I find the default qubes’ firewall ruleset to be awkward at best and a security/privacy risk at worst*. I don’t really feel like arguing about the details and I think I do understand the decision to make the defaults what they are, but I find it really disappointing there doesn’t seem to be an easy way to change them. There are no config files from what I see, the defaults are ‘hardcoded’ (actually just some .sh files) included with qubes-core-agent-linux
So what would be the easiest (laziest?) way to provide my own default firewall rules? I was thinking about hooking some qubes functions if at all possible (on create, on apply settings etc.) and have a custom script call qvm-firewall and do sanity checks. This rubs me the wrong way because I’m playing catch up for one, and I can’t even modify all the rules I want (although this one can be worked around by using qrexec to call iptables directly instead of qvm-firewall) The other way would be having my own version of qubes-core-agent and to make sure it somehow ends up in every guest vm and survives every update etc. Definitely too much work.
So is there a better way in the middle that I’m just not seeing?
* - if you use Qubes to ensure a vm is forced through a vpn so it can’t learn your real IP address, make sure all your sys-nets and sys-firewalls and proxy-vms are configured “correctly” and then run an udp traceroute from the ‘isolated’ vm to your vpn server…