On 5/14/21 4:08 PM, unman wrote:
> On Fri, May 14, 2021 at 03:55:50PM +0100, [email protected] wrote:
>>
>>> With salt? `qubesctl state.apply qvm.sys-firewall` should do it.
>>>
>>> But sys-firewall is just a qube with networking enabled, "provides-network"
>>> set to True and memory 500.
>>>
>>
>> Ok, maybe there's another issue. Currently I'm not able to expose a port to
>> the outside world (outside my qubes box), which was working 1/2 year ago but
>> now it doesn't. I've tried these scripts to do it:
>> - https://github.com/QubesOS/qubes-issues/issues/5693
>>   (https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248)
>> - https://github.com/QubesOS/qubes-issues/issues/4028
>>   (https://github.com/niccokunzmann/qvm-expose-port)
>> - https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369
>>
>> In my vm-to-be-exposed I used, besides the service I actually want to expose,
>> the following:
>> - python3 -m http.server
>> - netcat -lv port
>>
>> Connections in my local network to this AppVM using the IP of my qubes-NetVM
>> all fail with a timeout. If I'm trying to connect from my qubes box to a
>> simple ubuntu with an exposed port, it works.
>>
>> That's why my hypothesis was that I messed up my firewall qube.
>>
>> Any ideas how I could tackle the problem?
>>
>
> Have you read https://www.qubes-os.org/doc/firewall ?
> What templates are you using for sys-net and sys-firewall?
>
> Start at sys-net - you should have a rule directing inbound traffic to
> <port> to sys-firewall.
> Open a terminal in sys-net, and observe the counters in PREROUTING and
> FORWARD.
> Attempt to make a connection - the counters should increment.
>
> Do the same in sys-firewall.
> Again, when you try to make a connection, you should see the counters
> increment.
>
> Do the same in the target qube. Here you should see the counter
> increment in the filter chain.
>
> Stepping down the network chain like this will help you identify where
> your problem lies.
Thanks, these hints helped to find the reason: sleep/suspend somehow messes up
sys-net. After restarting it, everything worked.

Any idea which service I could restart instead of restarting the whole sys-net?
The messed-up wifi adapter I could "repair" with `service wpa_supplicant restart`.
But the iptables forward rules created by
- https://github.com/QubesOS/qubes-issues/issues/5693
  (https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248)
only work after a sys-net restart.

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/68d9fba3-75a8-a264-42b4-e7f0f70d980a%40gmx.de.
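The counter walk unman describes (sys-net PREROUTING/FORWARD, then sys-firewall, then the target qube's filter chain) can be scripted so that one run shows exactly which hop stops incrementing, which is also how you would confirm that sys-net is the hop that breaks after suspend. The script below is an added example, not code from this thread or from Qubes OS. It assumes it is run from dom0 of a Qubes 4.0-era system where the forwarding rules are iptables (as in the fepitre gist), that `qvm-run` accepts `--pass-io` and `--user`, and that the qube names and port passed on the command line are yours; the sample iptables listing embedded in it is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): automate unman's
# advice by snapshotting the iptables counters in sys-net, sys-firewall and
# the target qube, pausing for a connection attempt, then reporting which
# counters moved.  Assumptions: run from dom0, iptables-based rules,
# qvm-run with --pass-io/--user, qube names and port supplied by the caller.

# Sum the packet counter (first column of `iptables -vnx -L`) over the rules
# in a listing whose destination port is PORT.  The regex requires a
# non-digit after the port so that 80 does not also match dpt:8080.
sum_pkts() {  # usage: sum_pkts PORT < listing
    awk -v port="$1" '
        /^Chain/ || /^[[:space:]]*pkts/ { next }   # skip chain/column headers
        $0 ~ ("dpt:" port "([^0-9]|$)") { sum += $1 }
        END { printf "%d\n", sum + 0 }'
}

# One-word verdict for a counter before and after the connection attempt.
verdict() {  # usage: verdict BEFORE AFTER
    if [ "$2" -gt "$1" ]; then echo incremented; else echo unchanged; fi
}

# The chains unman says to watch, as table:chain pairs.  PREROUTING holds
# the DNAT rule, FORWARD the pass-through, INPUT the final filter hop.
CHAINS="nat:PREROUTING filter:FORWARD filter:INPUT"

# Fetch one chain listing from a qube (needs root inside the qube).
dump_chain() {  # usage: dump_chain QUBE TABLE CHAIN
    qvm-run --pass-io --user root "$1" "iptables -t $2 -vnx -L $3"
}

# Walk sys-net -> sys-firewall -> target: snapshot, pause for the attempt,
# snapshot again, print a verdict per qube and chain.  The first qube whose
# counters stay "unchanged" is where the traffic is being lost.
walk_chain() {  # usage: walk_chain PORT QUBE...
    port="$1"; shift
    tmp=$(mktemp -d)
    for q in "$@"; do
        for tc in $CHAINS; do
            dump_chain "$q" "${tc%%:*}" "${tc#*:}" > "$tmp/$q.${tc#*:}.before"
        done
    done
    printf 'Attempt a connection to port %s from the LAN now, then press Enter: ' "$port" >&2
    read -r _
    for q in "$@"; do
        for tc in $CHAINS; do
            c="${tc#*:}"
            dump_chain "$q" "${tc%%:*}" "$c" > "$tmp/$q.$c.after"
            b=$(sum_pkts "$port" < "$tmp/$q.$c.before")
            a=$(sum_pkts "$port" < "$tmp/$q.$c.after")
            printf '%-14s %-10s %-11s (%s -> %s)\n' "$q" "$c" "$(verdict "$b" "$a")" "$b" "$a"
        done
    done
    rm -rf "$tmp"
}

# Constructed sample listing (not captured from a real system) so the parser
# can be exercised without a Qubes box: `sh walk_chain.sh` with no arguments.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DNAT       tcp  --  *      *       0.0.0.0/0            10.137.0.5          tcp dpt:8080 to:10.137.0.12:8080
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            10.137.0.5          tcp dpt:22 to:10.137.0.12:22'

demo() {  # parse the sample: 3 packets for port 8080, 0 for 22, 0 for 80
    for p in 8080 22 80; do
        printf 'sample dpt:%s -> %s packets\n' "$p" \
            "$(printf '%s\n' "$SAMPLE_LISTING" | sum_pkts "$p")"
    done
}

# Real walk when given a port and qube names, e.g. from dom0:
#   sh walk_chain.sh 8080 sys-net sys-firewall my-appvm
if [ "$#" -ge 2 ]; then walk_chain "$@"; else demo; fi
```

Run it once after a fresh boot and once after a resume from suspend; a sys-net row that reads "unchanged" while the rule is still listed points at the hop to restart, before you start guessing at services inside sys-net.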
