From 1cb9453b318683cf9300d73743e19c181023fcce Mon Sep 17 00:00:00 2001
From: fz72
Date: Sat, 23 Mar 2024 20:48:39 +0000
Subject: [PATCH] Update firewall.md

- route from outside the world
- correct: nft list table ip qubes instead of nft list table ip qubes-firewall
- location of firewall script in sys-net
- additional note for interface
---
 user/security-in-qubes/firewall.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md
index 95b28673..d4597e39 100644
--- a/user/security-in-qubes/firewall.md
+++ b/user/security-in-qubes/firewall.md
@@ -308,12 +308,12 @@ nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr
 
 > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
 
-> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface.
+> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface. Alternatively, you can leave out the interface completely.
 
 Verify the rules on sys-net firewall correctly match the packets you want by looking at its counters, check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
 
 ```
-nft list table ip qubes-firewall
+nft list table ip qubes
 ```
 
 In this example, we can see 7 packets in the forward rule, and 3 packets in the dnat rule:
@@ -335,7 +335,7 @@ chain custom-dnat-qubeDEST {
 telnet 192.168.x.n 443
 ```
 
-Once you have confirmed that the counters increase, store the commands used in the previous steps in `/rw/config/rc.local` so they get set on sys-net start-up:
+Once you have confirmed that the counters increase, store the commands used in the previous steps in `/rw/config/qubes-firewall-user-script` so they get set on sys-net start-up:
 
 ```
 [user@sys-net user]$ sudo -i