FlatPak bypasses Qubes VM firewall

Clone the Debian Template into Flatpak

  1. sudo apt install flatpak
  2. sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
  3. RESTART

In any Flatpak-based VM, let's say Test VM:

  1. flatpak install flathub org.mozilla.firefox
  2. flatpak run org.mozilla.firefox

Test VM will bypass the rules of Limit Outgoing Connections in the Qubes Manager for Test VM.

If you are a Flatpak user make sure you add Flatseal (it is a MUST)


101% sure that you just missed something…
As the firewall rules are running on a firewall VM, no AppVM can ‘bypass it’.

Qube Manager → settings of the VM → Firewall → limit outgoing connections to a blank list. See if the Flatpak can still connect to the internet.

You can also check the log of the sys-firewall VM.

I am currently running Spotify from a Flatpak installation and just yesterday I had trouble updating it because it could not simply work around my firewall rules.

Check your firewall / networking settings. How do you connect the VM(s) to the Internet. Maybe, by accident, you connected the template directly to a net VM instead of a firewall VM?

Without modification, a template should not even be able to install a flatpak, because the software does not use the Qubes update proxy by default. You would need to connect your template to a netVM at first.

Moreover: it can’t be related to Flatpak, or any other application, as the firewall just doesn’t know (and doesn’t care) what application is initiating the connection.
Firewall rules are based on AppVMs (as a source IP).


Yes, the instructions as posted simply don’t (and can’t) produce a situation where the firewall is circumvented.
So the question is, what made OP think that the firewall rules were bypassed?

I tried limiting outgoing connections to a blank list in the Qube settings and Chromium passed too. There was an update since the posting which I did not apply yet. I guess the template is taken.

Again, I can’t reproduce your issue.
Limiting with a blank list blocks everything except DNS and ICMP.
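The test the replies above describe (set the qube's outgoing list to blank, then see what still gets out) can be scripted from dom0 so the result is not a matter of impression. The following is an added example, not code from the thread or from Qubes OS. It assumes the dom0 tool `qvm-run` with its `--pass-io` option and that it propagates the exit status of the command run inside the qube; the probe targets (`example.com`, `1.1.1.1`) and the qube name `TestVM` are assumed test values. The expected reachability table encodes the statement in the last reply: with a blank list, only DNS and ICMP are let through.

```python
"""Check from dom0 whether a qube's blank "limit outgoing connections" list
is actually enforced, as discussed in the thread (added example, not Qubes code)."""
import subprocess
import sys

# Expected reachability with a blank allow-list, per the thread:
# DNS and ICMP get through, everything else (here a TCP/443 connect) is dropped.
EXPECTED = {"dns": True, "icmp": True, "tcp443": False}

# Shell probes executed inside the qube; each exits 0 when the connection works.
# Targets are assumed test hosts, not taken from the thread.
PROBES = {
    "dns": "getent hosts example.com",
    "icmp": "ping -c 1 -W 2 1.1.1.1",
    "tcp443": "timeout 5 bash -c 'exec 3<>/dev/tcp/example.com/443'",
}


def run_in_qube(qube, command):
    """Run a shell command inside `qube` from dom0 and return its exit status.

    Assumption: qvm-run --pass-io returns the remote command's exit status."""
    return subprocess.run(
        ["qvm-run", "--pass-io", qube, "--", "bash", "-c", command],
        capture_output=True,
    ).returncode


def probe_qube(qube, run=run_in_qube):
    """Return {probe_name: reachable} for every probe in PROBES.

    `run` is injectable so the logic can be exercised without a Qubes system."""
    return {name: run(qube, cmd) == 0 for name, cmd in PROBES.items()}


def firewall_violations(observed, expected=EXPECTED):
    """Split observations into real bypasses and probes that were blocked
    although the policy should allow them (a broken network, not a bypass)."""
    bypassed = sorted(n for n, ok in observed.items() if ok and not expected[n])
    blocked = sorted(n for n, ok in observed.items() if not ok and expected[n])
    return {"bypassed": bypassed, "blocked_unexpectedly": blocked}


def check(qube, run=run_in_qube):
    """Probe the qube and report whether the blank-list policy held."""
    verdict = firewall_violations(probe_qube(qube, run))
    verdict["enforced"] = not verdict["bypassed"]
    return verdict


if __name__ == "__main__":
    # Usage from dom0 after setting the qube's outgoing list to blank in Qube Manager:
    #   python3 check_fw.py TestVM
    print(check(sys.argv[1] if len(sys.argv) > 1 else "TestVM"))
```

Run it once before and once after changing the firewall setting: a `bypassed` list containing `tcp443` after the blank list was applied is the evidence the thread asks for, while `blocked_unexpectedly` showing `dns` or `icmp` means the qube has no usable network path at all (for example a template not connected to any NetVM), which is a different problem.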