Little help on firewall ports

Hello,

Does there exist a list of ports that must always be open for the normal functioning of Qubes OS? i.e. the list of ports at the fresh installation of Qubes OS. And which states (bidirectional / only incoming / only outgoing).

The reason is that I want to harden my firewall rules with a “reject first” policy. And I do not know which ports to leave open.

Thank you.

By default, no ports are open inbound, but established return traffic is allowed. (This applies at Qubes and individual qube level.)

By default there are no restrictions on outbound traffic from any qube.

Qubes will function properly entirely offline, except for (obviously) time set and checks for software updates, which should be disabled in this case.

1 Like

Thank you for your answer.

Let’s assume a classic scheme: sys-net -> sys-firewall -> workvm.

I guess there are no firewall-related scripts in sys-net.

About sys-firewall, I would expect the firewall scripts to be located in /rw/config/qubes-firewall-user-script , but it is empty. Where is the iptables script that controls the traffic the way you say?

> Thank you for your answer.
>
> Let’s assume a classic scheme: sys-net -> sys-firewall -> workvm.
>
> I guess there are no firewall-related scripts in sys-net.

No - just check and you will see that there are such rules.

> About sys-firewall, I would expect the firewall scripts to be located in /rw/config/qubes-firewall-user-script , but it is empty. Where is the iptables script that controls the traffic the way you say?

That script runs only when sys-firewall starts up (despite suggestions to the contrary.)

Look in /etc/qubes/iptables.rules , and compare that with your own examination from iptables/nft

1 Like
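An added check, not from the thread or from Qubes itself, that reads an iptables-save style dump (the form /etc/qubes/iptables.rules takes) and reports whether it matches the defaults described above: INPUT policy DROP with an established-return rule, OUTPUT unrestricted, and no inbound ports explicitly accepted. The dump embedded below is constructed; on a qube that still uses iptables rather than nft, feed it "$(iptables-save)" as root instead.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed iptables-save style dump,
# shaped like the defaults described above; not captured from a real qube.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# chain_policy DUMP CHAIN -> prints the default policy of CHAIN in the filter table
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# allows_established DUMP CHAIN -> 0 if CHAIN accepts RELATED,ESTABLISHED, else 1
allows_established() {
    printf '%s\n' "$1" | grep -q "^-A $2 .*--ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# open_inbound_ports DUMP -> prints destination ports explicitly accepted on INPUT
open_inbound_ports() {
    printf '%s\n' "$1" | sed -n 's/^-A INPUT .*--dport \([0-9:]*\) .*-j ACCEPT$/\1/p'
}

# audit DUMP -> 0 if the dump matches the defaults stated above, 1 otherwise;
# each deviation is printed so the operator knows what to compare against
audit() {
    dump="$1"; ok=0
    [ "$(chain_policy "$dump" INPUT)" = DROP ] || { echo "INPUT policy is not DROP"; ok=1; }
    allows_established "$dump" INPUT || { echo "INPUT lacks established-return rule"; ok=1; }
    [ "$(chain_policy "$dump" OUTPUT)" = ACCEPT ] || { echo "OUTPUT is restricted"; ok=1; }
    ports=$(open_inbound_ports "$dump")
    [ -z "$ports" ] || { echo "inbound ports explicitly open: $ports"; ok=1; }
    return $ok
}

# On a live qube (root, iptables in use): audit "$(iptables-save)"
audit "$SAMPLE_DUMP" && echo "matches the stated Qubes defaults"
```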

Thank you for your answer. Final clarifying questions:

  1. The networking IN and OUT is controlled by the same firewall scripts? I think it is, just want to double check with you.
  2. in every vm, there are by default only two firewall scripts (iptables.rules and qubes-firewall-user-script) that control the networking?
  3. the firewall scripts startup order is that first launches iptables.rules, then qubes-firewall-user-script?

  1. Yes, but you can add from /rw/config/rc.local (be careful, because
    this is triggered after the network is up)
  2. No - in most qubes, there is only one - qubes-firewall-user-script
    is only triggered in netvms that provide a firewall service.
  3. Yes. (see 2)

1 Like