Does there exist a list of ports that must always be open for the normal functioning of Qubes OS, i.e. the list of ports open at a fresh installation of Qubes OS? And which states (bidirectional / only incoming / only outgoing)?
The reason is that I want to harden my firewall rules with a “reject first” policy, and I do not know which ports to leave open.
By default, no ports are open inbound, but established return traffic is allowed. (This applies at Qubes and individual qube level.)

By default there are no restrictions on outbound traffic from any qube.

Qubes will function properly entirely offline, except for (obviously) time set and checks for software updates, which should be disabled in this case.
Let’s assume a classic scheme: sys-net -> sys-firewall -> workvm.
I guess there are no firewall-related scripts in sys-net.
About sys-firewall, I would expect the firewall scripts to be located in /rw/config/qubes-firewall-user-script , but it is empty. Where is the iptables script that controls the traffic the way you say?
> Let’s assume a classic scheme: sys-net → sys-firewall → workvm.
> I guess there are no firewall-related scripts in sys-net.

No - just check and you will see that there are such rules.

> About sys-firewall, I would expect the firewall scripts to be located in /rw/config/qubes-firewall-user-script , but it is empty. Where is the iptables script that controls the traffic the way you say?

That script runs only when sys-firewall starts up (despite suggestions to the contrary).

Look in /etc/qubes/iptables.rules , and compare that with your own examination from iptables/nft.
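An added example, not code from this thread or from the Qubes project: a small Python audit that parses an iptables-save style dump and reports whether it matches the default posture described above (inbound closed, established return traffic accepted, outbound unrestricted) and which ports, if any, a rule actually opens. The sample dump is constructed for the example and stands in for what `iptables-save` or your own reading of `/etc/qubes/iptables.rules` would give you.

```python
import re

# Constructed sample in iptables-save format (not the contents of any real
# Qubes file); it mirrors the default the thread describes: nothing accepted
# inbound except return traffic for established flows, outbound unrestricted.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT
COMMIT
"""

def parse_filter_table(text):
    """Split the *filter table of an iptables-save dump into chain policies and rules."""
    policies, rules, in_filter = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith(("#", "COMMIT")):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def audit_posture(text):
    """Check a dump against the 'no inbound, established return traffic only' default."""
    policies, rules = parse_filter_table(text)
    inp = rules.get("INPUT", [])
    # A port counts as "open" only if a rule accepts new connections to it.
    open_ports = []
    for r in inp:
        m = re.search(r"--dport\s+(\S+)", r)
        if m and "-j ACCEPT" in r and "ESTABLISHED" not in r:
            open_ports.append(m.group(1))
    # Inbound is closed if the chain policy drops or a final catch-all rejects/drops.
    catch_all = bool(inp) and re.fullmatch(r"-A INPUT -j (DROP|REJECT)( .*)?", inp[-1]) is not None
    out_rules = rules.get("OUTPUT", [])
    return {
        "input_closed": policies.get("INPUT") == "DROP" or catch_all,
        "return_traffic_allowed": any("ESTABLISHED" in r and "-j ACCEPT" in r for r in inp),
        "output_unrestricted": policies.get("OUTPUT") == "ACCEPT"
            and not any(re.search(r"-j (DROP|REJECT)", r) for r in out_rules),
        "open_ports": open_ports,
    }

if __name__ == "__main__":
    print(audit_posture(SAMPLE_RULES))
```

Feed it `iptables-save` output from a qube instead of the sample to see which of the four properties your own rules actually satisfy before tightening them further.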