I’m still learning Qubes, so please forgive me if I misunderstood some concepts.
The idea is to use bridging instead of routing (kind of). I know that routing is preferred to bridging to prevent layer 2 discovery on dom0, but what do you think about those mitigations, are they good enough? Also, my method kind of prevents those kinds of escapes.
To explain my idea, I’ll show how I did it in my Qubes-like setup, I’m too noob at Qubes to compare.
Note: below, when I say “client”, I mean any domain that needs to access network resources, so dom0 or any domU.
My router/firewall is a domU, protecting all other domains, including dom0. It has all network cards (NICs) passed through from dom0, like in Qubes.
- On dom0, I create a bridge per client. So the bridges have no linked NIC. No IP either (except the one for dom0 as a client).
- In the firewall, I create as many VIFs as I have clients.
- All the domUs are created with a VIF on their corresponding bridge.
Example: bridge brdom1 hosts two VIFs, fwdom1 and nicdom1.
So if dom1 wants to access dom2, it’s done like:
nicdom1 -> ( fwdom1 - fwdom2 ) -> nicdom2
# the parentheses represent the firewall domain
The advantage of this method is config centralization, you don’t need to have an additional firewall on the domains (although you can), as they’re alone in their network segment, and cannot escape from the bridge.
If I’m not mistaken, my firewall does the job of sys-net and sys-fw. But couldn’t this setup be slightly adapted to Qubes? Of course, any distro would work as a firewall, I’m more talking about the principle behind it.
Any feedback welcome!
Drawback to my setup
Because “max_vifs=8” for a Xen domU, if there are more clients than that, it needs additional setup:
- either setting VLANs on both the domU and firewall VIFs
- or chaining several firewalls
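As an added illustration (not the poster's own scripts), here is a small POSIX sh script that generates the dom0 bridge commands and the Xen `vif` config lines for the topology described in the post, and checks the client count against the max_vifs limit mentioned in the drawback. The bridge/VIF names brdomN, fwdomN and nicdomN follow the post's example; the `bridge=` and `vifname=` keys are standard xl vif options.

```shell
#!/bin/sh
# Example generator for the "one bridge per client" layout (constructed, not
# the poster's code). Names brdomN / fwdomN / nicdomN are taken from the post.

MAX_VIFS=8   # Xen default max_vifs per domU, the limit the post runs into

# dom0 side: one NIC-less, IP-less bridge per client (arguments are client numbers).
# dom0 itself, as a client, would additionally get an address on its own bridge.
bridge_cmds() {
  for n in "$@"; do
    echo "ip link add brdom$n type bridge"
    echo "ip link set brdom$n up"
  done
}

# Firewall domU config: one VIF per client, each attached to that client's bridge.
fw_vif_spec() {
  spec=""
  for n in "$@"; do
    spec="$spec${spec:+,}'bridge=brdom$n,vifname=fwdom$n'"
  done
  echo "vif = [ $spec ]"
}

# Client domU N config: a single VIF, alone on its bridge with the firewall's VIF.
client_vif_spec() {
  echo "vif = [ 'bridge=brdom$1,vifname=nicdom$1' ]"
}

# Returns 0 when all clients fit on one firewall domU, 1 when VLANs or a
# chained second firewall are needed (see the drawback section).
fits_max_vifs() {
  [ "$#" -le "$MAX_VIFS" ]
}

# Demonstration for two clients, dom1 and dom2.
bridge_cmds 1 2
fw_vif_spec 1 2
client_vif_spec 1
client_vif_spec 2
fits_max_vifs 1 2 && echo "2 clients fit within max_vifs=$MAX_VIFS"
```

The `vif = [...]` lines go into the respective domU .cfg files; the ip commands run on dom0 before the domUs are started.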