Okay, I suppose you can just kill the update service. Is there a separate service for this? And disable it. Checking for updates is just one of the things that gets into the clearnet, so I don’t want to emphasize it. I also don’t want this topic to be compared with others on the problem of checking for updates. Solving my problem will also solve the problem of checking for updates and this is something more global, like a firewall or killswitch.
I shared how to proceed a few messages above, see Route ALL Qubes traffic through VPN - #7 by DVM
qvm-service <qube> qubes-update-check off
Does this mean that one of the appvms initiates checking for updates? What about dom0?
After thinking about it, I think it should be best to use a custom sys-net, like one running OpenBSD or a custom Linux distribution. The sys-net firewall is managed by Qubes OS; the ruleset is huge, and modifying it drastically to block everything except a few IPs may be a risk because Qubes OS may want to do stuff on the rulesets afterwards and introduce unwanted changes.
All AppVMs do this by default.
dom0 does this using a proxy (different from the one used to update templates) to check but also update; this is defined in the updates tab in the global config manager.
So I need to create an OpenBSD template? Just running a clean OpenBSD image as a standalone won’t work? What if I use an existing Debian template and name the qube mynetqube, plug an adapter into it - will it be subject to Qubes control?
I don’t understand you. “update proxy” (for Template and Dom0) sys-whonix selected, but I asked about checking for updates, not downloading them. Initiating a check starts appvm, as well as dom0, respectively, the system determines what needs to be sent for a check via sys-net. Can we trick the system and leave sys-net empty/without adapter and use mynetqube to which sys-firewall is connected instead? Or will the system look for sys-firewall first?)
However, updates can be disabled and it will work, so I am not very interested in it. But a qube-level firewall with an adapter is very necessary.
Do I need to enter this only for templates or for AppVMs as well? What about disposables?
Can you answer the questions above?