Chaining sys-firewalls vs duplicating firewalling rules on many qubes

I’ve been using a netvm setup like this:


Such that:

  • sys-firewall-no-lan has rules to drop packets to 192.168.x.0/24
  • sys-firewall-only-lan has rules to drop packets except to 192.168.x.0/24

This seemed like a clean way to do what I want, and it works. I’m wondering though if it might be better to just apply the firewalling rules on vm1, vm2, etc. duplicatively (implemented on sys-firewall) and to remove sys-firewall-no-lan and sys-firewall-only-lan. Mostly to save system resources- only one firewall qube rather than three.


  └─vm1 (rules: no lan)
  └─vm2 (rules: no lan)
  └─vm3 (rules: no lan)
  └─vm6 (rules: only lan)
  └─vm7 (rules: only lan)

Are there drawbacks to this approach? What further tradeoffs might advise one approach vs the other?

I’ve created feature request for this:

1 Like

Using two child firewall makes it easy to switch qubes between the options -
just reassign netvm. Personally I find this approach somewhat cleaner.
If you have a single firewall then you have to change the firewall
settings on each qube.

The effect on system resources should be minimal either way, and you
can always use a mirage firewall to make the impact truly minimal.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like