Firewall rules ignored

Hi,

I have a sys-vpn qube set up, to which sys-whonix provides networking.
In sys-vpn I have Mullvad running over WireGuard with udp2tcp so it's compatible with Tor.

I ran the following in dom0:

qvm-firewall sys-vpn reset
qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (my vpn server's ip)
qvm-firewall sys-vpn del --rule-no 0

However, after disconnecting the VPN and running

curl icanhazip.com

I still get my Tor exit node IP.
Any clue what could be going on?

Firewall rules are applied in a qube's netvm, and sys-whonix does not support holding firewall rules.

Create a qube providing network from the default-dvm template and add it between sys-whonix and sys-vpn; it will hold the firewall rules.

More information here:
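The wiring described in the reply above, as an added example that is not part of the original post or of the Qubes project's own scripts: a dom0 script that creates a network-providing disposable between sys-whonix and sys-vpn and then installs the rules from the question on sys-vpn, where they will now be enforced by the new qube. The qube name sys-vpn-fw and the server address 1.2.3.4 are assumptions (the latter is the placeholder from the question); the DRY_RUN switch prints the plan instead of executing it so it can be reviewed before anything in dom0 changes.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Qubes project.
# Builds the chain  sys-whonix -> sys-vpn-fw -> sys-vpn  in dom0 so that
# sys-vpn's firewall rules are held by a qube that supports them.
# Assumptions: the firewall qube is named sys-vpn-fw, the VPN server is
# 1.2.3.4 (placeholder from the question) and default-dvm exists.

FW_QUBE="${FW_QUBE:-sys-vpn-fw}"
VPN_SERVER="${VPN_SERVER:-1.2.3.4}"

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_firewall() {
    # 1. A named disposable based on default-dvm that provides networking
    #    and itself uses sys-whonix as its netvm.
    run qvm-create --class DispVM --template default-dvm --label orange "$FW_QUBE"
    run qvm-prefs "$FW_QUBE" provides_network True
    run qvm-prefs "$FW_QUBE" netvm sys-whonix

    # 2. Point sys-vpn at the new firewall qube instead of sys-whonix.
    run qvm-prefs sys-vpn netvm "$FW_QUBE"

    # 3. The rules from the question: only the VPN server is reachable.
    #    They are set on sys-vpn but enforced in its netvm, sys-vpn-fw.
    run qvm-firewall sys-vpn reset
    run qvm-firewall sys-vpn add accept dsthost="$VPN_SERVER"
    run qvm-firewall sys-vpn del --rule-no 0
}

case "${1:-}" in
    --dry-run) DRY_RUN=1 setup_vpn_firewall ;;
    --apply)   setup_vpn_firewall ;;
esac
```

Run it as `sh setup-vpn-fw.sh --dry-run` first and `--apply` once the printed commands look right. Afterwards, repeating the `curl icanhazip.com` test from the question with the VPN disconnected should fail rather than return the Tor exit IP, because the only destination sys-vpn-fw lets through is the VPN server.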


Oh my god Solene, you are so beautiful, I love you <3

Solved.

While you're here, I have another question (although this is quite off topic for this thread).

Do you have any clue why, whenever I try making requests on the qubes that sys-vpn provides internet to, nothing goes through EXCEPT when I (for example in Firefox) set my proxy to the one Mullvad provides (10.64.0.1)? Very odd, but I can't really think of any reason.

It sounds like DNS problems to me.

Can you ping 8.8.8.8 but not google.fr? (Pick the domain of your choice.)

Indeed I can.

How can issues with DNS only appear on the qubes that internet is being provided to, and not on the one which provides it?

If you do this and connect any other qubes to that firewall, then there is a risk of breaking anonymity, because sys-whonix will see all traffic as originating from the same IP - that of the firewall. This may be fine for your threat model. Or not.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Is there a workaround to this?

Don't connect two qubes to the same firewall.
Don't interject a firewall.
Don't use Whonix.


The easy solution IMO would be to have a firewall qube for the vpn qube, and continue to use sys-whonix as a netvm for all other qubes that need to go through tor but do not need firewall rules.

Just now rereading this, and (excuse my weak knowledge of Qubes) I'm not quite sure what you mean.

By "that firewall", are you talking about the qube between sys-whonix and sys-vpn?
Also, how does sys-whonix seeing traffic originating from the firewall's IP risk breaking anonymity? In the case of compromise, you mean?

Yes.

Since the firewall masquerades all traffic, the netvms will see all traffic as originating from the same IP address - this means there is a risk that streams from different qubes will not be isolated. (Not obviously a problem for guarding VPN.)
