Caution: The default disposable template has a different net qube setting than this qube

I am trying to get my AppVMs and AppTemplates in order and as secure as possible. I am mostly using the default settings that came after installation. I also installed Whonix on first boot and made it the default so everything is enclosed by Tor.

Now, when navigating to the settings of an AppVM or AppTemplate, I am noticing a yellow triangle with an exclamation mark inside of it, and when you hover the mouse over it, it says:

Caution: The default disposable template (see the advanced tab) has a different net qube setting than
this qube. This configuration may result in unexpected network access.
For example you may have set this qubes net qube to “None” in order to prevent any data from being transmitted out.
However, if the default disposable template’s net qube is set to “sys-firewall”, then a disposable started from this qube
may be able to transmit data out, contrary to your intention. You may wish to set the default disposable template
for this qube to one with equally restrictive network settings.

I’m a bit confused as to what this means and need some clarification about this message.

For example, in my AppQube personal under Basic Settings, my net qube is sys-firewall. Next to it (on the right) reads the above error message. Under the Advanced tab, I DO NOT have the Disposable template box checkmarked, however my default disposable template is default (whonix-workstation-17-dvm).

I forgot to document all of the settings after first boot, but am surprised that Qubes has these errors/warnings right out of the box as default. The only thing that I can think of which may have changed my Default disposable template settings is when I opened up the Qubes Global Config Menu and changed the Default template to whonix-workstation-17, and also changed the Default disposable template to whonix-workstation-17-dvm, which I am not sure was a good idea or not.

Can someone explain to me what this original warning really means in further detail, how it relates to Qubes security, and how I can fix all of my AppQubes and AppTemplates to no longer give me this warning? And how it's all relevant for disposable qubes? Thanks.


When using the network in your personal qube, you’ll go through sys-firewall. If from that qube you decide to open a file in a disposable, that disposable would access the network via… sys-whonix I suppose. (Whatever the net qube for whonix-workstation-17-dvm is.)

That may not be a problem to you, but the warning is there because that behaviour might be surprising.

Note how the typical example is setting an AppVM net qube to “none”, but missing the fact that a document opened from that qube in a DispVM might not be isolated from the network because the DispVM net qube is (in that example) sys-firewall. That may be a nasty surprise, hence the warning.

The goal of the warning is to bring your attention to that mismatch. If the mismatch doesn’t bother you, it’s not a problem for Qubes OS, things will work.

I hope that helps.

That’s not related to the warning. (Though I see why you would think it may be; the names happen to be similar, that’s all.)

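Added example (not part of either post, and not Qubes OS project code): a dom0 shell script that lists every qube whose net qube differs from the net qube of its default disposable template, which is the mismatch the warning describes. The `name|netvm|default_dispvm` record format, the sample qubes `work`, `vault` and `default-dvm`, and the way an unset net qube is normalised are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find qubes whose default disposable template uses a different net qube.
# Record format (constructed for this example): name|netvm|default_dispvm

# Build records from a live system; run in dom0. Not exercised by the sample below.
collect() {
    for q in $(qvm-ls --raw-list); do
        [ "$q" = dom0 ] && continue
        printf '%s|%s|%s\n' "$q" \
            "$(qvm-prefs "$q" netvm 2>/dev/null)" \
            "$(qvm-prefs "$q" default_dispvm 2>/dev/null)"
    done
}

# Constructed inventory mirroring the thread, plus an offline "vault" case.
sample_inventory() {
    cat <<'EOF'
personal|sys-firewall|whonix-workstation-17-dvm
whonix-workstation-17-dvm|sys-whonix|whonix-workstation-17-dvm
work|sys-firewall|default-dvm
vault||default-dvm
default-dvm|sys-firewall|default-dvm
EOF
}

# Reads records on stdin; prints one line per qube whose net qube differs
# from the net qube of its default disposable template.
find_mismatches() {
    awk -F'|' '
        # Assumption: an unset net qube shows up as empty, "-" or "None".
        function norm(v) { return (v == "" || v == "-" || v == "None") ? "none" : v }
        NF >= 3 { order[++n] = $1; net[$1] = norm($2); dvm[$1] = norm($3) }
        END {
            for (i = 1; i <= n; i++) {
                q = order[i]; d = dvm[q]
                if (d == "none" || !(d in net)) continue   # no disposable template to compare
                if (net[q] == net[d]) continue             # same net qube: no warning
                tag = (net[q] == "none") ? "OFFLINE" : "MISMATCH"
                printf "%s %s: netvm=%s, disposables from %s use netvm=%s\n", tag, q, net[q], d, net[d]
            }
        }'
}

# Use live data in dom0, otherwise fall back to the constructed sample.
if command -v qvm-prefs >/dev/null 2>&1; then
    collect | find_mismatches
else
    sample_inventory | find_mismatches
fi
```

Lines tagged `OFFLINE` are the case the warning text singles out: the qube itself has no net qube, but a disposable started from it would. To clear an entry, point that qube's default disposable template at one whose net qube matches, for example with `qvm-prefs <qube> default_dispvm <disposable-template>` in dom0.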