From fbddb85b9707ed51f03478662bc22e024ec66ec4 Mon Sep 17 00:00:00 2001 From: "Manuel Amador (Rudd-O)" Date: Tue, 11 Oct 2016 19:20:10 +0000 Subject: [PATCH] More documentation. --- README.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3cc7c68..f302e17 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ #Qubes network server -This software lets you turn your Qubes OS machine into a network server. +This software lets you turn your [Qubes OS](https://www.qubes-os.org/) machine into a network server, enjoying all the benefits of Qubes OS (isolation, secure inter-VM process communication, ease of use) with none of the drawbacks of setting up your own Xen server. ##Enhanced networking model @@ -47,7 +47,7 @@ a ProxyVM `server-proxy`, which in turn is connected to a NetVM to your laptop on the same physical network, which we'll assume has IP address `192.168.1.8`. -###Assign a static address to `httpserver` +###Assign a static address First step is to assign an address — let's make it `192.168.1.6` — to `httpserver`: @@ -56,12 +56,12 @@ to `httpserver`: qvm-static-ip -s httpserver static_ip 192.168.1.6 ``` -###Restart `httpserver` +###Restart VM Due to limitations in this release of the code, you must power off the `httpserver` VM and then power it back on. -###Set firewall rules on `httpserver` +###Set firewall rules on VM Launch the Qubes Manager preferences window for the `httpserver` VM. Go to the *Firewall rules* tab and select *Deny network access 
@@ -76,6 +76,10 @@ Note the trick here — any address whose text begins with `from-` gets transformed into an incoming traffic rule, as opposed to the standard rules that control only outbound traffic. +**Security note**: the default "allow all" firewall leaves all ports +of the VM accessible to the world. To the extent that you can avoid +it, do not use the "allow all" firewall setting at all. + Back on the main dialog, click *OK*. ###That's it! @@ -91,6 +95,19 @@ inbound connections. You'll also note that `httpserver` has received no permission to engage in any sort of outbound network traffic. +##Inter-VM network communication + +This software isn't limited to just letting network servers be +accessible from your physical network. VMs can talk among each +other too. Simple instructions: + +* Set up a static IP address for each VM. +* Set up the appropriate rules to let them talk to each other. + +VMs so authorized can talk to each other over the network, +even when they do not share a ProxyVM between them, of course, +so long as their ProxyVMs share the same NetVM. + ##Disabling network server Two-step process. Step one:
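Review bot: the rewritten opening sentence in the `@@ -1,6 +1,6 @@` hunk promises "none of the drawbacks of setting up your own Xen server", which nothing else in the README supports and which this same patch partly contradicts: the Restart VM section admits that "limitations in this release of the code" force a power cycle after assigning an address, and the new security note warns that the default firewall leaves every port exposed. Suggest keeping the link and the concrete benefits ("isolation, secure inter-VM process communication, ease of use") and softening the rest to something like "without most of the work of setting up your own Xen server".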
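Review bot: the heading in the `@@ -47,7 +47,7 @@` hunk drops the VM name (`###Assign a static address`) while the body directly under it still introduces `httpserver` and the preceding context still calls it out as the example VM; if the goal is to make the headings generic so the steps apply to any VM, say so once in the body ("we'll use `httpserver` as the example") rather than silently removing the name from the title.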
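Review bot: the two renamed headings in the `@@ -56,12 +56,12 @@` hunk read awkwardly without an article ("Restart VM", "Set firewall rules on VM") and are not even consistent with the first hunk, which removed the VM reference entirely; pick one convention for all three step headings, either "Restart the VM" / "Set firewall rules on the VM" or dropping the VM from both as the earlier hunk did. Also, since `###Restart VM` now sits above text that explains the restart is a workaround for "limitations in this release of the code", it would help to mention in that same paragraph that the firewall step that follows does not require another restart (or that it does, if that is the case); the patch leaves the reader guessing.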
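Review bot: the new security note in the `@@ -76,6 +76,10 @@` hunk does not say why "allow all" is worse here than in stock Qubes, even though the context lines immediately above supply the reason: `from-` addresses become inbound rules, so once a VM has a static address on the physical network an allow-all policy admits inbound connections on every port, not just outbound traffic. Suggest stating that explicitly and naming the safe setting the preceding section already uses (*Deny network access except...* with explicit `from-` entries) instead of only "do not use the 'allow all' firewall setting". "Accessible to the world" also overstates the exposure slightly; it is whatever network the NetVM is attached to, which the README's example calls the physical network. Consider placing the note before the step where the user chooses the policy, not after it.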
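Review bot: the "Simple instructions" list in the `@@ -91,6 +95,19 @@` hunk is too thin to follow, because "Set up the appropriate rules to let them talk to each other" does not say which VM gets which rule. Under the model the README itself describes (ordinary rules control outbound traffic, `from-` addresses turn into inbound rules), VM A reaching VM B on B's static address needs an outbound rule on A permitting B's address and a `from-` rule on B permitting A's address; spell that out, in the same style as the `qvm-static-ip -s httpserver static_ip 192.168.1.6` step above. The closing sentence "even when they do not share a ProxyVM between them, of course, so long as their ProxyVMs share the same NetVM" undercuts itself ("of course" followed by a restriction); suggest: "VMs so authorized can talk to each other even when attached to different ProxyVMs, provided those ProxyVMs share the same NetVM." It should also say whether the power-cycle requirement from the Restart VM section applies to each VM configured this way.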