFS share to be mounted between an HVM and an AppVM so I needed to open a few ports on the AppVM's own firewall.

I was following this: https://www.qubes-os.org/doc/qubes-firewall/ and I thought I could apply the same reasoning to all VMs. To be honest I just found this https://www.qubes-os.org/doc/config-files/ which does mention proxy VMs, so never mind :)

@lorenzog lorenzog closed this May 5, 2016
