On Sat, Aug 21, 2021 at 12:08:55AM +0200, Giulio wrote:

> Hi,
> as an addendum to the previous email, the problema was the fact that the
> first rule to match in the qubes-firewall table, forward chain was:
> iifname !="*vif" accept
> By moving that to the end of the chain, the attached one is the new
> trace which makes a lot more sense and increase the counters.
> However, I still cannot see any traffic reaching the next hop.

Check if that isn't iptables blocking it. By default it does block new
connections coming from outside. I initially thought it would interfere
only at the final hop, but maybe at an earlier too...


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab