qubes-firewall-user-script is only executed in sys-net and sys-firewall #4134

Closed
gasull opened this Issue Jul 24, 2018 · 2 comments


gasull commented Jul 24, 2018

Qubes OS version:

Qubes release 4.0 (R4.0)

Affected component(s):


Steps to reproduce the behavior:

  • Create a new qube.
  • In the new qube, edit /rw/config/qubes-firewall-user-script and add the following line:
    echo hi | systemd-cat -t qubes-firewall
  • Shutdown the qube in the Qube Manager.
  • Open the terminal for the qube and enter this command:
    journalctl -t qubes-firewall

Expected behavior:

The output of journalctl -t qubes-firewall should be this:

-- Logs begin at (...)
Jul 24 01:28:06 my-new-qube qubes-firewall[871]: hi

Or maybe /rw/config/qubes-firewall-user-script shouldn't confusingly exist in the TemplateVMs if there is a reason why we don't execute it.

Actual behavior:

The output of journalctl -t qubes-firewall is this:

-- No entries --

General notes:

I tried with iptables commands, but I wanted to prove the commands are not ignored for some reason, but they are not even executed.

sys-net and sys-firewall do execute /rw/config/qubes-firewall-user-script, but the other qubes do not. This is true for both Fedora and Debian templates.


Related issues:

Member

marmarek commented Jul 24, 2018

This is expected behavior, see https://www.qubes-os.org/doc/config-files/
Specifically, you can enable qubes-firewall service (even in template, but that wouldn't make sense). Note that qubes-firewall service is about guarding traffic from connected VMs, so if this VM doesn't provide network to any other, there is no need for qubes-firewall service (which matches default configuration).
In non-network-providing VMs you can use /rw/config/rc.local for your own firewall rules; there are no dynamic firewall updates, so nothing will override them.
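
The rc.local route described in this reply, as an added example that is not part of the issue or of Qubes OS itself: it picks the hook that will actually run (qubes-firewall-user-script only where the qubes-firewall service is enabled, rc.local otherwise), generates a static outbound ruleset as reviewable text, and logs a marker under the same journal tag used in the report. It assumes iptables is present in the template, that enabled Qubes services appear as files under /var/run/qubes-service/, and a constructed resolver address of 10.139.1.1.

```shell
#!/bin/sh
# Added example for an /rw/config/rc.local in a qube that provides no network to
# other qubes (where qubes-firewall-user-script never runs). Not Qubes OS code.
# Assumptions: iptables is available in the template, enabled Qubes services are
# exposed as files under /var/run/qubes-service/, and Qubes runs rc.local by path.

SERVICE_DIR="${QUBES_SERVICE_DIR:-/var/run/qubes-service}"

# Which /rw/config hook will actually execute in this qube? Only qubes with the
# qubes-firewall service enabled (NetVM/ProxyVM) run qubes-firewall-user-script.
firewall_hook_for() {
    if [ -e "$1/qubes-firewall" ]; then
        echo /rw/config/qubes-firewall-user-script
    else
        echo /rw/config/rc.local
    fi
}

# Emit the iptables commands for a restrictive outbound policy: keep established
# flows, allow DNS only to the qube's resolver, allow HTTPS, log and drop the rest.
# Plain text output, so the ruleset can be reviewed without root.
build_rules() {
    dns="$1"
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $dns -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "rc.local-drop: "
EOF
}

# Apply the rules (rc.local runs as root at boot) and leave a journal marker that
# the same "journalctl -t qubes-firewall" check from the report will show.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || return 1
    build_rules "$1" | sh -e
    echo "rc.local firewall rules applied" | systemd-cat -t qubes-firewall
}

# Only act when executed as /rw/config/rc.local itself, not when sourced elsewhere.
case "$0" in
    */rc.local)
        [ "$(firewall_hook_for "$SERVICE_DIR")" = /rw/config/rc.local ] || exit 0
        apply_rules 10.139.1.1   # constructed resolver address; see /etc/resolv.conf
        ;;
esac
```

Running `build_rules 10.139.1.1` by hand and reading the output is the cheap check before trusting the rules to be applied at boot.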

@marmarek marmarek closed this Jul 24, 2018

@andrewdavidwong andrewdavidwong added notanissue and removed bug labels Jul 24, 2018

Member

andrewdavidwong commented Jul 24, 2018

> Or maybe /rw/config/qubes-firewall-user-script shouldn't confusingly exist in the TemplateVMs if there is a reason why we don't execute it.

I guess they have to exist in TemplateVMs so that they can exist in the ProxyVMs based on those TemplateVMs.
