Changing sys-* templates


If I change the sys-firewall template and create a new disposable template from it, but keep my sys-firewall as is and just change its setting to the new disposable template… will that erase the predefined sys-firewall rules/firewall rules?
Same with sys-net.
I want to change these two but I’m kind of not sure and afraid to break the system.

Please advise!


You can change the template of a qube, the firewall rules.

Anyway, the firewall rules of a qube are not applied to the qube itself, but in its netvm. You should not add firewall rules to sys-net because it doesn’t have a netvm and shouldn’t be considered trustable. Adding rules for sys-firewall should be avoided for the same reasons as they would happen on sys-net.

If you really want to add some global rules, create another sys-firewall (find a nice name for it) using sys-firewall as a netvm, and use that qube for all your qubes networking.

Sorry, but I didn’t quite get it I think…
Doesn’t sys-firewall have some default firewall rules? And sys-net has some default settings too?
I have these two as disposables and as far as I got it so far they inherit their settings from the disposable template and the template.
I do understand that sys-net is not trusted, but why isn’t sys-firewall trusted the same way? After all, sys-firewall doesn’t have direct access to the internet.
And as for the global rules… is there a doc page or something else where I can learn this? I only found how to apply local rules in here Firewall | Qubes OS

They block everything by default, like every other qube.

sys-firewall is trusted, but adding firewall rules to it, either through the qvm-firewall command or the firewall tab in its configuration, will add the rules in sys-net (to prevent the qube from altering its own rules), but sys-net is not trusted.

I feel so bad annoying you with these questions, but this made it even more complicated for me :smile:
So I have like almost empty firewall.xml files in the /var/lib/qubes/appvms//firewall.xml and that’s including sys-firewall… I have like one property name “accept” and that’s it… is that supposed to be like that or did I break it?

How exactly does this work? I don’t really get it…

This is explained in the official documentation about firewalls: Firewall | Qubes OS

Why did you need to modify this file?

I missed it I guess… gonna look for it again

I didn’t modify it… I just changed the templates…
So I did modify them by changing the templates? Is there a way to revert this or only to reinstall the system?

I think you two are talking at cross purposes.

If you change the template for sys-firewall, the existing firewall
rules will be created and applied as before. You do not need to edit any
The xml file for sys-firewall contains the rules for sys-firewall, not
the rules that sys-firewall enforces. That ruleset is built up from the
firewall rules that fit for qubes attached to sys-firewall.

The Qubes firewall mechanism is not primarily a security device. It’s there to
limit user mistakes.
The default rules are to block all new inbound traffic, and to allow all
traffic. The Qubes firewall GUI operates on the outbound
If you want global rules you can create and enforce these using
nftables rules in sys-net, and/or sys-firewall. You will have to make
sure that these rules run past reboots using the mechanisms under /rw

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
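
As an added illustration of the reply above (not code from the thread or from Qubes OS): each qube's firewall.xml describes that qube's own traffic, and the ruleset a netvm enforces is collected from the qubes attached to it. The XML layout (`<rule>` elements holding `<property name="...">` children) is assumed from Qubes 4.x, and the qube list, netvm assignments and rule values are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Layout assumed from Qubes 4.x firewall.xml files.
ACCEPT_ALL = """<firewall version="2"><rules>
  <rule><properties><property name="action">accept</property></properties></rule>
</rules></firewall>"""
RESTRICTED = """<firewall version="2"><rules>
  <rule><properties>
    <property name="action">accept</property>
    <property name="proto">tcp</property>
    <property name="dsthost">192.0.2.10/32</property>
    <property name="dstports">443</property>
  </properties></rule>
  <rule><properties><property name="action">drop</property></properties></rule>
</rules></firewall>"""

# qube name -> (its netvm, contents of its own firewall.xml); all constructed.
QUBES = {
    "sys-net": (None, ACCEPT_ALL),
    "sys-firewall": ("sys-net", ACCEPT_ALL),
    "work": ("sys-firewall", RESTRICTED),
    "personal": ("sys-firewall", ACCEPT_ALL),
}

def parse_rules(xml_text):
    """Return each <rule> as a dict of its property names and values."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): (p.text or "").strip() for p in rule.iter("property")}
            for rule in root.iter("rule")]

def enforced_by(netvm, qubes=QUBES):
    """Rules a netvm enforces: those of the qubes attached to it, not its own."""
    return {name: parse_rules(xml)
            for name, (nv, xml) in qubes.items() if nv == netvm}

def is_accept_all(rules):
    """True when the file holds only the single unconditional accept rule."""
    return rules == [{"action": "accept"}]

if __name__ == "__main__":
    for netvm in ("sys-net", "sys-firewall"):
        for qube, rules in enforced_by(netvm).items():
            label = "accept all outbound" if is_accept_all(rules) else rules
            print(f"{netvm} enforces for {qube}: {label}")
```
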

OK… so the firewall.xml with one property name of “accept” is totally fine, right?

Is there a way I can check the combined rules applied somehow? Maybe some command?

I actually tried to check for open ports with some websites after I changed the templates of sys-net and sys-firewall… I don’t really know if that’s effective or not but I tried something like Online port scanner: check for open ports on your computer or remotely — and Port Checker - Check Open Ports Online and these showed my ports are closed.

Is that because the security mechanism relies on the VM isolation? Or why is it so?