If I change the sys-firewall template and create a new disposable template from it but keep my sys-firewall as is and just change its setting to the new disposable template… will that erase the predefined sys-firewall rules/firewall rules?
Same with sys-net.
I want to change these two but I’m kind of not sure and afraid to break the system.
You can change the template of a qube, the firewall rules.
Anyway, the firewall rules of a qube are not applied to the qube itself, but in its netvm. You should not add firewall rules to sys-net because it doesn’t have a netvm and shouldn’t be considered trustable. Adding rules for sys-firewall should be avoided for the same reasons as they would happen on sys-net.
If you really want to add some global rules, create another sys-firewall (find a nice name for it) using sys-firewall as a netvm, and use that qube for all your qubes networking.
Sorry, but I didn’t quite get it I think…
Doesn’t sys-firewall have some default firewall rules? And sys-net has some default settings too?
I have these two as disposables and as far as I got it so far they inherit their settings from the disposable template and the template.
I do understand that sys-net is not trusted, but why isn’t sys-firewall trusted the same way? After all, sys-firewall doesn’t have direct access to the internet.
And as for the global rules… is there a doc page or something else where I can learn this? I only found how to apply local rules in here Firewall | Qubes OS
They block everything by default, like every other qube.
sys-firewall is trusted, but adding firewall rules to it, either through the qvm-firewall command or the firewall tab in its configuration, will add the rules in sys-net (to prevent the qube from altering its own rules), but sys-net is not trusted.
I feel so bad annoying you with these questions, but this made it even more complicated for me.
So I have almost empty firewall.xml files in /var/lib/qubes/appvms//firewall.xml, and that’s including sys-firewall… I have like one property named “accept” and that’s it… is that supposed to be like that or did I break it?
How exactly does this work? I don’t really get it…
I didn’t modify it… I just changed the templates…
So I did modify them by changing the templates? Is there a way to revert this or only to reinstall the system?
If you change the template for sys-firewall, the existing firewall rules will be created and applied as before. You do not need to edit any files.
The xml file for sys-firewall contains the rules for sys-firewall, not the rules that sys-firewall enforces. That ruleset is built up from the firewall rules that fit for qubes attached to sys-firewall.
The Qubes firewall mechanism is not primarily a security device. It’s there to limit user mistakes.
The default rules are to block all new inbound traffic, and to allow all outbound traffic. The Qubes firewall GUI operates on the outbound traffic.
If you want global rules you can create and enforce these using nftables rules in sys-net, and/or sys-firewall. You will have to make sure that these rules run past reboots using the mechanisms under /rw.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
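The last reply describes enforcing global rules with nftables in sys-firewall and persisting them under /rw. The script below is an added example of that approach, not code from the thread or from the Qubes project. It assumes the Qubes 4.2 nftables layout (table `ip qubes`, user chain `custom-forward`) and that `/rw/config/rc.local` is executed at every boot of the qube; the blocked address ranges are constructed sample values.

```shell
#!/bin/sh
# Added example: an /rw/config/rc.local for sys-firewall that enforces
# global outbound rules with nftables so they survive reboots.
# Assumptions (not confirmed by the thread): Qubes 4.2 puts user rules in
# table "ip qubes", chain "custom-forward"; /rw/config/rc.local runs at boot.

# Destinations no downstream qube may reach (constructed sample ranges).
BLOCKED_NETS="198.51.100.0/24 203.0.113.0/24"

# Emit the nft commands as text. Keeping the rule set as data makes it
# reviewable (and testable) without nft being installed.
build_rules() {
    # Start from a clean user chain so re-running the script is idempotent.
    printf 'flush chain ip qubes custom-forward\n'
    for net in $BLOCKED_NETS; do
        # Only drops are added; traffic that is not dropped continues to the
        # per-qube rules Qubes derives from each attached qube's qvm-firewall
        # settings, so this does not widen what is allowed.
        printf 'add rule ip qubes custom-forward ip daddr %s counter drop\n' "$net"
    done
}

# Load the rules with nft, which is only present inside the qube.
apply_rules() {
    if command -v nft >/dev/null 2>&1; then
        build_rules | nft -f -
    else
        echo "nft not found; global rules not applied" >&2
        return 1
    fi
}

# Apply only when run as the boot hook; sourcing the file just defines helpers.
if [ "$(basename "$0")" = "rc.local" ]; then
    apply_rules
fi
```

Install it as `/rw/config/rc.local` in sys-firewall and make it executable (`chmod +x /rw/config/rc.local`); because /rw persists across restarts of the disposable, the rules are re-applied on every boot. The `counter` on each drop rule lets you confirm with `nft list chain ip qubes custom-forward` that a rule actually matched, which is the check you want before trusting it.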