How is the QubesOS firewall implemented?

Though it seems the original question was answered, here are some bullet points from what I have learned over time regarding implementation details:

  1. The qubes firewall service is enabled by default in NetVMs and ProxyVMs. It can be disabled by adding the qubes-firewall service to the Services, but leaving the box unchecked.
     • As mentioned previously, this service is explicitly disabled in sys-whonix, and replaced by the Whonix Firewall.
     • The Whonix Firewall does not have the ability to apply host-based blocking rules, without manual configuration on the gateway qube itself.

  2. The qubes-firewall application is a service that is run at boot of the Net/ProxyVM (“FirewallVM”). Info: systemctl status qubes-firewall

  3. qubes-firewall sets up initial rules using nftables (if available) or iptables.
     • On Debian, iptables uses an nftables backend, so using the iptables or nft commands does the same thing.
     • On Fedora, there is divergence - see Issue #5031. qubes-firewall ends up using nft to set up its rules, but those rules will not be seen when running iptables commands. Therefore, usage of nft is required to inspect the rules.

  4. When a qube is attached to the FirewallVM, qubes-firewall within the FirewallVM is notified, and it sets up the appropriate rules for the attached qube using nft or iptables, which at minimum enables IP forwarding. If there are Firewall rules for the qube in question, additional rulesets are added to the appropriate netfilter forwarding chain within the FirewallVM.

  5. If hostnames are used for an attached qube’s firewall rules, the FirewallVM must succeed in resolving the hostname; otherwise, ALL traffic to the attached qube will be blocked and it will appear to not have internet access. I hear about this issue commonly when people have involved “VPN” qubes and have extra firewall rules.

@anon, I believe what @unman is referring to is that any attached qube to the FirewallVM which is then attached to sys-whonix will appear to have the same IP address as the FirewallVM. This could result in Tor building a single circuit that will be shared by the attached qubes. This would then give both qubes the same exit IP, which may be undesired if isolation between activities in the attached qubes is sought.
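To make the per-qube rule generation and the "hostname fails to resolve, so everything is blocked" behaviour from point 5 concrete, here is an added illustrative model (not qubes-firewall's own code): it renders nft-style forward rules for one attached qube from a small rule list, with the resolver injected so the failure case can be exercised offline. The rule dictionary format, the function names and the sample addresses are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hypothetical resolver signature: hostname -> IPv4 string, or None on failure.
Resolver = Callable[[str], Optional[str]]

def dns_resolver(hostname: str) -> Optional[str]:
    """Resolve with the FirewallVM's own DNS; None means resolution failed."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None

def build_forward_rules(qube_ip: str, rules: List[Dict[str, str]],
                        resolve: Resolver, default: str = "drop") -> List[str]:
    """Render nft-style forward rules for one attached qube (illustrative model).

    Each rule is {"action": "accept"|"drop", "dst": <host or CIDR>,
    optionally "proto" and "dport"}.  Hostnames are resolved inside the
    FirewallVM; if any lookup fails the whole ruleset collapses to a single
    drop, which is the "no internet at all" symptom described in point 5.
    """
    lines: List[str] = []
    for rule in rules:
        dst = rule["dst"]
        try:
            net = ipaddress.ip_network(dst, strict=False)
            dst_expr = str(net.network_address) if net.num_addresses == 1 else str(net)
        except ValueError:
            # Not an address or CIDR: treat it as a hostname and resolve it.
            resolved = resolve(dst)
            if resolved is None:
                # Fail closed: block everything from the qube.
                return [f"ip saddr {qube_ip} drop"]
            dst_expr = resolved
        parts = [f"ip saddr {qube_ip}", f"ip daddr {dst_expr}"]
        if "proto" in rule and "dport" in rule:
            parts.append(f"{rule['proto']} dport {rule['dport']}")
        parts.append(rule["action"])
        lines.append(" ".join(parts))
    lines.append(f"ip saddr {qube_ip} {default}")  # default policy trailer
    return lines

if __name__ == "__main__":
    # Constructed sample: one host by name, one CIDR; fake DNS instead of dns_resolver.
    fake_dns = {"updates.example.org": "203.0.113.10"}
    rules = [{"action": "accept", "dst": "updates.example.org", "proto": "tcp", "dport": "443"},
             {"action": "accept", "dst": "192.0.2.0/24"}]
    print("\n".join(build_forward_rules("10.137.0.5", rules, fake_dns.get)))
    print(build_forward_rules("10.137.0.5", rules, lambda h: None))  # unresolved: drop-all
```

Running it against a FirewallVM's real resolver (`dns_resolver`) is a quick way to confirm whether a hostname-based rule would resolve there before blaming the VPN qube.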
