Default firewall rules

I was wondering if there is a way to set up default firewall rules. It seems as if the default is full access.

I have rules in my template vm that restrict LAN access. Ideally I’d like to make those the default for newly created qubes.

The simplest method would be to add another sys-firewall (choose a better name maybe) behind sys-firewall, make it provide network, and in dom0 use the command qvm-firewall to put the restrictions in that new qube.

Assign AppVMs that new NetVM and it will work. Instead of duplicating the rules on each qube, this applies the filtering in the network provider, so all the qubes behind it are reliably affected by the rules.

Let’s call the new qube sys-nolan since it restricts traffic from the LAN. Now, a new qube would use sys-nolan, but that would mean network traffic from a new qube goes qube->sys-nolan->sys-firewall->sys-net. I don’t love having the extra overhead or the additional VM running.

I wish I could default to using sys-firewall with the firewall blocking all traffic till I explicitly configure something different. From a security perspective, default deny is a good policy.

Since the Qubes firewall mechanism applies the rules to the netvm and not to the qube itself, this is the only correct way to have them on sys-firewall. If you don’t want this new qube in the chain, you can still put them on sys-firewall, but they will be applied on sys-net, which is not recommended.
Something like that would work:

qvm-firewall sys-firewall add --before 0 dsthost=192.168.0.0/16 comment="Drop LAN traffic" drop

There is nothing stopping you from doing this.
Create a new chain in the qubes-firewall table or a new table with higher priority, and block all forwarded traffic.
If you want to you can block all output traffic from sys-firewall also.
qvm-firewall leverages standard nftables, so you can turn that to your own purposes.

I think I should be clearer. When I create a new qube using sys-firewall, I see that it is set to “allow all outgoing connections” in the firewall rules tab. I wish I could specify that the default for new qubes using sys-firewall was “limit outgoing connections to” with an empty list. I would prefer no access till I configure specific rules.

Clearer is good. I was still focussed on the original blocking of LAN traffic.
You know that by default the Qubes firewall allows DNS and ICMP, even with an empty list. Is this what you want or do you really want to block all outbound traffic?

I looked at the firewall rules for a new qube that I set to “limit outgoing connections to” using qvm-firewall, and I do see explicit allows for icmp and dns, followed by a drop for everything else. I would be fine if I could configure that as the default for new qubes using sys-firewall. I’d then only enable what I wanted to allow access to. Local LAN, the entire internet, both, a specific IP address, etc.
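The rule list described in the last post (accept DNS, accept ICMP, then drop everything else), packaged as a dom0 helper script. This is an added example, not code from this thread or from the Qubes project. It assumes a Qubes 4.x dom0 where qvm-firewall provides the reset, add --before, del --rule-no and list subcommands and understands the specialtarget=dns and proto=icmp matches; the three rules are the ones the firewall tab writes for "limit outgoing connections to" with an empty list. It works per qube rather than changing the default for newly created qubes, so the intended use is to run it right after qvm-create, and to add specific accept rules in front of the trailing drop afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): put one or more
# qubes into a default-deny state: accept DNS, accept ICMP, drop the rest.
# Assumes a Qubes 4.x dom0 with the qvm-firewall subcommands used below.
set -eu

# Rule list in evaluation order (first match wins), one rule per line in
# qvm-firewall's "action key=value ..." form.
default_deny_rules() {
    printf '%s\n' \
        'accept specialtarget=dns' \
        'accept proto=icmp' \
        'drop'
}

# Number of rules the helper installs; also the index the stock "accept"
# rule ends up at after the new rules have been inserted before it.
default_deny_rule_count() {
    default_deny_rules | wc -l | tr -d ' '
}

# Reverse the order of input lines (portable tac).
reverse_lines() {
    sed '1!G;h;$!d'
}

# Replace QUBE's rule list with the default-deny set.
# "reset" leaves the single stock "accept" rule at position 0. Inserting the
# new rules before position 0 in reverse order yields the order printed by
# default_deny_rules; the stock accept, now last, is then deleted so that
# the list ends in an explicit drop.
apply_default_deny() {
    qube="$1"
    qvm-firewall "$qube" reset
    default_deny_rules | reverse_lines | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        # shellcheck disable=SC2086
        qvm-firewall "$qube" add --before 0 $rule
    done
    qvm-firewall "$qube" del --rule-no "$(default_deny_rule_count)"
    qvm-firewall "$qube" list
}

# Usage in dom0:  sh default-deny.sh --apply personal work
# (no-op without --apply, so the script can be sourced for its functions)
if [ "${1:-}" = "--apply" ]; then
    shift
    for q in "$@"; do
        apply_default_deny "$q"
    done
fi
```

After this has run, `qvm-firewall NAME list` shows the three rules in order, and further `qvm-firewall NAME add --before 2 accept dsthost=...` calls open specific destinations while keeping the drop last.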