Chaining sys-firewalls vs duplicating firewalling rules on many qubes

Euwiiwueir · May 9, 2024, 7:24pm

I’ve been using a netvm setup like this:

sys-net
└─sys-firewall
  └─sys-firewall-no-lan
    └─vm1
    └─vm2
    └─vm3
  └─sys-firewall-only-lan
    └─vm4
    └─vm5

Such that:

sys-firewall-no-lan has rules to drop packets to 192.168.x.0/24
sys-firewall-only-lan has rules to drop packets except to 192.168.x.0/24

This seemed like a clean way to do what I want, and it works. I’m wondering though if it might be better to just apply the firewalling rules on vm1, vm2, etc. duplicatively (implemented on sys-firewall) and to remove sys-firewall-no-lan and sys-firewall-only-lan. Mostly to save system resources- only one firewall qube rather than three.

So:

sys-net
└─sys-firewall
  └─vm1 (rules: no lan)
  └─vm2 (rules: no lan)
  └─vm3 (rules: no lan)
  └─vm6 (rules: only lan)
  └─vm7 (rules: only lan)

Are there drawbacks to this approach? What further tradeoffs might advise one approach vs the other?

apparatus · May 9, 2024, 8:19pm

I’ve created feature request for this:

github.com/QubesOS/qubes-issues

Add support for Qubes firewall profiles/rulesets

opened 08:18PM - 09 May 24 UTC

apparatius

T: enhancement P: default

### The problem you're addressing (if any) It's a common situation where you'…ll have multiple qubes that should have the same firewall rules. For example: - allow local connections and block all other connections - block local connections and allow all other connections Right now we have two options: 1. Set firewall rules for each qube separately. ``` sys-net └─sys-firewall └─vm1 (rules: no lan) └─vm2 (rules: no lan) └─vm3 (rules: no lan) └─vm6 (rules: only lan) └─vm7 (rules: only lan) ``` This way you can have a single sys-firewall to enforce the rules for all qubes. But if you'll have a need to change the firewall rules later, e.g. add another local subnet to the allowed connections, then you'll have to manually edit all the qube's firewall rules to add this new rule change. This is cumbersome. 2. Add second sys-firewall qube that'll be used to set the common firewall rules for all the qubes connected to it. ``` sys-net └─sys-firewall └─sys-firewall-no-lan └─vm1 └─vm2 └─vm3 └─sys-firewall-only-lan └─vm4 └─vm5 ``` This way you'll have two sys-firewall qubes so it'll consume more system resources compared with first option. But this way editing firewall rules will be more convenient. ### The solution you'd like I suggest to add a feature to Qubes firewall so it'll be possible to create profiles/rulesets and use them to to set the qube's firewall rules. E.g. create profile `allow-lan-ruleset` with these rules: ``` NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT 0 accept 192.168.1.0/24 - - - - - - 1 drop - - - - - - - ``` And then select this profile for the qube to use. This way you can edit this profile later and the changes will be propagated to all the qubes automatically. Maybe also consider to not only select the firewall rules profile but also use these rulesets as parts of qube's firewall rules e.g. to be able to set qube firewall rules to be: ``` NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT 0 accept 1.2.3.4/32 udp 12345 - - - - 1 import - - - github-ruleset - - import rules to allow connections to github 2 import - - - allow-lan-ruleset - - import rules to allow connections to LAN 3 drop - - - - - - - ``` ### The value to a user, and who that user might be User can easily and more flexibly manage the qubes firewall rules. Related forum topic: https://forum.qubes-os.org/t/chaining-sys-firewalls-vs-duplicating-firewalling-rules-on-many-qubes/26351 ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

unman · May 10, 2024, 12:44pm

Using two child firewall makes it easy to switch qubes between the options -
just reassign netvm. Personally I find this approach somewhat cleaner.
If you have a single firewall then you have to change the firewall
settings on each qube.

The effect on system resources should be minimal either way, and you
can always use a mirage firewall to make the impact truly minimal.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.