(IIRC quoting in replying via e-mail didn’t work on the forum, but it may be fixed by now, idk.)
I notice that “>” prefixed lines appear indented in the forum, so it seems to work fine. I use that when I reply by email.
- Assuming the doc network infrastructure Qubes OS uses nft to dynamically create rules for [client qubes] inside sys-firewall-2. If you don’t have sys-firewall-2 it’ll use the [network service qube] and so on.
If that is to be documented, it should come with a reminder that it applies only if the upstream qube (be that sys-firewall-2 or the [network service qube]) has qubes-core-agent-networking installed.
Qubes firewall rules for the [network service qube] are implemented by Qubes OS inside sys-firewall-1 (= the next downstream/upstream qube from [network service qube] perspective).
I suppose you mean the rules introduced through [network service qube]'s Settings tab (or through qvm-firewall). As shown in both guides above, we cannot possibly avoid using firewall rules in the [network service qube] itself. Or can we?
- If [network service qube] is e.g. used for VPN […]
Currently, I am looking for a way to restrict a Whonix-based qube to access only specific host(s) through Tor. Is that documented/discussed somewhere? Or can you suggest how to do it?
To avoid going off-topic, I am opening another thread for this, and I hope you can comment there:
Qubes 4.2 only uses nft.
Excellent.