Firewalls & secure network configuration

Perhaps someone can help clarify the nature of sys-firewall and other ways that firewalls are implemented with Qubes?

  1. My understanding of sys-firewall is that it primarily protects other VMs from DMA (Direct Memory Access) attacks that can occur due to the PCI hardware connectivity in sys-net. In other words, without sys-firewall (i.e. connecting AppVMs directly to sys-net), there is a greater risk of leaking information, regardless of whether or not a network firewall was configured inside of sys-net.

There is also very little discussion about modifying network firewall settings with sys-firewall. Conventional firewall configurations seem to be more common in ProxyVMs that are behind sys-firewall. Is it correct to assume that sys-firewall is less of a network firewall per se (i.e. IP filtering/port forwarding) and more of a “memory firewall” (albeit through the vif) …something unique to the world of virtual machines?

  1. When using a ProxyVM to set up a VPN service, I have seen several “how to” guides recommend configuring a network firewall within the ProxyVM. In terms of performance and security, how does that differ from configuring the same firewall settings in sys-firewall (or another intermediary VM)?

  2. I seem to recall someone advising the use of a secondary “firewall” VM between a standard (non-whonix) ProxyVM or (non-whonix) AppVM when connecting to sys-whonix. I don’t remember the rationale, but it had to do with the lack of hardening in non-whonix workstation VMs connected to whonix gateways. Let’s call it app-firegate for reference. So for example:

For a non-whonix VM connected to a whonix gateway:

Debian AppVM → app-firegate → sys-whonix → sys-firewall → sys-net

or for a non-whonix AppVM connected to Tor over VPN:

Debian AppVM → Debian ProxyVM (VPN) → app-firegate → sys-whonix → sys-firewall → sys-net

In the above configurations, does app-firegate offer any practical or theoretical security/privacy benefit or does it just waste system resources?

  1. Typically a network consists of a modem and router. What are the risks/differences of using a standard router (with a basic firewall configured) prior to connecting to a Qubes PC compared to connecting a modem directly to a Qubes PC? Is it possible to have the same basic level of privacy/security if network VMs are properly configured to account for a lack of a physical router in the network?

Similarly, are there potential security benefits of running something like pfSense in a VM - (before, after or within sys-firewall), even with a physical router in the local network)? Kinda like the virtual equivalent of a hardware firewall added to a network.

Perhaps these might be relevent:



Yes, quite relevant! Thank you.

Still curious if anyone has thoughts about the viability of virtual firewalls running something like pfSense to further harden a network.

…And the implications of connecting a modem directly to a Qubes PC without a hardware router. Is that viable in a pinch or is it just plain bad to do?

1 Like

Interesting questions! I’ve been thinking about the same things lately. I’d be curious if anyone has more info on the topic

All the best!

1 Like

After I went through my standard ISP issued router logs I was shocked how much was leaking despite running everything through VPN VMs.
Got a dedicated opnsense box after that to really lock-down traffic.
both pfsense and opnsense are quite heavy on resources, especially with suricata intrusion detection enabled. I tried it once in VM but cant remember if I got it even installed. In any case a dedicated hardware firewall is miles better.
Currently experimenting with portmaster VM.

1 Like

The fact that much was leaking considering you were running everything thorugh a vpn is concerning. What sort of traffic was leaking? And how much exactly? What could your ISP see?

I know that we are here resurrecting an old thread from the graveyard, but I really don’t understand why people seem to trust their VPN provider more than they trust their ISP. How is your VPN provider any more trustworthy than your ISP? I understand using Tor, Freenet or similar to provide stronger anonymity guarantees, but VPN providers don’t inspire to me any more confidence that the run of the mill ISP. Yes, I could be wrong but I would like a facts based discussion to learn more.

1 Like

In some countries, you can’t trust the government or the ISP, and using a VPN from a provider with a good reputation is safer than using the local ISP.

A VPN provider with good reputation as guaranteed by whom? Call me skeptical or paranoid, but there have been enough cases of VPN providers leaking sensitive information to make me wary…

Let’s say you are a gay man living in parts of the Middle East where being homosexual could get you jailed or killed, would you trust the local ISP more than you would Mullvad or Proton?

I would trust neither. I’d rather route everything through Tor and reduce the chance for a single actor to collect all of the data in a single place (that place being the ISP or the VPN provider). And if you are extra concerned, perhaps something like freenet or .onion sites without access to the general internet would be slightly more anonymous.

Choosing between ISP or VPN provider is just picking your poison, IMO.

If you think any VPN and any ISP anywhere in the world is exactly equal in terms of trustworthiness, then I don’t really know what to say, IMO you are wrong.

But you are right about Tor providing the best anonymity, but it’s also tedious to use as your daily driver.

1 Like

In the majority of countries ISPs are mandated by law to collect and store your information, searches, location data etc. So with an ISP you are pretty much certain to be spied on. With a vpn that has a stric no logs policy, you might get spied, you may not, but given that with your ISP it’s a certainity, the mere fact that you may or may not get spied on while on a vpn is already an improvement.

Also, if your vpn is a provider that has been in the market for a long time, more than a decade in mullvad’s case. There is no evidence of logging for that, considerable, period of time, has received multiple security audits by well known and independent third parties, is open source, whenever LE attempted to get data from such a provider with a court order they got nothing, if it is endorsed and used by people with aggressive threat models, people that would be in prison or worse if the provider was secretely keeping logs, then, in such a case, you will be muuuch better with that vpn than with your run of the mill ISP. TBB is still better than a vpn, but a good vpn is miles ahead of your ISP.

VPNs also provide some security benefits, when using http connections, when on public wifi, etc.

1 Like

Well, while I am concerned about oppressive governments, I’m more concerned with ineptitude and common criminals. The single point of collection that an ISP and a VPN provider creates a higher exposure from my standpoint than an encrypted distributed routing protocol (Tor, freenet, etc.). Anyway, each person performs their own threat modeling and decide which risks they can accept and which they must mitigate, right?

I am sure being a gay could get you killed in every country on Earth, but you probably meant on countries where it is forbidden by law, otherwise the example is pointless as I pointed out. But, let’s say you would want to sell chewing tobacco in EU, since that is forbidden. Would you use VPN or tor, or i2p, or…

The question wasn’t which is best, it’s why would someone trust their VPN more than their ISP.

Yes. sorry. So let’s say you would want to sell chewing tobacco in EU, would you trust more to your ISP or your VPN?

Obviously I would trust my vpn more than my ISP. No contest

So, you would sell?

Tricky question! :slight_smile:

I wouldn’t sell and I wouldn’t trust either