I’d like to suggest a git repository with qvm-firewall rules for common applications. For example, the following is required to install signal-desktop:
# Run as root in the TemplateVM: the redirect into /usr/share/keyrings, the tee into
# /etc/apt/sources.list.d and the apt-get calls all need it.
# 1. Install our official public software signing key:
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > /usr/share/keyrings/signal-desktop-keyring.gpg
# 2. Add our repository to your list of repositories:
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] http://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
# 3. Update your package database and install Signal:
apt-get update
apt-get --yes install signal-desktop
And with the following qvm-firewall rules, it works well for me:
# Reset the firewall (deletes all rules and sets it to "policy accept", which is dumb)
qvm-firewall app-signal reset
# Delete the default accept rule
qvm-firewall app-signal del --rule-no 0
# Add allow list
qvm-firewall app-signal add accept api.snapcraft.io tcp 443
qvm-firewall app-signal add accept chat.signal.org tcp 443
qvm-firewall app-signal add accept storage.signal.org tcp 443
qvm-firewall app-signal add accept storage-manager.signal.org tcp 443
qvm-firewall app-signal add accept cdn.signal.org tcp 443
The required firewall rules can be determined using tools like tcpdump in sys-firewall; you can set the final rule in the qbs-1-2-3-4 chain to log packets, and you can use dnscrypt-proxy in a sys-dns VM to log all queried domains to its query.log.
The only issue I face is CDNs changing the resolved IPs, especially while travelling, but nftables of course only resolves the IP when the rule is applied. For this I was thinking of maybe having an allow-list in dnscrypt-proxy and, if an allowed domain is resolved, having that trigger the creation or update of the corresponding nftables rule.
How do you guys approach this and should we create a community repo for those rules?
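As an added example, not code from the original post or from any Qubes or dnscrypt-proxy project, here is a script for the log-driven part of the workflow described above: it reads a dnscrypt-proxy query.log as captured in a sys-dns qube, keeps the hostnames one client qube resolved successfully, and prints the qvm-firewall commands for those that are on a reviewed allow-list, reporting the rest so they can be vetted rather than allowed blindly. The same allow-list match is the decision point the post's proposed dnscrypt-proxy-triggered rule update would key on. The log layout (dnscrypt-proxy's default "tsv" query_log format, tab-separated time, client IP, qname, qtype, result, duration, server), the "PASS" result string, the client IP 10.137.0.12, the qube name and every log line are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post: derive qvm-firewall allow rules
# for one qube from a dnscrypt-proxy query.log captured in sys-dns.
# Assumed log layout (dnscrypt-proxy's default "tsv" query_log format):
#   [time]<TAB>client_ip<TAB>qname<TAB>qtype<TAB>result<TAB>duration<TAB>server
# The qube name, client IP, log lines and allow-list below are constructed.
set -eu

# Build one constructed log line in that layout: logline TIME CLIENT QNAME QTYPE RESULT MS
logline() {
    printf '[%s]\t%s\t%s\t%s\t%s\t%sms\t-\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

SAMPLE_LOG=$(
    logline '2024-01-05 10:00:01' 10.137.0.12 chat.signal.org     A    PASS     12
    logline '2024-01-05 10:00:01' 10.137.0.12 chat.signal.org     AAAA PASS     12
    logline '2024-01-05 10:00:02' 10.137.0.12 cdn.signal.org      A    PASS      8
    logline '2024-01-05 10:00:03' 10.137.0.12 api.snapcraft.io    A    PASS     20
    logline '2024-01-05 10:00:04' 10.137.0.12 tracker.example.net A    PASS      9
    logline '2024-01-05 10:00:05' 10.137.0.12 nope.example.net    A    NXDOMAIN  9
    logline '2024-01-05 10:00:06' 10.137.0.20 debian.org          A    PASS      9
)

# Hostnames this profile is willing to allow (the domains from the post).
ALLOWLIST='api.snapcraft.io
chat.signal.org
storage.signal.org
storage-manager.signal.org
cdn.signal.org'

# queried_hosts CLIENT_IP: unique hostnames that CLIENT_IP resolved successfully
# (A/AAAA queries answered with PASS), read from query.log on stdin.
queried_hosts() {
    awk -F'\t' -v ip="$1" \
        '$2 == ip && ($4 == "A" || $4 == "AAAA") && $5 == "PASS" { print $3 }' |
        sort -u
}

# rules_for QUBE ALLOWLIST: for each hostname on stdin, print the qvm-firewall
# command when it is in ALLOWLIST; report anything else on stderr for review
# instead of allowing it blindly.
rules_for() {
    local qube="$1" allow="$2" host
    while read -r host; do
        if printf '%s\n' "$allow" | grep -Fxq -- "$host"; then
            printf 'qvm-firewall %s add accept %s tcp 443\n' "$qube" "$host"
        else
            printf 'review: %s was queried but is not on the allow-list\n' "$host" >&2
        fi
    done
}

# Usage: print the commands for app-signal, whose IP in the sys-dns log is
# assumed to be 10.137.0.12.
printf '%s\n' "$SAMPLE_LOG" | queried_hosts 10.137.0.12 | rules_for app-signal "$ALLOWLIST"
```

Run against a real query.log with `queried_hosts <ip> < /var/log/dnscrypt-proxy/query.log | rules_for <qube> "$(cat allowlist.txt)"` (paths are assumptions); the NXDOMAIN line and the other qube's traffic are dropped by the filter, and tracker.example.net ends up on stderr rather than in a rule, which is the review step that keeps a log-driven allow-list from silently growing.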