DNS is not blocked by qvm-firewall. Why?

Yeah, I know that. Hence I wrote “Not sure, how this could be beneficial for consistency”. Whether it is a good idea to have sys-net as upstream to enforce firewall rules is a different topic. It wouldn’t help with the OP’s issue of firewall rules not being consistently applied.

Well, it might. We don’t know and can’t reproduce how your system got into the state it did, but having a firewall qube that just does one thing removes some potential causes.

Just about configuring them, to be clear - nft should be solid once the rules are set up. Maybe systemd should be watching qubes-firewall.

If I can reproduce this in any way, I surely will create a GitHub issue, so core developers can judge if this is something to be fixed or works as intended.

All right, thanks to both of you!


Should be easy to confirm: kill the qubes-firewall process on the target netvm, try adding a new rule with qvm-firewall on dom0, verify the rule isn’t present with nft list ruleset on the netvm.