Firewalls & secure network configuration

Perhaps someone can help clarify the nature of sys-firewall and other ways that firewalls are implemented with Qubes?

  1. My understanding of sys-firewall is that it primarily protects other VMs from DMA (Direct Memory Access) attacks that can occur due to the PCI hardware connectivity in sys-net. In other words, without sys-firewall (i.e. connecting AppVMs directly to sys-net), there is a greater risk of leaking information, regardless of whether or not a network firewall was configured inside of sys-net.

There is also very little discussion about modifying network firewall settings with sys-firewall. Conventional firewall configurations seem to be more common in ProxyVMs that are behind sys-firewall. Is it correct to assume that sys-firewall is less of a network firewall per se (i.e. IP filtering/port forwarding) and more of a “memory firewall” (albeit through the vif) …something unique to the world of virtual machines?

  2. When using a ProxyVM to set up a VPN service, I have seen several “how to” guides recommend configuring a network firewall within the ProxyVM. In terms of performance and security, how does that differ from configuring the same firewall settings in sys-firewall (or another intermediary VM)?

  3. I seem to recall someone advising the use of a secondary “firewall” VM between a standard (non-whonix) ProxyVM or (non-whonix) AppVM and sys-whonix. I don’t remember the rationale, but it had to do with the lack of hardening in non-whonix workstation VMs connected to whonix gateways. Let’s call it app-firegate for reference. So for example:

For a non-whonix VM connected to a whonix gateway:

Debian AppVM → app-firegate → sys-whonix → sys-firewall → sys-net

or for a non-whonix AppVM connected to Tor over VPN:

Debian AppVM → Debian ProxyVM (VPN) → app-firegate → sys-whonix → sys-firewall → sys-net

In the above configurations, does app-firegate offer any practical or theoretical security/privacy benefit or does it just waste system resources?

  4. Typically a network consists of a modem and router. What are the risks/differences of using a standard router (with a basic firewall configured) prior to connecting to a Qubes PC compared to connecting a modem directly to a Qubes PC? Is it possible to have the same basic level of privacy/security if network VMs are properly configured to account for a lack of a physical router in the network?

Similarly, are there potential security benefits of running something like pfSense in a VM (before, after or within sys-firewall), even with a physical router in the local network? Kinda like the virtual equivalent of a hardware firewall added to a network.

Perhaps these might be relevant:

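As a concrete version of the “network firewall within the ProxyVM” that the VPN how-to guides recommend, here is an added example (not code from this thread or from the Qubes project) of a VPN “kill switch” for a VPN qube on Qubes 4.2, which uses nftables. Everything specific in it is an assumption made for the example: the table name vpn_killswitch, the interface names (eth0 as the uplink to sys-firewall, tun0 as the tunnel, vif* for the downstream qubes), the sample endpoint 203.0.113.10 port 1194/udp, and the placement in /rw/config/qubes-firewall-user-script. The function only prints an nft script, so it can be inspected before being applied; it adds its own table beside Qubes’ own rules rather than flushing the ruleset, because a `flush ruleset` would also remove the NAT and filtering Qubes sets up for downstream qubes.

```shell
#!/bin/sh
# Added example (not Qubes' code): generate an nftables kill-switch ruleset
# for a VPN ProxyVM. Assumed names: table vpn_killswitch, uplink eth0,
# tunnel tun0, downstream interfaces vif*, endpoint 203.0.113.10:1194/udp.

# Crude dotted-quad check. The VPN endpoint must be an IP literal: once the
# uplink is locked down, the qube cannot resolve a hostname before the tunnel
# is up, so a hostname would leave it unable to connect at all.
is_ipv4() {
  case $1 in ''|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print an nft script that (a) forwards downstream qubes only through the
# tunnel and (b) lets nothing leave the uplink except the tunnel handshake.
# Arguments: server-ip port [uplink] [tunnel] [proto]
vpn_killswitch_rules() {
  server=$1; port=$2; uplink=${3:-eth0}; tun=${4:-tun0}; proto=${5:-udp}
  if ! is_ipv4 "$server"; then
    echo "vpn_killswitch_rules: VPN server must be an IPv4 literal, got '$server'" >&2
    return 1
  fi
  case $port in ''|*[!0-9]*)
    echo "vpn_killswitch_rules: bad port '$port'" >&2; return 1 ;;
  esac
  # "table ... ; delete table ..." makes the script idempotent without
  # touching Qubes' own "qubes" table.
  cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
  chain forward {
    type filter hook forward priority filter; policy drop;
    iifname "vif*" oifname "$tun" accept
    iifname "$tun" oifname "vif*" ct state established,related accept
  }
  chain output {
    type filter hook output priority filter; policy drop;
    oifname "lo" accept
    oifname "$tun" accept
    oifname "$uplink" ip daddr $server $proto dport $port accept
  }
}
EOF
}

# Usage inside the VPN qube's /rw/config/qubes-firewall-user-script (assumed):
#   vpn_killswitch_rules 203.0.113.10 1194 eth0 tun0 | nft -f -
```

Two caveats a practitioner would check after applying it: the chain policies are `drop`, so if the tunnel is down, downstream qubes lose connectivity rather than silently falling back to eth0 (that is the point); and DNS for the downstream qubes still follows the resolvers the VPN qube itself uses, so those need to be reachable through the tunnel or the leak the next post describes will show up in the router logs regardless of these rules. On Qubes 4.1 and earlier the same idea would have to be expressed with iptables.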


Yes, quite relevant! Thank you.

Still curious if anyone has thoughts about the viability of virtual firewalls running something like pfSense to further harden a network.

…And the implications of connecting a modem directly to a Qubes PC without a hardware router. Is that viable in a pinch or is it just plain bad to do?


Interesting questions! I’ve been thinking about the same things lately. I’d be curious if anyone has more info on the topic.

All the best!


After I went through my standard ISP-issued router logs I was shocked at how much was leaking despite running everything through VPN VMs.
Got a dedicated OPNsense box after that to really lock down traffic.
Both pfSense and OPNsense are quite heavy on resources, especially with Suricata intrusion detection enabled. I tried it once in a VM but can't remember if I even got it installed. In any case a dedicated hardware firewall is miles better.
Currently experimenting with a Portmaster VM.
