mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-01-25 22:16:10 -05:00
more /rw/config/ script tweaks
This commit is contained in:
parent
2bd320caad
commit
e259037ec3
@ -13,6 +13,7 @@ Qubes specific VM config files
|
|||||||
==============================
|
==============================
|
||||||
|
|
||||||
Those files are placed in /rw, which survives VM restart, so can be used to customize single VM (not all VMs based on the same template).
|
Those files are placed in /rw, which survives VM restart, so can be used to customize single VM (not all VMs based on the same template).
|
||||||
|
The scripts here all run as root.
|
||||||
|
|
||||||
- `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config etc. Example usage:
|
- `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config etc. Example usage:
|
||||||
|
|
||||||
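Review bot: "The scripts here all run as root." is the right fact to add but is dangling between the /rw paragraph and the list; tie it to the list it describes, e.g. "All of the scripts listed below are executed as root by the Qubes services in the VM", and note that suspend-module-blacklist in that list is a plain module list, not a script. Since these files are run with root privileges, this is also the natural place to say they must be owned by root and not writable by other accounts (the tinyproxy page touched later in this commit already gives the `chown root:root` / `chmod 755` steps).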
@ -23,7 +24,8 @@ Those files are placed in /rw, which survives VM restart, so can be used to cust
|
|||||||
~~~
|
~~~
|
||||||
|
|
||||||
- `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network)
|
- `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network)
|
||||||
- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after firewall update. Good place to write own custom firewall rules
|
|
||||||
|
- `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after each firewall update. Good place to write own custom firewall rules
|
||||||
- `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system going to sleep. The file is used only in VM with some PCI devices attached. Supposed to be used for problematic device drivers.
|
- `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system going to sleep. The file is used only in VM with some PCI devices attached. Supposed to be used for problematic device drivers.
|
||||||
|
|
||||||
Note that scripts need to be executable (chmod +x) to be used.
|
Note that scripts need to be executable (chmod +x) to be used.
|
||||||
|
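Review bot: adding "each" is accurate, but it introduces an expectation the paragraph does not state: a script that runs after each firewall update must be idempotent, because plain `iptables -I ...` lines will be re-inserted on every run. Consider a sentence such as "the script is re-run on every firewall update, so rules in it should be written so that repeated execution does not duplicate them".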
@ -162,7 +162,7 @@ Setup
|
|||||||
to restart all proxy processes.
|
to restart all proxy processes.
|
||||||
|
|
||||||
7. To make sure that the proxy is started automatically when the AppVM
|
7. To make sure that the proxy is started automatically when the AppVM
|
||||||
starts change `/rw/config/qubes_firewall_user_script` to include the
|
starts change `/rw/config/qubes-firewall-user-script` to include the
|
||||||
following line:
|
following line:
|
||||||
|
|
||||||
/rw/config/tinyproxy/proxyctl.py update
|
/rw/config/tinyproxy/proxyctl.py update
|
||||||
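Review bot: the rename from `qubes_firewall_user_script` to `qubes-firewall-user-script` is applied here but the page gives no hint that the underscore spelling ever existed. If the underscore name is still honored by older Qubes releases, say from which version the hyphenated name applies; if it is not, a reader following an older copy of these instructions ends up with a script that is never executed and no indication why. One sentence either way would avoid that.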
@ -174,8 +174,8 @@ Setup
|
|||||||
|
|
||||||
Make sure that the script is owned by root and executable:
|
Make sure that the script is owned by root and executable:
|
||||||
|
|
||||||
sudo chown root:root /rw/config/qubes_firewall_user_script
|
sudo chown root:root /rw/config/qubes-firewall-user-script
|
||||||
sudo chmod 755 /rw/config/qubes_firewall_user_script
|
sudo chmod 755 /rw/config/qubes-firewall-user-script
|
||||||
|
|
||||||
8. In Qubes VM manager adjust Firewall rules for each AppVM with a
|
8. In Qubes VM manager adjust Firewall rules for each AppVM with a
|
||||||
proxy. In a typical case when only HTTP proxy should be used for
|
proxy. In a typical case when only HTTP proxy should be used for
|
||||||
|
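Review bot: the ownership/permission step is renamed correctly; consider saying why it matters, since the config-files page in this same commit states these scripts run as root: a root-executed script that is writable by another account is a privilege boundary problem, and `chmod 755` (owner-writable only) is what makes the `chown root:root` meaningful. Also note the permission style differs from the other pages touched here, which use `chmod +x`; either is fine, but one convention across the docs is easier to follow.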
@ -86,7 +86,7 @@ sudo iptables -I FORWARD 2 -s <IP address of A> -d <IP address of B> -j ACCEPT
|
|||||||
issues from VM A. Note however, that this doesn't allow you to reach A from
|
issues from VM A. Note however, that this doesn't allow you to reach A from
|
||||||
B -- for this you would need another rule, with A and B addresses swapped.
|
B -- for this you would need another rule, with A and B addresses swapped.
|
||||||
* If everything works as expected, then the above iptables rule(s) should be
|
* If everything works as expected, then the above iptables rule(s) should be
|
||||||
written into firewall VM's `qubes_firewall_user_script` script which is run
|
written into firewall VM's `qubes-firewall-user-script` script which is run
|
||||||
on every firewall update. This is necessary, because Qubes orders every
|
on every firewall update. This is necessary, because Qubes orders every
|
||||||
firewall VM to update all the rules whenever new VM is started in the system.
|
firewall VM to update all the rules whenever new VM is started in the system.
|
||||||
If we didn't enter our rules into this "hook" script, then shortly our custom
|
If we didn't enter our rules into this "hook" script, then shortly our custom
|
||||||
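Review bot: the prose now names the correct hook script, but the rule shown in the hunk header, `sudo iptables -I FORWARD 2 -s <IP address of A> -d <IP address of B> -j ACCEPT`, inserts at a fixed position and the text never explains what rule 2 sits after. A reader cannot tell whether position 2 is essential (it must precede a Qubes drop rule) or arbitrary, and a fixed index silently breaks if the default chain layout changes; one sentence explaining the placement, or a pointer to `iptables -L FORWARD --line-numbers` to verify it, would help.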
@ -97,8 +97,8 @@ sudo iptables -I FORWARD 2 -s <IP address of A> -d <IP address of B> -j ACCEPT
|
|||||||
|
|
||||||
~~~
|
~~~
|
||||||
[user@firewallvm ~]$ sudo bash
|
[user@firewallvm ~]$ sudo bash
|
||||||
[root@firewallvm user]# echo "iptables -I FORWARD 2 -s 10.137.2.25 -d 10.137.2.6 -j ACCEPT" >> /rw/config/qubes_firewall_user_script
|
[root@firewallvm user]# echo "iptables -I FORWARD 2 -s 10.137.2.25 -d 10.137.2.6 -j ACCEPT" >> /rw/config/qubes-firewall-user-script
|
||||||
[root@firewallvm user]# chmod +x /rw/config/qubes_firewall_user_script
|
[root@firewallvm user]# chmod +x /rw/config/qubes-firewall-user-script
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
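Review bot: the path fix is correct, but the example it fixes has two problems worth addressing while here. First, `echo "iptables -I FORWARD 2 ..." >> /rw/config/qubes-firewall-user-script` appends unconditionally, and because the script runs on every firewall update (per the paragraph above), each run inserts another copy of the rule; suggest `iptables -C FORWARD -s ... -d ... -j ACCEPT || iptables -I FORWARD 2 ...` or a dedicated chain that is flushed first. Second, the file created this way has no interpreter line, whereas the port-forwarding section later on this page starts its script with `#!/bin/sh`; add the shebang here too so the two examples agree.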
Port forwarding to a VM from the outside world
|
Port forwarding to a VM from the outside world
|
||||||
@ -235,7 +235,7 @@ the service
|
|||||||
remove the ` -s 192.168.0.1/24 `
|
remove the ` -s 192.168.0.1/24 `
|
||||||
|
|
||||||
Once you have confirmed that the counters increase, store these command in
|
Once you have confirmed that the counters increase, store these command in
|
||||||
'/rw/config/qubes_firewall_user_script'
|
'/rw/config/qubes-firewall-user-script'
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
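Review bot: the renamed path is wrapped in single quotes (`'/rw/config/qubes-firewall-user-script'`) while the rest of the page uses backticks for file names; use backticks for consistency. The context line "store these command in" also has a typo ("commands") that could be fixed while this paragraph is being touched.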
@ -284,7 +284,7 @@ fi
|
|||||||
Finally make this file executable (so it runs at every Firewall VM update)
|
Finally make this file executable (so it runs at every Firewall VM update)
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
sudo chmod +x /rw/config/qubes_firewall_user_script
|
sudo chmod +x /rw/config/qubes-firewall-user-script
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
**3. Allow packets into the VM to reach the service**
|
**3. Allow packets into the VM to reach the service**
|
||||||
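Review bot: "Finally make this file executable (so it runs at every Firewall VM update)" is accurate but incomplete compared with the tinyproxy page edited in this same commit, which also requires the file to be owned by root. Since this script is executed as root on every firewall update, the same `sudo chown root:root /rw/config/qubes-firewall-user-script` step belongs here before the `chmod +x`.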
@ -319,7 +319,10 @@ service is up :-)
|
|||||||
Where to put firewall rules
|
Where to put firewall rules
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
||||||
Implicit in the above example, but worth calling attention to: for all
|
Implicit in the above example [scripts](/doc/config-files/), but worth
|
||||||
VMs EXCEPT proxy VMs, iptables commands should be added to the
|
calling attention to: for all VMs EXCEPT proxy VMs, iptables commands
|
||||||
'/rw/config/rc.local' script. For proxy VMs, iptables commands should
|
should be added to the '/rw/config/rc.local' script. For proxy VMs
|
||||||
be added to '/rw/config/qubes_firewall_user_script'.
|
(sys-firewall inclusive) iptables commands should be added to
|
||||||
|
'/rw/config/qubes-firewall-user-script'. This is because a proxy VM is
|
||||||
|
constantly adjusting it's firewall, and therefore initial settings from
|
||||||
|
rc.local do not persist.
|
||||||
|
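Review bot: two wording issues in the added text: "it's firewall" should be "its firewall", and "For proxy VMs (sys-firewall inclusive)" reads more naturally as "For proxy VMs (including sys-firewall)". The closing explanation could also be more precise: "initial settings from rc.local do not persist" because the proxy VM regenerates its firewall rules on each update, which discards anything rc.local inserted at boot; stating that mechanism makes clear why the user script, which is re-run after each update, is the right place.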