Merge branch 'qubes-iptables'
Conflicts: debian/control rpm_spec/core-vm.spec QubesOS/qubes-issues#1067
commit
8e497bffc0
13
Makefile
13
Makefile
@ -67,6 +67,9 @@ ifeq ($(shell lsb_release -is), Debian)
|
|||||||
# Wheezy Dropins
|
# Wheezy Dropins
|
||||||
# Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed
|
# Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed
|
||||||
DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,))
|
DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,))
|
||||||
|
|
||||||
|
# handled by qubes-iptables service now
|
||||||
|
DROPINS += netfilter-persistent.service
|
||||||
endif
|
endif
|
||||||
|
|
||||||
install-systemd-dropins:
|
install-systemd-dropins:
|
||||||
@ -83,6 +86,7 @@ install-systemd:
|
|||||||
install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
|
install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
|
||||||
install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
|
install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
|
||||||
install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
|
install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
|
||||||
|
install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
|
||||||
|
|
||||||
install-sysvinit:
|
install-sysvinit:
|
||||||
install -d $(DESTDIR)/etc/init.d
|
install -d $(DESTDIR)/etc/init.d
|
||||||
@ -95,6 +99,7 @@ install-sysvinit:
|
|||||||
install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
|
install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
|
||||||
install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
|
install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
|
||||||
install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
|
install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
|
||||||
|
install network/qubes-iptables $(DESTDIR)/etc/init.d/
|
||||||
|
|
||||||
install-rh: install-systemd install-systemd-dropins install-sysvinit
|
install-rh: install-systemd install-systemd-dropins install-sysvinit
|
||||||
install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
|
install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
|
||||||
@ -117,9 +122,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
|
|||||||
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
|
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
|
||||||
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
|
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
|
||||||
|
|
||||||
install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
|
|
||||||
install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
|
|
||||||
|
|
||||||
install-common:
|
install-common:
|
||||||
$(MAKE) -C autostart-dropins install
|
$(MAKE) -C autostart-dropins install
|
||||||
install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
|
install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
|
||||||
@ -167,6 +169,9 @@ install-common:
|
|||||||
install -d $(DESTDIR)/etc/xdg/autostart
|
install -d $(DESTDIR)/etc/xdg/autostart
|
||||||
install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
|
install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
|
||||||
install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
|
install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
|
||||||
|
install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
|
||||||
|
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
|
||||||
|
|
||||||
|
|
||||||
install -d $(DESTDIR)/$(SBINDIR)
|
install -d $(DESTDIR)/$(SBINDIR)
|
||||||
install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
|
install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
|
||||||
@ -226,8 +231,6 @@ install-deb: install-common install-systemd install-systemd-dropins
|
|||||||
mkdir -p $(DESTDIR)/etc/apt/sources.list.d
|
mkdir -p $(DESTDIR)/etc/apt/sources.list.d
|
||||||
sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
|
sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
|
||||||
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
|
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
|
||||||
install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
|
|
||||||
install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
|
|
||||||
install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
|
install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
|
||||||
install -d $(DESTDIR)/etc/sysctl.d
|
install -d $(DESTDIR)/etc/sysctl.d
|
||||||
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
|
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
|
||||||
|
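Review bot: The install path and the unit's ExecStart can disagree. The install-systemd hunk copies the script to `$(DESTDIR)$(LIBDIR)/qubes/init/`, while the unit added in this commit hard-codes `ExecStart=/usr/lib/qubes/init/qubes-iptables` and the spec lists the same literal path. LIBDIR's value is not visible here; if it ever resolves to something other than /usr/lib, the oneshot fails and the base rules are never loaded. The removed rule-file lines used the literal prefix, so either keep it (`install -m 0755 network/qubes-iptables $(DESTDIR)/usr/lib/qubes/init/`) or add a comment tying the two paths together. In install-sysvinit, `install network/qubes-iptables $(DESTDIR)/etc/init.d/` relies on install's default mode, and an explicit `-m 0755` would match the systemd line; both recipes start and end outside the hunks shown.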
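--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,6 @@ Depends:
 init-system-helpers,
 initscripts,
 iptables,
-iptables-persistent,
 librsvg2-bin,
 libvchan-xen,
 locales,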
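--- a/network/qubes-iptables
+++ b/network/qubes-iptables
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# qubes-iptables Start Qubes base iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Loads iptables firewall
+#
+# config: /etc/qubes/iptables.rules
+# config: /etc/qubes/ip6tables.rules
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Loads Qubes base iptables firewall
+# Description: Loads Qubes base iptables firewall
+### END INIT INFO
+
+IPTABLES=iptables
+IPTABLES_DATA_DIR=/etc/qubes
+
+if [ ! -x /sbin/$IPTABLES ]; then
+echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
+exit 5
+fi
+
+start() {
+ipt=$1
+IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+CMD=$ipt
+# Do not start if there is no config file.
+[ ! -f "$IPTABLES_DATA" ] && return 6
+
+echo -n $"${CMD}: Applying firewall rules: "
+
+$CMD-restore $IPTABLES_DATA
+if [ $? -eq 0 ]; then
+echo OK
+else
+echo FAIL; return 1
+fi
+
+return $ret
+}
+
+case "$1" in
+start)
+start iptables && start ip6tables
+RETVAL=$?
+;;
+*)
+echo $"Usage: ${IPTABLES} start"
+RETVAL=2
+;;
+esac
+
+exit $RETVAL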
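Review bot: `start iptables && start ip6tables` skips the IPv6 rules whenever the IPv4 step returns non-zero, including the `return 6` for a missing /etc/qubes/iptables.rules, so one bad or absent IPv4 file leaves ip6tables unloaded. Loading each family independently and keeping a failure code avoids that. Two smaller points in `start()`: `return $ret` uses a variable that is never assigned, and `$IPTABLES_DATA` is unquoted in the restore call. The `-x` guard at the top also checks only /sbin/iptables, while the restore binaries for both families are found through PATH. A sketch of the changed lines follows.

```shell
start() {
    # … unchanged: ipt / IPTABLES_DATA / CMD setup, missing-config check, progress echo …
    if "$CMD-restore" "$IPTABLES_DATA"; then
        echo OK
        return 0
    fi
    echo FAIL
    return 1
}

case "$1" in
    start)
        # Load both families independently so an IPv4 problem cannot leave IPv6 unfiltered.
        RETVAL=0
        start iptables || RETVAL=$?
        start ip6tables || RETVAL=$?
        ;;
    # … unchanged: usage branch …
```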
@ -37,7 +37,6 @@ Requires: yum-plugin-post-transaction-actions
|
|||||||
Requires: NetworkManager >= 0.8.1-1
|
Requires: NetworkManager >= 0.8.1-1
|
||||||
%if %{fedora} >= 18
|
%if %{fedora} >= 18
|
||||||
# Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
|
# Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
|
||||||
Requires: iptables-services
|
|
||||||
Conflicts: firewalld
|
Conflicts: firewalld
|
||||||
%endif
|
%endif
|
||||||
Requires: /usr/bin/mimeopen
|
Requires: /usr/bin/mimeopen
|
||||||
@ -122,33 +121,11 @@ usermod -L user
|
|||||||
(cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
|
(cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
|
||||||
make install-vm DESTDIR=$RPM_BUILD_ROOT
|
make install-vm DESTDIR=$RPM_BUILD_ROOT
|
||||||
|
|
||||||
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
|
|
||||||
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
|
|
||||||
|
|
||||||
%triggerin -- initscripts
|
%triggerin -- initscripts
|
||||||
if [ -e /etc/init/serial.conf ]; then
|
if [ -e /etc/init/serial.conf ]; then
|
||||||
cp /usr/share/qubes/serial.conf /etc/init/serial.conf
|
cp /usr/share/qubes/serial.conf /etc/init/serial.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%triggerin -- iptables
|
|
||||||
if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
|
|
||||||
cat <<EOF >>/etc/sysconfig/iptables-config
|
|
||||||
|
|
||||||
### Automatically added by Qubes:
|
|
||||||
# Override default rules location on Qubes
|
|
||||||
IPTABLES_DATA=/etc/sysconfig/iptables.qubes
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
|
|
||||||
cat <<EOF >>/etc/sysconfig/ip6tables-config
|
|
||||||
|
|
||||||
### Automatically added by Qubes:
|
|
||||||
# Override default rules location on Qubes
|
|
||||||
IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
|
|
||||||
# disable some Upstart services
|
# disable some Upstart services
|
||||||
@ -198,16 +175,6 @@ EOF
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
|
|
||||||
# would not start (even when configured to use another configuration file.
|
|
||||||
if [ ! -e '/etc/sysconfig/iptables' ]; then
|
|
||||||
ln -s iptables.qubes /etc/sysconfig/iptables
|
|
||||||
fi
|
|
||||||
if [ ! -e '/etc/sysconfig/ip6tables' ]; then
|
|
||||||
ln -s ip6tables.qubes /etc/sysconfig/ip6tables
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
|
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
|
||||||
# in the form expected by qubes-sysinit.sh
|
# in the form expected by qubes-sysinit.sh
|
||||||
if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
@ -356,10 +323,8 @@ rm -f %{name}-%{version}
|
|||||||
%config /etc/qubes/autostart/*.desktop.d/30_qubes.conf
|
%config /etc/qubes/autostart/*.desktop.d/30_qubes.conf
|
||||||
%config(noreplace) /etc/sudoers.d/qubes
|
%config(noreplace) /etc/sudoers.d/qubes
|
||||||
%config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm
|
%config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm
|
||||||
%config(noreplace) /etc/sysconfig/iptables.qubes
|
%config(noreplace) /etc/qubes/iptables.rules
|
||||||
%config(noreplace) /etc/sysconfig/ip6tables.qubes
|
%config(noreplace) /etc/qubes/ip6tables.rules
|
||||||
/usr/lib/qubes/init/iptables
|
|
||||||
/usr/lib/qubes/init/ip6tables
|
|
||||||
%config(noreplace) /etc/tinyproxy/filter-updates
|
%config(noreplace) /etc/tinyproxy/filter-updates
|
||||||
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
|
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
|
||||||
%config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
|
%config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
|
||||||
@ -450,6 +415,7 @@ The Qubes core startup configuration for SysV init (or upstart).
|
|||||||
/etc/init.d/qubes-core-netvm
|
/etc/init.d/qubes-core-netvm
|
||||||
/etc/init.d/qubes-firewall
|
/etc/init.d/qubes-firewall
|
||||||
/etc/init.d/qubes-netwatcher
|
/etc/init.d/qubes-netwatcher
|
||||||
|
/etc/init.d/qubes-iptables
|
||||||
/etc/init.d/qubes-updates-proxy
|
/etc/init.d/qubes-updates-proxy
|
||||||
/etc/init.d/qubes-qrexec-agent
|
/etc/init.d/qubes-qrexec-agent
|
||||||
/etc/sysconfig/modules/qubes-core.modules
|
/etc/sysconfig/modules/qubes-core.modules
|
||||||
@ -475,8 +441,6 @@ done
|
|||||||
chkconfig rsyslog on
|
chkconfig rsyslog on
|
||||||
chkconfig haldaemon on
|
chkconfig haldaemon on
|
||||||
chkconfig messagebus on
|
chkconfig messagebus on
|
||||||
chkconfig iptables on
|
|
||||||
chkconfig ip6tables on
|
|
||||||
chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
|
chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
|
||||||
chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
|
chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
|
||||||
chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
|
chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
|
||||||
@ -487,6 +451,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa
|
|||||||
chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
|
chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
|
||||||
chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
|
chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
|
||||||
chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
|
chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
|
||||||
|
chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!"
|
||||||
|
chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!"
|
||||||
chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
|
chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
|
||||||
chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
|
chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
|
||||||
chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
|
chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
|
||||||
@ -530,6 +496,7 @@ The Qubes core startup configuration for SystemD init.
|
|||||||
/lib/systemd/system/qubes-mount-home.service
|
/lib/systemd/system/qubes-mount-home.service
|
||||||
/lib/systemd/system/qubes-netwatcher.service
|
/lib/systemd/system/qubes-netwatcher.service
|
||||||
/lib/systemd/system/qubes-network.service
|
/lib/systemd/system/qubes-network.service
|
||||||
|
/lib/systemd/system/qubes-iptables.service
|
||||||
/lib/systemd/system/qubes-sysinit.service
|
/lib/systemd/system/qubes-sysinit.service
|
||||||
/lib/systemd/system/qubes-update-check.service
|
/lib/systemd/system/qubes-update-check.service
|
||||||
/lib/systemd/system/qubes-update-check.timer
|
/lib/systemd/system/qubes-update-check.timer
|
||||||
@ -541,6 +508,7 @@ The Qubes core startup configuration for SystemD init.
|
|||||||
%dir /usr/lib/qubes/init
|
%dir /usr/lib/qubes/init
|
||||||
/usr/lib/qubes/init/prepare-dvm.sh
|
/usr/lib/qubes/init/prepare-dvm.sh
|
||||||
/usr/lib/qubes/init/network-proxy-setup.sh
|
/usr/lib/qubes/init/network-proxy-setup.sh
|
||||||
|
/usr/lib/qubes/init/qubes-iptables
|
||||||
/usr/lib/qubes/init/misc-post.sh
|
/usr/lib/qubes/init/misc-post.sh
|
||||||
/usr/lib/qubes/init/misc-post-stop.sh
|
/usr/lib/qubes/init/misc-post-stop.sh
|
||||||
/usr/lib/qubes/init/mount-home.sh
|
/usr/lib/qubes/init/mount-home.sh
|
||||||
@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then
|
|||||||
else
|
else
|
||||||
services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
|
services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
|
||||||
services="$services qubes-netwatcher qubes-network qubes-sysinit"
|
services="$services qubes-netwatcher qubes-network qubes-sysinit"
|
||||||
services="$services qubes-updates-proxy qubes-qrexec-agent"
|
services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
|
||||||
for srv in $services; do
|
for srv in $services; do
|
||||||
/bin/systemctl --no-reload preset $srv.service
|
/bin/systemctl --no-reload preset $srv.service
|
||||||
done
|
done
|
||||||
/bin/systemctl --no-reload preset qubes-update-check.timer
|
/bin/systemctl --no-reload preset qubes-update-check.timer
|
||||||
|
# Upgrade path - now qubes-iptables is used instead
|
||||||
|
/bin/systemctl --no-reload preset iptables.service
|
||||||
|
/bin/systemctl --no-reload preset ip6tables.service
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Set default "runlevel"
|
# Set default "runlevel"
|
||||||
|
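Review bot: Upgraded SysV systems appear to keep the distribution iptables/ip6tables init scripts enabled: the `@ -475,8 +441,6 @` hunk drops `chkconfig iptables on` and `chkconfig ip6tables on` but adds nothing like the systemd branch's `preset iptables.service` to turn them off. On such a system the block that the removed `%triggerin -- iptables` once appended to /etc/sysconfig/iptables-config still points `IPTABLES_DATA` at /etc/sysconfig/iptables.qubes, so two services may load two different rule sets and the later one wins. I would add `chkconfig iptables off || :` and `chkconfig ip6tables off || :` next to the new qubes-iptables lines. A comment in `%post` should also say whether a locally edited iptables.qubes is expected to be carried over to /etc/qubes/iptables.rules, since the `%files` change does not migrate it. The scriptlets extend beyond the hunks shown, so this is based on the visible lines only.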
@ -42,6 +42,8 @@ disable fedora-storage-init.service
|
|||||||
disable fedora-storage-init-late.service
|
disable fedora-storage-init-late.service
|
||||||
disable hwclock-load.service
|
disable hwclock-load.service
|
||||||
disable ipmi.service
|
disable ipmi.service
|
||||||
|
disable iptables.service
|
||||||
|
disable ip6tables.service
|
||||||
disable irqbalance.service
|
disable irqbalance.service
|
||||||
disable mcelog.service
|
disable mcelog.service
|
||||||
disable mdmonitor-takeover.service
|
disable mdmonitor-takeover.service
|
||||||
@ -68,7 +70,6 @@ enable qubes-mount-home.service
|
|||||||
enable qubes-firewall.service
|
enable qubes-firewall.service
|
||||||
enable qubes-netwatcher.service
|
enable qubes-netwatcher.service
|
||||||
enable qubes-meminfo-writer.service
|
enable qubes-meminfo-writer.service
|
||||||
enable iptables.service
|
enable qubes-iptables.service
|
||||||
enable ip6tables.service
|
|
||||||
enable haveged.service
|
enable haveged.service
|
||||||
enable chronyd.service
|
enable chronyd.service
|
||||||
|
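--- a/vm-systemd/netfilter-persistent.service.d/30_qubes.conf
+++ b/vm-systemd/netfilter-persistent.service.d/30_qubes.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/var/run/qubes-service/netfilter-persistent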
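--- a/vm-systemd/qubes-iptables.service
+++ b/vm-systemd/qubes-iptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Qubes base firewall settings
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/qubes/init/qubes-iptables start
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target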
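Review bot: Nothing in `[Unit]` orders this service before interfaces are configured; the only ordering visible in the commit is the `After=qubes-iptables.service` added to the network-forwarding and updates-proxy units. With just `WantedBy=basic.target`, the base rules can be applied after networking has started, leaving a window in which the kernel's default policies apply. Adding `Before=network-pre.target` and `Wants=network-pre.target` to `[Unit]` closes that window on systemd versions that provide the target. `After=` in the dependent units is ordering only, so they still start if this oneshot fails; a short comment stating whether that is intended would help.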
@ -2,7 +2,7 @@
|
|||||||
Description=Qubes network forwarding setup
|
Description=Qubes network forwarding setup
|
||||||
ConditionPathExists=/var/run/qubes-service/qubes-network
|
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||||
Before=network.target
|
Before=network.target
|
||||||
After=iptables.service
|
After=qubes-iptables.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
Description=Qubes updates proxy (tinyproxy)
|
Description=Qubes updates proxy (tinyproxy)
|
||||||
ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
|
ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
|
||||||
ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
|
ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
|
||||||
After=iptables.service
|
After=qubes-iptables.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
|
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
|
||||||
|