Disabling qubes-network and qubes-firewall services does not work on Debian based templates #3453

Closed
qjoo opened this Issue Jan 13, 2018 · 2 comments

qjoo commented Jan 13, 2018

Qubes OS version:

R3.2

Affected TemplateVMs:

Debian 9

Steps to reproduce the behavior:

  • create a Debian based proxyVM
  • disable the services:
      qvm-service proxyvm1 -d qubes-network
      qvm-service proxyvm1 -d qubes-firewall
  • start the proxyvm1 and inspect iptables ruleset

Expected behavior:

/proc/sys/net/ipv4/ip_forward should be 0
iptables rules should be empty.

Actual behavior:

/proc/sys/net/ipv4/ip_forward is 1
iptables rules are present (as if qubes-network and qubes-firewall were not disabled)

This (disabling services) works as expected on Fedora 25 and 26 templates.
I stumbled on this problem when migrating from Fedora to Debian templates.

Mailing list post:
https://groups.google.com/forum/#!msg/qubes-users/jz_Z85WeY4Y/3VwY2az-BAAJ

Member

unman commented Feb 6, 2018

As I pointed out, this arises even for non proxy qubes. I don't see a difference between iptables for Fedora and Debian - both have the FORWARD chain set. But Debian has /etc/sysctl.d/80_qubes.conf setting /proc/sys/net/ipv4/ip_forward to 1.
This file is provided by qubes-core-agent.

Member

unman commented Feb 6, 2018

@qjoo Can you check again to see if the Fedora FORWARD chain is empty in iptables? It doesn't seem to be for me with the service disabled.
I'm content to leave it in any case, if forwarding itself is disabled, as it should be. Would you agree?
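
An added check, not part of the original thread and not Qubes project code: a shell sketch that lists which sysctl.d files set net.ipv4.ip_forward and shows the live kernel value, to confirm inside a VM the behaviour described in the comments above. The directory list and function names are assumptions; the page does not show the actual content of 80_qubes.conf.

```shell
#!/bin/sh
# Added example: find which sysctl config files set net.ipv4.ip_forward.
# Directory list is an assumption covering the usual sysctl.d locations.

SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d"

# Print "file<TAB>value" for every *.conf under the given directories that
# sets net.ipv4.ip_forward (dotted or slash key form; comments ignored).
ip_forward_settings() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[ \t]*[#;]/ { next }              # skip comment lines
                {
                    line = $0
                    sub(/^[ \t]*-?/, "", line)      # leading "-" = ignore errors
                    n = index(line, "=")
                    if (n == 0) next
                    key = substr(line, 1, n - 1)
                    val = substr(line, n + 1)
                    gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
                    gsub(/\//, ".", key)            # net/ipv4/ip_forward form
                    if (key == "net.ipv4.ip_forward") printf "%s\t%s\n", file, val
                }' "$f"
        done
    done
}

# Succeed (exit 0) if any config file in the given directories enables forwarding.
config_enables_forwarding() {
    ip_forward_settings "$@" | awk -F '\t' '$2 == "1" { found = 1 } END { exit !found }'
}

# Report the config files and the live kernel value for the running VM.
audit_ip_forward() {
    ip_forward_settings $SYSCTL_DIRS
    printf 'runtime\t%s\n' "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"
}

# Run the audit only when asked, e.g.: sh check_ip_forward.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_ip_forward; fi
```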
