Start qubes-firewall (which will add "DROP by default" rule) before
enabling IP forwarding, to not leave a time slot where some connection
could go around configured firewall.
QubesOS/qubes-issues#3269
In some cases it may make sense to enfoce outgoing firewall also on
sys-net. If the service is disabled, firewall settings will be
(silently) ignored, so better be on the safe side and enable.
QubesOS/qubes-issues#3290
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.
FixesQubesOS/qubes-issues#3269
4.0 template builds use `<package>.install` files with dh_install. The
differences between Debian and Ubuntu packages also need to be represented
in these files.
* qubesos/pr/63:
archlinux: restore setup of pam.d/su-l
archlinux: remove python3 dependency
archlinux: ensure [options] section is present in all pacman drop-ins
archlinux: enforce usage of python2 in all scripts
Makefile: avoid using python interpreter as a static name
archlinux: create user 'user' using bash by default instead of zsh
archlinux: ship pam.d/qrexec as a replacement of using su
archlinux: do not mess with locales in post-install script
archlinux: remove pam configuration for su and su-l
archlinux: remove deprecated setup of pam since v4.0.3
Add the 4.0 repo to the PKGBUILD sources list
Restore the binary pacman repo and update it for QubesOS 4.0
Fix the makefile for archlinux - SBINDIR is already /usr/bin
Update the arch PKGBUILD script for QubesOS 4.0
systemd-timesyncd.service isn't enough, for various reasons:
- it is started too early in the boot process - files in
/var/run/qubes-services are not yet there
- by default it does only one shot synchronization, and there is no
network at that early boot time yet
- by default use-ntp is set to "no"
So, in addition, enable actual ntp client.
FixesQubesOS/qubes-issues#3210
Since the qubes-download-dom0-updates script executes dnf with fakeroot, some dnf plugins like etckeeper break the update with "Permission denied" errors.
qubes-gui agent calls su-l instead of initializing its own pam
session such as qrexec.
pam.d/su-l qubes specific configuration must be restored to ensure
that the user login session is properly initialized:
https://github.com/QubesOS/qubes-issues/issues/3185
* fixes-20171019:
debian: cleanup after splitting qubes-core-agent
Fix removing temporary file after editing in (Disp)VM
network: fix rules for network setup on new udev
debian: disable timer-based apt-get