Configuring the Qubes Firewall


I have been reading the Qubes firewall documentation at, and it has mentioned three ways to configure a firewall in qubes.

  1. use the “firewall rules” gui for that VM
  2. edit the firewall.xml file for that VM in dom0
  3. create a script in /rw

HOWEVER, when i view firewall rules using iptables -L, I see a bunch of rules not listed in the gui or files mentioned above. It appears the firewall rules are being generated from iptables.rules and ip6tables.rules in /etc/qubes/

My questions for you all:

  1. Am I correct that the default firewall rules are all being stored in iptables.rules and ip6tables.rules?
  2. To edit a VMs firewall can I just edit the iptables.rules files rather than messing with the gui or dom0 xml file?
  3. It seems that all my VMs have a configured firewalls. If all traffic eventually passes through sys-firewall isn’t sys-firewall the only VM that needs a configured firewall? Why do my other VMs also have iptables.rules files fully configured?
  4. Why doesn’t the firewall documentation mention the iptables.rules file at all?

Any help is appreciated!

  1. Yes
  2. Because those rules are in /etc they are derived from the template
    for template based qubes. So the answer is NO, unless you use a script
    in /rw or similar.
  3. Qubes supports a far more complex networking structure than you
    Also the default rules limit inbound connections - they do not
    touch outbound - that is where the Qubes firewall comes in to play.
    Think about this question:
    I have a firewall at the perimeter of my network: so why should I run
    firewalls on individual machines?
    3(again). - See 2 above.
1 Like