Do you think the following seems like a sound solution?
/lib/systemd/system/qubes-updates-proxy.service.d/40_qubes-whonix.conf
```
## This file is part of Whonix.
## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

[Service]
## Clear the 'ExecStartPre' list.
## Prevent loading firewall rules: ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start
ExecStartPre=

## Clear the 'ExecStopPost' list.
## Prevent removing firewall rules: ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop
ExecStopPost=

## XXX: Workaround.
## Re-adding a required 'ExecStartPre' item.
## Required until, qubes-core-agent 3.1.3 hits stable and everyone
## upgraded, i.e. until /usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
## is in place.
## https://github.com/QubesOS/qubes-issues/issues/1401
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
```
Alternatively, I was wondering if I should rather produce a pull request against QubesOS to either,
- a) split qubes-updates-proxy into qubes-updates-proxy and qubes-updates-proxy-iptables or,
- b) allow iptables-updates-proxy to be turned off by /etc/qubes/settings.d
What do you think?
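A small model of how systemd merges this drop-in with the packaged unit, added here as an example that is not part of the original post or of Whonix/Qubes code: an empty assignment resets a list-type setting, so the order of lines in the drop-in decides which commands survive. `BASE_UNIT` is a constructed stand-in for the real `qubes-updates-proxy.service`, and `effective_lists` and `firewall_hooks` are hypothetical helper names.

```python
"""Model of systemd drop-in merging for list-type settings (added example)."""
LIST_KEYS = ("ExecStartPre", "ExecStopPost")
INSTALL = "/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy"

# Constructed stand-in for the packaged unit (assumption): only these three
# commands appear in the post, the real file's layout may differ.
BASE_UNIT = f"""[Service]
ExecStartPre={INSTALL}
ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start
ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop
"""

# The drop-in from the post, with its comments stripped.
DROPIN = f"""[Service]
ExecStartPre=
ExecStopPost=
ExecStartPre={INSTALL}
"""


def effective_lists(*fragments):
    """Apply unit fragments in load order and return the resulting lists."""
    lists = {key: [] for key in LIST_KEYS}
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if section != "Service" or not sep or key not in lists:
                continue
            if value:
                lists[key].append(value)  # non-empty value appends
            else:
                lists[key].clear()  # empty assignment resets the list
    return lists


def firewall_hooks(lists):
    """Return every surviving command that calls iptables-updates-proxy."""
    return [c for cmds in lists.values() for c in cmds if "iptables-updates-proxy" in c]


if __name__ == "__main__":
    print(effective_lists(BASE_UNIT, DROPIN))
```

On a running system, `systemctl show -p ExecStartPre -p ExecStopPost qubes-updates-proxy` reports the lists that systemd actually loaded.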