How to clone firewall settings to another qube?

Hi,

I figured that firewall settings for qube XYZ are stored in /var/lib/qubes/appvms/XYZ/firewall.xml, so I copy my desired firewall.xml from another qube to the destination - the newly created XYZ qube.

Then, I run qvm-firewall --raw XYZ and it tells me action=accept, i.e. not what the firewall.xml states. I found that rebooting Qubes results in correct qvm-firewall output. I still wonder:

Is there a way to have the correct firewall result without rebooting?

Also, is my overall approach correct, or is there a better way to clone the firewall of one qube into another?

1 Like

You could systemctl restart qubesd, followed by qvm-firewall --reload VMNAME if the VM is already running.

But the proper approach would be:

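```python
#!/usr/bin/python3

import qubesadmin

# Connect to qubesd through the Admin API
app = qubesadmin.Qubes()
src_vm = app.domains["foo"]
dst_vm = app.domains["bar"]

# Replace the destination qube's rules with the source qube's rules
dst_vm.firewall.save_rules(src_vm.firewall.rules)
```

4 Likes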

Thanks!

I am trying to make this as a part of a bash script. Is there a way to avoid Python?

1 Like

```bash
qvm-firewall --raw -- "$src_vm" |
qubesd-query --fail -- dom0 admin.vm.firewall.Set "$dst_vm" >/dev/null
```

1 Like

This doesn’t give guarantees it worked by looking at the exit code I assume?

1 Like

You could make the python script a one liner in your shell script?

1 Like

With --fail an admin.vm.firewall.Set API error would result in a non-zero exit code.

This could also be rewritten to ensure that we successfully got the full original ruleset before attempting to clone it:

```bash
rules=$(qvm-firewall --raw -- "$src_vm") &&
qubesd-query --fail -- dom0 admin.vm.firewall.Set "$dst_vm" <<<"$rules" >/dev/null
```

3 Likes
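The read-then-set clone from the thread, extended with a read-back check so the exit code reflects whether the destination really ended up with the source rules. This is an added example, not code from any of the posts. The function name, the exit codes and the `QVM_FIREWALL`/`QUBESD_QUERY` override variables are assumptions of this example, as is the expectation that `qvm-firewall --raw` returns the rules in the same text form on read-back.

```shell
#!/bin/sh
# Added example: clone firewall rules from one qube to another in dom0 and
# verify the result. QVM_FIREWALL and QUBESD_QUERY are hypothetical override
# variables (not Qubes settings); they default to the tools used in the thread.
#
# Exit codes (chosen for this example):
#   0 cloned and verified      2 could not read source rules
#   4 admin.vm.firewall.Set failed
#   5 could not re-read destination   6 destination differs from source
#
# Usage in dom0: clone_firewall foo bar && echo "firewall cloned"

clone_firewall() (
    src_vm=$1 dst_vm=$2
    get=${QVM_FIREWALL:-qvm-firewall}
    set_api=${QUBESD_QUERY:-qubesd-query}

    # 1. Fetch the complete source ruleset before touching the destination,
    #    so a failed or partial read can never be pushed as the new ruleset.
    rules=$("$get" --raw -- "$src_vm") ||
        { echo "cannot read firewall rules of $src_vm" >&2; exit 2; }

    # 2. Apply. --fail turns an admin.vm.firewall.Set API error into a
    #    non-zero exit status, which is the pipeline's status here.
    printf '%s\n' "$rules" |
        "$set_api" --fail -- dom0 admin.vm.firewall.Set "$dst_vm" >/dev/null ||
        { echo "admin.vm.firewall.Set failed for $dst_vm" >&2; exit 4; }

    # 3. Read the destination back and compare with what was sent.
    applied=$("$get" --raw -- "$dst_vm") ||
        { echo "cannot re-read firewall rules of $dst_vm" >&2; exit 5; }
    [ "$applied" = "$rules" ] ||
        { echo "rules of $dst_vm differ from $src_vm after Set" >&2; exit 6; }
)
```
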

Great. Thank you!