user/security-in-qubes/firewall.rst
5 additions & 3 deletions
@@ -139,7 +139,7 @@ In order to allow networking from qube A (client) to qube B (server) follow thes
139
139
140
140
- Now you should be able to reach B from A – test it using e.g. ping issued from A. Note however, that this doesn’t allow you to reach A from B – for this you would need two more rules, with A and B swapped.
141
141
142
-
- If everything works as expected, then you should write the above nftables rules into firewallVM’s ``qubes-firewall-user-script`` script. This script is run when the netvm starts up. You should also write relevant rules in A and B’s ``rc.local`` script which is run when the qube is launched. Here’s an example how to update the script:
142
+
- If everything works as expected, then you should write the above nftables rules into firewallVM’s ``qubes-firewall-user-script`` script (see section :ref:`Where to put firewall rules <user/security-in-qubes/firewall:where to put firewall rules>`). This script is run when the netvm starts up. You should also write relevant rules in A and B’s ``rc.local`` script which is run when the qube is launched. Here’s an example how to update the script:
143
143
144
144
145
145
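Review bot: the new ``:ref:`` target ``user/security-in-qubes/firewall:where to put firewall rules`` only resolves if the docs build runs ``sphinx.ext.autosectionlabel`` with ``autosectionlabel_prefix_document`` enabled, because this patch adds no explicit label above the ``Where to put firewall rules`` heading (see the last hunk); either confirm the build already depends on that extension, or add an explicit ``.. _where-to-put-firewall-rules:`` label above the heading and point all three new references at it, which also survives a later heading rename. While this line is being edited, "Here's an example how to update the script:" reads better as "Here's an example of how to update the script:".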
@@ -418,7 +418,7 @@ In this example, we can see 7 packets in the forward rule, and 3 packets in the
418
418
419
419
420
420
421
-
Once you have confirmed that the counters increase, store the commands used in the previous steps in ``/rw/config/qubes-firewall-user-script`` so they get set on sys-net start-up:
421
+
Once you have confirmed that the counters increase, store the commands used in the previous steps in ``/rw/config/qubes-firewall-user-script`` so they get set on sys-net start-up (see section :ref:`Where to put firewall rules <user/security-in-qubes/firewall:where to put firewall rules>`):
422
422
423
423
.. code:: console
424
424
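Review bot: placing the parenthetical before the colon is correct here, since the colon is what introduces the ``.. code:: console`` directive two context lines below; keep the blank line between them as in the context, or the block will not render. The wording "so they get set on sys-net start-up" is narrower than the earlier hunk's "when the netvm starts up", and the section being referenced says the script applies to ``sys-firewall`` as well, so consider "on start-up of the qube supplying networking" for consistency.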
@@ -477,7 +477,7 @@ Third step, code the appropriate new filtering firewall rule to allow new connec
477
477
478
478
479
479
480
-
Once you have confirmed that the counters increase, store these commands in the script ``/rw/config/qubes-firewall-user-script``
480
+
Once you have confirmed that the counters increase, store these commands in the script ``/rw/config/qubes-firewall-user-script`` (see section :ref:`Where to put firewall rules <user/security-in-qubes/firewall:where to put firewall rules>`):
481
481
482
482
.. code:: console
483
483
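Review bot: the trailing colon that the original line lacked before the following ``.. code:: console`` directive is now present, which is the right fix; the sentence still differs from the otherwise identical instruction at line 421 ("store these commands in the script" versus "store the commands used in the previous steps in"), so aligning the two would give readers the same instruction in both places.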
@@ -537,6 +537,8 @@ Where to put firewall rules
537
537
538
538
Implicit in the above example :doc:`scripts </user/advanced-topics/config-files>`, but worth calling attention to: for all qubes *except* those supplying networking, nftables commands should be added to the ``/rw/config/rc.local`` script. For service qubes supplying networking (``sys-firewall`` and ``sys-net`` inclusive), nftables commands should be added to ``/rw/config/qubes-firewall-user-script``.
539
539
540
+
Remember that you have to perform these changes in the corresponding disposable templates if the VMs are disposable VMs; otherwise the changes will get lost on restart of the VMs.
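Review bot: the added paragraph says the changes "will get lost" but not why, and it uses "VMs" where the rest of this file says "qubes"; both files named in the preceding paragraph live under ``/rw``, which is exactly what a disposable does not keep, so say that directly. Suggested wording: "If the qube is a disposable, make these changes in its disposable template instead: the disposable's ``/rw`` (and with it ``rc.local`` and ``qubes-firewall-user-script``) is discarded when it shuts down, so rules written there are lost." This applies equally when ``sys-net`` or ``sys-firewall`` are themselves disposables.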