Different update proxy for dom0 & templates

I just did a fresh install of Qubes and noticed that by default the update proxy for dom0 is sys-firewall, while for templates it’s sys-net.

What is the reason for this difference?

That is a good question.

The mechanisms are completely different.
Templates use tinyproxy, whereas dom0 uses qubes-dom0-update (and
separate qvm-template).
The template proxy is set in /etc/qubes/policy.d/50-config-updates.policy.
The dom0 proxy is set using qubes-prefs.
Both can be set using the Qubes Global Config GUI.
They can be set to use the same qube, which need not be the defaults - which
is the first thing I do on a fresh install.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
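The comparison described in the post above, as an added shell example that is not part of the thread or of the Qubes project: it reads the template update proxy from qrexec policy text and compares it with the dom0 update qube. The service name `qubes.UpdatesProxy` and the `updatevm` property are the real Qubes names as far as I know but do not appear on this page; the policy lines are a constructed sample.

```shell
#!/bin/sh
# Audit sketch: do dom0 and templates update through the same qube?

# Constructed sample in qrexec policy syntax:
#   service  argument  source  destination  action  [params]
sample_policy() {
    cat <<'EOF'
# constructed sample, not copied from a real install
qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=sys-net
EOF
}

# Print the target qube of the first qubes.UpdatesProxy rule whose source is
# @type:TemplateVM. Policy is first-match, so a non-allow rule found first is
# reported as "(action)". Rules for tags or single templates are ignored here.
# Reads the files given as arguments, or stdin when there are none.
template_proxy() {
    awk '
        $1 == "qubes.UpdatesProxy" && $3 == "@type:TemplateVM" {
            if ($5 != "allow") { print "(" $5 ")"; exit }
            for (i = 6; i <= NF; i++)
                if ($i ~ /^target=/) { print substr($i, 8); exit }
            exit
        }
    ' "$@"
}

# $1 = dom0 update qube; remaining arguments = policy files (stdin if none).
compare_proxies() {
    dom0=$1
    shift
    tmpl=$(template_proxy "$@")
    if [ -z "$tmpl" ]; then
        echo "unknown"
    elif [ "$tmpl" = "$dom0" ]; then
        echo "same:$tmpl"
    else
        echo "differ:dom0=$dom0,templates=$tmpl"
    fi
}

# In dom0 this would be:
#   compare_proxies "$(qubes-prefs updatevm)" /etc/qubes/policy.d/50-config-updates.policy
# Offline demo using the defaults reported in the first post:
sample_policy | compare_proxies sys-firewall
```

Only the rule covering all templates is inspected, so a template matched earlier by a tag or by name can still use a different proxy than the one reported.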

Sorry for the late reaction. So which qube do you use as an update proxy for both dom0 and templates?

sys-whonix?

I prefer using sys-whonix as the update proxy for both dom0 and templates. It provides an added layer of anonymity and security during updates. However, I think it ultimately depends on your specific use case and how you want to balance security with performance.

When you have sys-whonix as the update proxy for dom0, and you install software in dom0 or the template, does that also go via sys-whonix then?

Qubes Global Config → Updates → “Dom0 update proxy” set to sys-whonix:
Your dom0 updates using Qubes Update tool and templates downloaded using Qubes Template Manager / qvm-template in dom0 will go through sys-whonix.

Qubes Global Config → Updates → “Default update proxy” set to sys-whonix:
Your template updates using Qubes Update tool will go through sys-whonix.