I have been reading the Qubes firewall documentation at https://www.qubes-os.org/doc/firewall/, and it mentions three ways to configure a firewall in Qubes:
- use the “firewall rules” GUI for that VM
- edit the firewall.xml file for that VM in dom0
- create a script in /rw
HOWEVER, when I view firewall rules using iptables -L, I see a bunch of rules not listed in the GUI or files mentioned above. It appears the firewall rules are being generated from iptables.rules and ip6tables.rules in /etc/qubes/
My questions for you all:
- Am I correct that the default firewall rules are all being stored in iptables.rules and ip6tables.rules?
- To edit a VM's firewall, can I just edit the iptables.rules files rather than messing with the GUI or dom0 xml file?
- It seems that all my VMs have configured firewalls. If all traffic eventually passes through sys-firewall, isn’t sys-firewall the only VM that needs a configured firewall? Why do my other VMs also have iptables.rules files fully configured?
- Why doesn’t the firewall documentation mention the iptables.rules file at all?
Any help is appreciated!