Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update firewall.md documentation #605

Merged
merged 2 commits into from
Mar 7, 2018
Merged

Update firewall.md documentation #605

merged 2 commits into from
Mar 7, 2018

Conversation

adubois
Copy link
Contributor

@adubois adubois commented Feb 28, 2018

address issues related to the combined use of iptables and nftables as well as fix various typos and unclear parts.

@adubois
Update firewall.md documentation
bdca061 
address issues related to the combined use of iptables and nftables as well as fix various typos and unclear parts.
@adubois adubois mentioned this pull request Feb 28, 2018
Closed
8 tasks
marmarek
marmarek reviewed Feb 28, 2018
View reviewed changes
security/firewall.md Outdated

> Note: On Qubes R4, nftables is also used which imply that nft rules also need to be set. Qubes OS has defined a `qubes-firewall` table with a forward chain.

`nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.x tcp dport 443 ct state new counter accept`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, qubes-firewall service (by design) should only take care about traffic outgoing from a VM, not incoming. So, I'd consider the need for this line a bug. Let me fix it right now. And then replace this line with reference for appropriate package version.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marmarek, I suspect you're very busy. This line is to document this exact use case (expose service in AppVM and open flow inbound through sys-net then sys-firewall) The sub-section title is something like expose a service to the outside world. I took care to lock it as much as possible at every stage.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The line as it is looks ok until the bug is resolved. Please add this ticket reference: QubesOS/qubes-issues#3644

adubois
adubois commented Mar 1, 2018
View reviewed changes
Copy link
Contributor Author

@adubois adubois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hope I understood you correctly. Added the new bug ref to the doc.

@adubois
Copy link
Contributor Author

adubois commented Mar 1, 2018

@marmarek (mentioning you so you get an event in your queue)... also I’m not sure I still learn github workflow....

@andrewdavidwong andrewdavidwong requested a review from marmarek March 2, 2018 01:59
@andrewdavidwong andrewdavidwong assigned marmarek and unassigned adubois Mar 2, 2018
@andrewdavidwong andrewdavidwong merged commit a10e4fa into QubesOS:master Mar 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marmarek marmarek marmarek approved these changes

Assignees

@marmarek marmarek

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adubois @marmarek @andrewdavidwong