qubes-firewall-user-script not called when AppVM connects #8521

@UndeadDevel

Qubes OS release

4.1.2

Brief summary

I followed the guide at this page to set up a proxyVM, but encountered multiple issues, the most severe one of which is that qubes-firewall-user-script does not get called when an AppVM connects to the proxy VM, which prevents the proxy from updating and thus blocks all connections.

Steps to reproduce

Follow steps in guide, choosing the option of setting up a separate proxyVM, and set up one AppVM for the proxy.
It will not be able to connect to whitelisted sites until the python script is manually executed in the proxyVM (if following the guide then that means sudo /rw/config/tinyproxy/proxyctl.py from a terminal in the proxyVM or even qvm-run -u root proxyVM "/rw/config/qubes-firewall-user-script" from dom0 will make it work).

Expected behavior

qubes-firewall-user-script is called when an AppVM connects to the proxyVM

Actual behavior

qubes-firewall-user-script is called when the proxyVM boots, but not when the AppVM connects.

Additional issues

It's unclear what I'm supposed to be doing with the qubes-firewall service. The qubes-firewall-user-script says I should activate in the AppVM, but it's unclear if that refers to the proxyVM or the one connecting; this is also not mentioned in the guide. I tried all combinations (both, none, only in connecting VM, only in proxyVM) but that does not fix the issue.

Also, that guide seems to be pretty old and needs to be updated. The config file has outdated entries at lines 16-19. The python script uses Python 1, which is not installed anymore in the debian-12 template by default, so it should be updated to Python 3 (I don't really know Python, but I still managed to do it with about a dozen changes, though someone who knows the language should do it properly).

Related issues

Note that this is supposed to have been fixed in #3260.

Labels

P: default (Priority: default. Default priority for new issues, to be replaced given sufficient information.)
R: duplicate (Resolution: Another issue exists that is very similar to or subsumes this one.)
