Though it seems the original question was answered, here are some bullet points from what I have learned over time regarding implementation details:
- The qubes firewall service is enabled by default in NetVMs and ProxyVMs. It can be disabled by adding the `qubes-firewall` service to the Services, but leaving the box unchecked.
- As mentioned previously, this service is explicitly disabled in sys-whonix, and replaced by the Whonix Firewall.
- The Whonix Firewall does not have the ability to apply host-based blocking rules, without manual configuration on the gateway qube itself.
- The `qubes-firewall` application is a service that is run at boot of the Net/ProxyVM ("FirewallVM"). Info: `systemctl status qubes-firewall`
- `qubes-firewall` sets up initial rules using nftables (if available) or iptables.
  - On Debian, iptables uses an nftables backend, so using the `iptables` or `nft` commands does the same thing.
  - On Fedora, there is divergence - see Issue #5031. `qubes-firewall` ends up using `nft` to set up its rules, but those rules will not be seen when running `iptables` commands. Therefore, usage of `nft` is required to inspect the rules.
- When a qube is attached to the FirewallVM, `qubes-firewall` within the FirewallVM is notified, and it sets up the appropriate rules for the attached qube using `nft` or `iptables`, which at minimum enables IP forwarding. If there are Firewall rules for the qube in question, additional rulesets are added to the appropriate netfilter forwarding chain within the FirewallVM.
- If hostnames are used for an attached qube's firewall rules, the FirewallVM must succeed in resolving the hostname; otherwise, ALL traffic to the attached qube will be blocked and the qube will appear to not have internet access. I hear this issue commonly when people have involved "VPN" qubes and have extra firewall rules.
@anon, I believe what @unman is referring to is that any attached qube to the FirewallVM which is then attached to sys-whonix will appear to have the same IP address as the FirewallVM. This could result in Tor building a single circuit that will be shared by the attached qubes. This would then give both qubes the same exit IP, which may be undesired if isolation between activities in the attached qubes is sought.
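The hostname failure mode described in the post above (a `dsthost=` rule the FirewallVM cannot resolve leaves the attached qube with all traffic dropped) is easy to reproduce by hand but easier to check before attaching the qube. The following is an added example and is not code from the post's author or from the Qubes OS `qubes-firewall` service itself. It assumes (an assumption made for this example) that per-qube rules are `key=value` lines of the form `action=accept dsthost=example.com proto=tcp dstports=443-443`, resolves every `dsthost=` the way the FirewallVM would, and reports whether the rule set would be applied or would fail closed. The resolver is injectable; a constructed offline table is included so the example runs without network access.

```python
"""Dry-run check for hostname-based qube firewall rules (added example).

Assumption for this example: rules are 'key=value' lines such as
"action=accept dsthost=example.com proto=tcp dstports=443-443".
"""
import socket
from typing import Callable, Dict, List, Tuple

Rule = Dict[str, str]
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the FirewallVM's own resolver (IPv4 only); raises OSError on failure."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def parse_rule(line: str) -> Rule:
    """Parse one 'key=value key=value' rule line; reject malformed tokens."""
    fields: Rule = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token {token!r} in rule {line!r}")
        fields[key] = value
    if fields.get("action") not in ("accept", "drop"):
        raise ValueError(f"rule {line!r} has no valid action")
    return fields


def expand_rule(rule: Rule, resolver: Resolver) -> List[Rule]:
    """Replace a dsthost= rule with one dst4= rule per resolved address.

    Resolution happens inside the FirewallVM, so a name it cannot resolve
    (OSError, or an empty answer) propagates as an error.
    """
    host = rule.get("dsthost")
    if host is None:
        return [rule]
    addrs = resolver(host)
    if not addrs:
        raise OSError(f"no IPv4 address for {host}")
    expanded = []
    for addr in addrs:
        resolved = {k: v for k, v in rule.items() if k != "dsthost"}
        resolved["dst4"] = addr + "/32"
        expanded.append(resolved)
    return expanded


def dry_run(lines: List[str], resolver: Resolver = system_resolver) -> Tuple[str, List[str]]:
    """Report what applying these rules would do for an attached qube.

    Returns ("applied", <expanded rules as 'key=value' strings>) when every
    hostname resolves, or ("fail-closed", <unresolved hostnames>) when any
    does not: the qube then gets no usable rule set and all of its traffic
    is dropped, which is what shows up as "no internet access".
    """
    expanded: List[str] = []
    unresolved: List[str] = []
    for line in lines:
        rule = parse_rule(line)
        try:
            for r in expand_rule(rule, resolver):
                expanded.append(" ".join(f"{k}={v}" for k, v in r.items()))
        except OSError as exc:
            unresolved.append(f"{rule['dsthost']} ({exc})")
    if unresolved:
        return "fail-closed", unresolved
    return "applied", expanded


# Constructed offline DNS table (documentation-range addresses) so the example runs offline.
CONSTRUCTED_DNS = {
    "updates.example": ["192.0.2.10", "192.0.2.11"],
    "vpn-gateway.example": ["203.0.113.5"],
}


def constructed_resolver(hostname: str) -> List[str]:
    try:
        return CONSTRUCTED_DNS[hostname]
    except KeyError:
        raise OSError(f"NXDOMAIN for {hostname}")


# Constructed rule sets; the second references a name the "FirewallVM" cannot resolve.
GOOD_RULES = [
    "action=accept dsthost=updates.example proto=tcp dstports=443-443",
    "action=accept dst4=10.137.0.1/32 proto=udp dstports=53-53",
    "action=drop",
]
BAD_RULES = [
    "action=accept dsthost=vpn-gateway.example proto=udp dstports=1194-1194",
    "action=accept dsthost=does-not-exist.invalid proto=tcp dstports=443-443",
    "action=drop",
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        status, detail = dry_run(rules, constructed_resolver)
        print(f"{name}: {status}")
        for item in detail:
            print("   ", item)
```

Run it with the default `system_resolver` inside the FirewallVM (not from dom0) so that resolution uses the same DNS path `qubes-firewall` would use; a "VPN" qube whose tunnel is down will typically show up as `fail-closed` here even though the rules look fine on paper.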