sys-firewall-no-lan has rules to drop packets to 192.168.x.0/24
sys-firewall-only-lan has rules to drop packets except to 192.168.x.0/24
This seemed like a clean way to do what I want, and it works. I’m wondering though if it might be better to just apply the firewalling rules on vm1, vm2, etc. duplicatively (implemented on sys-firewall) and to remove sys-firewall-no-lan and sys-firewall-only-lan. Mostly to save system resources: only one firewall qube rather than three.
So:
sys-net
└─sys-firewall
  ├─vm1 (rules: no lan)
  ├─vm2 (rules: no lan)
  ├─vm3 (rules: no lan)
  ├─vm6 (rules: only lan)
  └─vm7 (rules: only lan)
Are there drawbacks to this approach? What further tradeoffs might advise one approach vs the other?
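The per-qube variant asked about above, as an added example that is not part of the original post: a dom0 script that builds the "no lan" and "only lan" rule sets and applies them with qvm-firewall, so each qube carries its own policy under a single sys-firewall. LAN_NET is an assumed subnet standing in for the post's "192.168.x.0/24", the qube names vm1-vm7 are the post's placeholders, and the qvm-firewall subcommands used (reset, del --rule-no, add, list) are the Qubes 4.x ones; check `qvm-firewall --help` on your release before running it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes project.
# LAN_NET is an assumed value for the post's "192.168.x.0/24"; override with
# LAN_NET=... when invoking the script.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Rule specs for a "no lan" qube. The firewall qube matches rules first-hit in
# order, so the LAN drop must come before the catch-all accept.
no_lan_rules() {
    printf '%s\n' \
        "drop dsthost=$1 comment=no-lan" \
        "accept comment=anything-else"
}

# Rule specs for an "only lan" qube. Qubes blocks whatever no rule matches, but
# an explicit final drop keeps the intent visible in 'qvm-firewall VM list'.
only_lan_rules() {
    printf '%s\n' \
        "accept dsthost=$1 comment=only-lan" \
        "drop comment=anything-else"
}

# Print the rule set for a profile name (no-lan | only-lan).
rules_for() {
    case $1 in
        no-lan)   no_lan_rules "$LAN_NET" ;;
        only-lan) only_lan_rules "$LAN_NET" ;;
        *) echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# Replace a qube's rule list with the profile. Runs in dom0 only.
apply_profile() {
    vm=$1; profile=$2
    rules=$(rules_for "$profile") || return 1
    qvm-firewall "$vm" reset              # back to the default single 'accept'
    qvm-firewall "$vm" del --rule-no 0    # remove that accept so ours are first
    echo "$rules" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the spec into words is intended
        qvm-firewall "$vm" add $rule
    done
    qvm-firewall "$vm" list               # verify order and actions by eye
}

# The layout from the question: vm1-vm3 get "no lan", vm6-vm7 get "only lan".
apply_layout() {
    for vm in vm1 vm2 vm3; do apply_profile "$vm" no-lan; done
    for vm in vm6 vm7;     do apply_profile "$vm" only-lan; done
}

# Only touch qubes when qvm-firewall exists, i.e. when run in dom0; elsewhere
# just show the rule sets that would be applied.
if command -v qvm-firewall >/dev/null 2>&1; then
    apply_layout
else
    echo "not in dom0; rule sets that would be applied:"
    for p in no-lan only-lan; do echo "[$p]"; rules_for "$p"; done
fi
```

The rules are still enforced in sys-firewall (the qube's netvm), which is what "implemented on sys-firewall" means in the question; the qube itself cannot loosen them. Switching a qube between profiles with this layout means re-running apply_profile for it, whereas with two child firewall qubes it is a netvm change.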
Using two child firewalls makes it easy to switch qubes between the options: just reassign the netvm. Personally I find this approach somewhat cleaner.

If you have a single firewall then you have to change the firewall settings on each qube.

The effect on system resources should be minimal either way, and you can always use a mirage firewall to make the impact truly minimal.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.