Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-10-11 10:08:39 -04:00
Code Issues Projects Releases Packages Wiki Activity

Shorter text change

Browse source
This commit is contained in:
Dr. Gerhard Weck 2025-09-16 11:18:41 +02:00 committed by GitHub
parent d7fa3cb26a
commit 8760a08d2d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
user/security-in-qubes/firewall.rst
View file

@ -139,7 +139,7 @@ In order to allow networking from qube A (client) to qube B (server) follow thes
- Now you should be able to reach B from A test it using e.g. ping issued from A. Note however, that this doesnt allow you to reach A from B for this you would need two more rules, with A and B swapped.
- If everything works as expected, then you should write the above nftables rules into firewallVMs ``qubes-firewall-user-script`` script. This script is run when the netvm starts up. Remember that you have to perform this change in the disposable template if the firewallVM is a disposable VM; otherwise the change will get lost on restart of the VM. You should also write relevant rules in A and Bs ``rc.local`` script which is run when the qube is launched. Heres an example how to update the script:
- If everything works as expected, then you should write the above nftables rules into firewallVMs ``qubes-firewall-user-script`` script. This script is run when the netvm starts up. You should also write relevant rules in A and Bs ``rc.local`` script which is run when the qube is launched. Heres an example how to update the script:
@ -418,7 +418,7 @@ In this example, we can see 7 packets in the forward rule, and 3 packets in the
Once you have confirmed that the counters increase, store the commands used in the previous steps in ``/rw/config/qubes-firewall-user-script`` so they get set on sys-net start-up, and remember that you have to perform this change in the disposable template if sys-net is a disposable VM; otherwise the change will get lost on restart of the VM:
Once you have confirmed that the counters increase, store the commands used in the previous steps in ``/rw/config/qubes-firewall-user-script`` so they get set on sys-net start-up:
.. code:: console
@ -477,7 +477,7 @@ Third step, code the appropriate new filtering firewall rule to allow new connec
Once you have confirmed that the counters increase, store these commands in the script ``/rw/config/qubes-firewall-user-script`` , and remember that you have to perform this change in the disposable template if the firewallVM is a disposable VM; otherwise the change will get lost on restart of the VM.
Once you have confirmed that the counters increase, store these commands in the script ``/rw/config/qubes-firewall-user-script``
.. code:: console
@ -537,6 +537,8 @@ Where to put firewall rules
Implicit in the above example :doc:`scripts </user/advanced-topics/config-files>`, but worth calling attention to: for all qubes *except* those supplying networking, nftables commands should be added to the ``/rw/config/rc.local`` script. For service qubes supplying networking (``sys-firewall`` and ``sys-net`` inclusive), nftables commands should be added to ``/rw/config/qubes-firewall-user-script``.
Remember that you have to perform these changes in the corresponding disposable templates if the VMs are disposable VMs; otherwise the changes will get lost on restart of the VMs.
Firewall troubleshooting
------------------------