How to Emulate the Qubes Firewall in a Vanilla Debian Setup with VPN Protection?

Hello, I am planning to transition to a vanilla Debian setup for personal reasons. However, I am concerned that I might lose the firewall settings provided by Qubes, which prevent network attacks from the outside and block all incoming connections.

I was wondering if there is a way to emulate the Qubes firewall settings on a vanilla Debian system. Specifically, I want to ensure that all incoming connections are blocked and that I am protected from network attacks while using a VPN.

If anyone could offer any advice or guidance on this matter, I would greatly appreciate it. Thank you in advance!

Just make sure the qubes-firewall service is enabled:

qvm-service VMNAME qubes-firewall on

You may benefit from reading “what firewalling in Qubes is, and what it is not”: https://groups.google.com/g/qubes-devel/c/niMbDhS_nWI

More info here: Firewall | Qubes OS

I want to emulate Qubes firewall on my Debian setup… Copy the firewall configuration from the firewall VM

What do you mean by “your Debian setup”? Can you not just switch the template of the sys-firewall VM?

I bought a new computer and installed Debian on it… however, the ports are open by default and incoming connections are not blocked.

I want to implement Qubes' battle-tested firewall on my new computer with Debian installed.

Just block all incoming and allow the outgoing ports you need.

I want to implement Qubes' battle-tested firewall.

This is how you drop all incoming connections with iptables.

# iptables-restore format: save it to a file and load it with
#   iptables-restore < /path/to/rules
*filter
# Default policies: drop unsolicited input and forwarding, allow all output.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chains for new connections. They are empty here, so nothing is reachable
# from outside; add ACCEPT rules to them for the ports you want to open.
:TCP - [0:0]
:UDP - [0:0]
# Allow replies to connections this host initiated, and all loopback traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Hand new UDP datagrams and new TCP SYNs to the user chains above.
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
# Anything not accepted in those chains is rejected (a clean refusal instead of a timeout).
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
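As an added example (not code from the thread), here is a small Python evaluator for the ruleset above: it parses the iptables-restore text and walks the INPUT chain the way netfilter would, so you can see what happens to an inbound SSH SYN, a reply to your own connection, or a stray UDP probe before loading it on a real machine. The packet dicts and their fields (iface, proto, ctstate, tcp_flags) are constructed for the example.

```python
# Added example, not from the thread: toy evaluator for the posted ruleset (packets are constructed dicts).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

def parse(text):  # -> ({chain: policy}, {chain: [rule dict]}); handles only the options used above
    policies, chains = {}, {}
    for line in text.splitlines():
        t = line.split()
        if line.startswith(":"):                  # ":NAME POLICY [pkts:bytes]"; policy "-" = user chain
            policies[t[0][1:]], chains[t[0][1:]] = t[1], []
        elif line.startswith("-A"):               # "-A CHAIN <matches> -j TARGET [--reject-with X]"
            r = {"target": t[t.index("-j") + 1]}
            opts = {"-i": "iface", "-p": "proto", "--reject-with": "reject"}
            for i, tok in enumerate(t):
                if tok in opts: r[opts[tok]] = t[i + 1]
                elif tok == "--ctstate": r["ctstate"] = set(t[i + 1].split(","))
                elif tok == "--tcp-flags": r["flags"] = (set(t[i + 1].split(",")), set(t[i + 2].split(",")))
            chains[t[1]].append(r)
    return policies, chains

def _match(r, p):  # every criterion the rule states must hold; absent criteria match anything
    mask, comp = r.get("flags", (set(), set()))   # --tcp-flags MASK COMP: flags within MASK must equal COMP
    return (r.get("iface", p["iface"]) == p["iface"]
            and r.get("proto", p["proto"]) == p["proto"]
            and p["ctstate"] in r.get("ctstate", {p["ctstate"]})
            and p.get("tcp_flags", set()) & mask == comp)

def verdict(pkt, chain="INPUT", tables=parse(RULESET)):
    policies, chains = tables
    for r in (r for r in chains[chain] if _match(r, pkt)):
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"] + (" " + r["reject"] if "reject" in r else "")
        sub = verdict(pkt, r["target"], tables)   # jump into the TCP/UDP user chain
        if sub:                                   # an empty user chain returns None: fall through
            return sub
    return None if policies[chain] == "-" else policies[chain]   # built-in chains end in their policy
```

With the chains left empty, a new SYN to any port yields "REJECT tcp-reset", while replies to connections you opened (ctstate ESTABLISHED) are accepted, which is exactly the "block all incoming, allow outgoing" behaviour asked for.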