Introduction
This setup is only useful for people who want to block all traffic that does not go through a VPN or Tor.
By default, Qubes OS checks for template updates from the running qubes themselves, which generate traffic through their current netvm. Some people consider this a privacy issue because the check queries the Qubes OS package repository, which immediately flags the user as a Qubes OS user.
Even if you use sys-whonix or a VPN qube as the netvm for all your qubes, there are three qubes that could leak network traffic because they sit before the VPN/Tor qube in the netvm chain: sys-net, sys-firewall and sys-usb.
Explanations
The idea is to block all traffic generated by sys-usb, sys-firewall and sys-net themselves, while still allowing them to route traffic for other qubes so that networking keeps working. Although sys-usb should not have network access, it is actually configured as a "provides network" qube for the case where you plug in a USB network adapter.
Because this is a software solution, it cannot guarantee against leaks after an update or a misconfiguration. For a more leak-proof solution, use a hardware gateway between Qubes OS and the real network to block any unwanted traffic leak.
Disabling the update check for these qubes may be enough, but blocking all of their traffic adds an extra layer of security.
Setup
Disable update check
Run the commands in a terminal from dom0:
qvm-service sys-firewall qubes-update-check off
qvm-service sys-net qubes-update-check off
qvm-service sys-usb qubes-update-check off
qvm-service default-dvm qubes-update-check off # just in case
Disable network done by sys-usb / sys-firewall / sys-net
Add this to the file /rw/config/rc.local in the template named default-dvm:
# Apply the egress block only in the three qubes that sit before the VPN/Tor qube.
# The 'output' hook only sees packets generated by this qube itself; traffic
# forwarded for other qubes goes through the 'forward' hook and is not affected.
name="$(qubesdb-read /name)"
if [ "$name" = "sys-firewall" ] || [ "$name" = "sys-net" ] || [ "$name" = "sys-usb" ]
then
    sudo nft add chain ip qubes output '{ type filter hook output priority 0; policy drop; }'
    sudo nft add chain ip6 qubes output '{ type filter hook output priority 0; policy drop; }'
fi
Restart the qubes.
sys-net is not a disposable qube
If your sys-net is not disposable, apply the same instructions as explained for default-dvm, but in the qube sys-net.
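An added check script (not from the original guide) that verifies, against a constructed `nft list ruleset` capture, that the egress-drop chains from the rc.local snippet are present for both ip and ip6 in the three intended qubes and absent elsewhere. The function names `families_with_drop`, `should_block` and `verify_qube` are my own; inside a real qube, run `verify_qube "$(qubesdb-read /name)" "$(sudo nft list ruleset)"` to check the live state.

```shell
# Added example (not from the original guide): check that the egress-drop
# chains from the rc.local snippet exist in the 'qubes' table for ip and ip6.
# Constructed sample of `nft list ruleset` output after the hook has run.
SAMPLE_RULESET='table ip qubes {
    chain output {
        type filter hook output priority filter; policy drop;
    }
}
table ip6 qubes {
    chain output {
        type filter hook output priority filter; policy drop;
    }
}'

# families_with_drop RULESET: print how many of ip/ip6 (0, 1 or 2) have a
# 'qubes' table containing an output-hook chain with policy drop.
families_with_drop() {
    ruleset="$1"
    count=0
    for fam in ip ip6; do
        if printf '%s\n' "$ruleset" | awk -v fam="$fam" '
            $1 == "table" && $2 == fam && $3 == "qubes" { intable = 1; next }
            intable && /^}/ { intable = 0 }
            intable && /hook output/ && /policy drop/ { found = 1 }
            END { if (found) exit 0; exit 1 }'
        then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# should_block NAME: true for the three qubes that sit before the VPN/Tor qube.
should_block() {
    case "$1" in
        sys-firewall|sys-net|sys-usb) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_qube NAME RULESET: true when the ruleset matches what NAME should
# have (both families dropped for the three qubes, neither for any other).
verify_qube() {
    n=$(families_with_drop "$2")
    if should_block "$1"; then
        [ "$n" -eq 2 ]
    else
        [ "$n" -eq 0 ]
    fi
}
```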
Warning
- this has not been tested extensively and may lack leakage fixes (if you find any, please report them)
- this might break DNS for qubes using sys-firewall/sys-usb/sys-net as their netvm
- you need to set both update proxies in "Qubes Global Config", "Updates" tab, to a qube that is not sys-firewall/sys-usb/sys-net:
  - Dom0 update proxy
  - Default update proxy