Hello,
Just started using Qubes OS, please forgive me if this is a stupid question. Release is 4.1.0-rc2 (maybe rc3 already, used Qubes update).
At the Initial setup screen I chose to have sys-usb created (disposable option). When I view the settings for it in Qube Manager, net qube is set to “(none) (current)”. In the advanced tab, “Provides network” is enabled. What does that mean? In the firewall tab it says that “This qube has direct network access”. Why this message? Shouldn’t the default sys-usb have no network access? In the firewall settings of the “vault” qube, which also has no net qube set, the firewall tab message says that the qube has no network access.
Also, in the basic tab of the sys-usb qube there’s a warning about disposables based on sys-usb having potential network access since the disposable template for sys-usb is fedora-34-dvm, and that has sys-firewall for its net qube. Is there a reason to create a disposable based on sys-usb? Is this warning somehow related to the “Provides network” setting in advanced tab and the message in firewall tab? I would like sys-usb to work completely offline.
This is selected by default to support users who may be using a USB-connected network device (e.g. wifi or mobile wan).
Yes, I thought it could be because of wifi usb adapters. Is it safe to uncheck “provides network” if I’m not going to use any? Should the message in firewall tab worry me?
- provides_network
Should this VM provide network to other VMs. Setting this property to True will allow to set this VM as netvm to other VMs.
Yes, it’s safe to uncheck “provides network”. If you ever decide to use a USB ethernet dongle or WiFi adapter, you can always check it again.
What message in the firewall tab? Are they red letters that say “This qube has no net qube. It will not have any network access anyway.”? That refers to the back end of sys-usb. You can configure that in the basic tab with the “net qube” setting. “Provides network” refers to front end connectivity.
If sys-usb is not networked, “provides network” can be turned off and the back end net qube can be set to ‘none’ and you can ignore the firewall warning.
Yes, the message in red letters in the firewall tab initially read: “This qube has direct network access. Therefore, Qubes firewall settings cannot be used. Configure other qubes’ network access in their network settings or in a dedicated firewall qube.” After disabling “Provides network”, it now says “This qube has no net qube. It will not have any network access anyway.”
By front end connectivity, do you mean qubes which are based on sys-usb, like sys-usb is based on the default disposable template (fedora-34-dvm in my case). fedora-34-dvm has sys-firewall for its net qube, is that the reason for the caution message (yellow triangle with an exclamation mark) in the basic tab, next to the net qube selection?
The sys-usb does not connect to the network for browsing the web; However, you can went to the qube setting to connect the network to browse the web.
No, it has nothing to do with templates. By “front end”, I mean the qubes that would use sys-usb as a network qube to connect to the web. For instance, sys-firewall is the front end of sys-net (it uses sys-net to reach toward the internet) and sys-net is the back end of sys-firewall. Just think of back end as “the internet/network side” and front end as the “client or browser side”.
To configure a front end qube, you choose a back end netVM in the basic tab of the settings. To configure a back end qube, you select “provides network” in the advanced tab of settings (i.e. you make it available to act as a back end for another VM). Those respective settings need to be configured for every pair of network connected qubes.
why? it very dangerous for security
Let me rephrase this:
If you went to qubes setting and connecting to the network for the dom0, there is a chance to disconnect some devices while using one of the qubes.
#debunked
It’s not possible to do that.
Ok, thanks for the clarification. So similar to a server - client?
But why the message in the firewall tab says “This qube has direct network access. Therefore, Qubes firewall settings cannot be used. Configure other qubes’ network access in their network settings or in a dedicated firewall qube.” when the net qube has been set to none (haven’t touched the default). When “provides network” is disabled, it changes to “This qube has no net qube. It will not have any network access anyway.” Does this message not refer to sys-usb itself?
Yes.
But why the message in the firewall tab says “This qube has direct network access. Therefore, Qubes firewall settings cannot be used. Configure other qubes’ network access in their network settings or in a dedicated firewall qube.” when the net qube has been set to none (haven’t touched the default).
Because it doesn’t use another qube to access the network. The access is “direct”. That message appears when you have “provides network” checked and no netVM selected. If provides network is not checked and no netVM is selected, it will say “This qube has no net qube. It will not have any network access anyway.”
To clarify, those messages only appear in the firewall tab when no netVM is selected. If no netVM is selected, it has no way to access a network, unless there is direct access via wifi, ethernet or usb adapter. In that case, it should have “provides network” selected. If provides network is not selected, it is assumed that the qube needs another qube to access a network.
Hope that makes sense. Not sure there is a better way to say it. 
Welcome to the forum. 
I think Robertelite is a spam account.
B
Oh the fool I am. 