netVM and ClockVM?

hello dear Qubes community, I have a question about netVM and ClockVM.
When viewing the global settings, netVM is on sys-firewall, and ClockVM is on sys-net, both by default. Should I leave it like that?

one post about ClockVM that I have read was the following:

I’ve been able to get a quiet Qubes machine by:
Setting ClockVM to ‘None’ in Global Settings. This prevents NTP traffic in the chosen qube.

just as an example. i am thankful for any input about this.

What would happen if I set netVM or ClockVM to sys-whonix?

netvm: network won’t work at all in default config
clockvm: tor will only work if your clock is correct, which can be manually set

thank you. does it have any advantage to tweak the ClockVM setting (e.g. to sys-whonix)?

no, it’s better to set it to none and manually update the time if it’s wrong

ok, to reduce my data usage, right?
it doesn’t affect my fingerprint if i tweak it to “none” in any way, correct?

this is commonly used to force all traffic to go through tor

afaik, it can only be used to identify your timezone, ip, linux or windows, etc

if I tweak it to (none)? or always?

this is commonly used to force all traffic to go through tor

is it not forced over Tor if i leave it on sys-net?

this

yes, actually you can’t force it to go through tor, so people set it to none

cool. and netVM, should I leave it on sys-firewall or is there an alternative?

leave it on sys-net, or a custom netvm if you created any

this

what i wanted to know: is my fingerprint different if i tweak it to (none) in comparison to someone who left it on default? i don’t wanna increase my fingerprint.

leave it on sys-net, or a custom netvm if you created any

why is sys-net more suitable than sys-firewall?

yes,…

let’s assume netvm is the vm connected directly to the network interface
you’ll see why

but why is it the default then?
is it critical? if i tweak it, i would increase my fingerprint after all.

too obvious, compartmentalization

unless you want an air-gapped computer, yes

you should randomize your hostname (to DESKTOP-[random character]) as the default one increases fingerprint

good point. but the host name is the same unique name for every vm that I use. i want to have separate identities for each of my vms. isn’t that bad then?

only netvm hostname is identifiable outside your computer, internal one is not

alright, thank you.

let’s assume netvm is the vm connected directly to the network interface
you’ll see why

tbh i don’t understand why sys-net is better than sys-firewall for netVM. can you explain that rather noob-friendly?

yes, you can attach your network card to sys-firewall, but security is weakened then, so qubes devs added [1] sys-net so it has better compartmentalization → better security


  1. i guess