According to this GitHub issue, this guide should probably be reworked / updated.
Specifically:
- The supplied config file may need updating as it has outdated entries at lines 16-19.
- The Python script should probably be ported to Python 3 to not require installation of Python1 in “modern” templates.
- A workaround should be found for the lacking update functionality (see linked issue), if possible (or tested on Qubes 4.2 to see if the issue exists there).
I don’t really have expertise with any of this, but maybe someone has a more “up-to-date” implementation of this implementation here to share?
I’ve found this, which works on Qubes 4.1, but it has the limitation of requiring a separate proxyVM for each AppVM that wants to use this kind of filtering, while the solution in this guide is supposed to only require one proxyVM for multiple AppVMs. Another limitation of the linked alternative is that the proxyVM only starts up once the AppVM has started up fully already, which leads to a longer total startup time, as I have to wait for the AppVM to boot and then the proxyVM to boot, while the method in this guide should make both boot simultaneously, because the proxy is designated as the netvm of the AppVM (or even the firewall qube is used, in which case it’s probably already running).
This guide also doesn’t address the recommendation in the official documentation about having a second firewallVM between the “network service qube” (proxyVM) and the AppVM, though honestly I don’t quite understand why this is necessary. The three points listed there seem to not apply IMO, as “sys-firewall-1” still protects the firewall rules IIUC.