Perhaps someone can help clarify the nature of sys-firewall and other ways that firewalls are implemented with Qubes?
- My understanding of sys-firewall is that it primarily protects other VMs from DMA (Direct Memory Access) attacks that can occur due to the PCI hardware connectivity in sys-net. In other words, without sys-firewall (i.e. connecting AppVMs directly to sys-net), there is a greater risk of leaking information, regardless of whether or not a network firewall was configured inside of sys-net.
There is also very little discussion about modifying network firewall settings with sys-firewall. Conventional firewall configurations seem to be more common in ProxyVMs that are behind sys-firewall. Is it correct to assume that sys-firewall is less of a network firewall per se (i.e. IP filtering/port forwarding) and more of a “memory firewall” (albeit through the vif), something unique to the world of virtual machines?
When using a ProxyVM to set up a VPN service, I have seen several “how to” guides recommend configuring a network firewall within the ProxyVM. In terms of performance and security, how does that differ from configuring the same firewall settings in sys-firewall (or another intermediary VM)?
I seem to recall someone advising the use of a secondary “firewall” VM between a standard (non-whonix) ProxyVM or (non-whonix) AppVM and sys-whonix. I don’t remember the rationale, but it had to do with the lack of hardening in non-whonix workstation VMs connected to whonix gateways. Let’s call it app-firegate for reference. So for example:
For a non-whonix VM connected to a whonix gateway:
Debian AppVM → app-firegate → sys-whonix → sys-firewall → sys-net
or for a non-whonix AppVM connected to Tor over VPN:
Debian AppVM → Debian ProxyVM (VPN) → app-firegate → sys-whonix → sys-firewall → sys-net
In the above configurations, does app-firegate offer any practical or theoretical security/privacy benefit or does it just waste system resources?
- Typically a network consists of a modem and router. What are the risks/differences of using a standard router (with a basic firewall configured) prior to connecting to a Qubes PC compared to connecting a modem directly to a Qubes PC? Is it possible to have the same basic level of privacy/security if network VMs are properly configured to account for a lack of a physical router in the network?
Similarly, are there potential security benefits of running something like pfSense in a VM (before, after or within sys-firewall), even with a physical router in the local network? Kinda like the virtual equivalent of a hardware firewall added to a network.