Qubes OS 4.2 nftables / nft firewall guide

What’s your nft command?

IPv6 is disabled by default, you need to enable it explicitly:

What’s your nft command?

Listed above.
I add the IPv6 address through the firewall tab in the qube settings UI.

I’ve tested this for R4.2 and it works with IPv6-enabled qubes.

IPv6 is disabled by default

I didn’t know that. Thanks.

I still don’t know why (I’m still checking the source code), but everything that is applied to sys-firewall from the GUI/CLI is set to its NetVM in the qubes-firewall table (sys-net in my case).

This is how the firewall works, when you edit a rule for a qube, it’s applied in its netvm so if the qube is compromised the firewall rules can’t be altered.

1 Like

I understand this, but if someone applies rules to sys-firewall, it goes to sys-net, which is more likely to be compromised. So the better way to apply rules, in the case of a VPN setup for example, is to set them on the VPN qube itself and not on sys-firewall I guess?

These Qubes firewall rules can only be applied from dom0.

That depends what you want to restrict, but if you really want to add rules to sys-firewall, you should add another sys-firewall between this qube is sys-net. Having the rules in sys-net is actually bad indeed

1 Like

I know, that’s not what I’m talking about in my previous message. It’s about where to place them using the CLI for example.

Oh, I got it now. Well, the Qubes-way would be to use separate sys-vpn-firewall for this as @solene said.

Well, I’m not sure how I missed that. Thanks for the clarification.

@DVM it is hard to understand what exactly you are doing and why.

To clarify what I do:

I add firewall rules to the actual qube I want to restrict (e.g. “mybank”) through the UI (e.g. “mybank.com”, TCP port 443). That propagates to the netvm used by mybank qube.

Additionally, in case I want to fine tune things, I use qvm-firewall in dom0.

I believe this is “the qubes way”. In case I am wrong, anyone, feel free to hit me with something heavy and point me to the right way of doing things.

I just answered your original question. To find the rule, you need to check the nft ruleset in the NetVM that the qube is currently connected to.

I just answered your original question.

It was about IPv6 and 4.2 (and @apparatus clarified it).

My confusion comes from your further comments about VPN, sys-net etc, which I couldn’t relate to it. I guess they were are separate sub-discussion though, so no worries.

To find the rule, you need to check the nft ruleset in the NetVM that the qube is currently connected to.

Of course.

1 Like

This was about IPv6, but you clearly said that you couldn’t see your rule in nftables. That’s what you asked, and I answered your question.

Quick note that if mybank.com uses only one ip address then this works. If mybank.com uses many ip addresses (like many web sites do (including google)), then you need to set up a proxy to do the filtering (examples: squid, tinyproxy)


Perhaps an even better approach would be to use a combination of DNSCrypt and nftables rules for such use cases. More specifically:

DNSCrypt, besides other benefits, supports flexible block/allow rules. It can be configured to block the resolving of everything except *.mybank.com.

Then, using its output, the IP addresses can be injected into nftables rules based on user’s firewall settings for the qube.

This can probably provide additional protection against leaks through DNS requests (as specialtarget=dns is always allowed). It may require a small per-qube sys-dns though, auto started/stopped with the qube itself (300-400 MiB of RAM, if based on a minimal fedora template).

Currently I am using this setup with a single global sys-dns and a second firewall between it and the qubes. There is another thread about it.

Another thing, which I think we should have, is explicit listing of the currently hidden rules (visible in qvm-firewall only), namely specialtarget=dns, proto=icmp, expire, in the UI settings. It should also be possible for one to manually configure to block/configure those. For example: ping to *.mybank.com only.

As a whole, this UI and qvm-firewall need serious improvement, IMO, as they do not expose the actual flexibility which nft provides. I guess, that’s off-topic though.