Qubes OS Installer Options Wishlist

It’s already implemented:
Firewall | Qubes OS

1 Like

@tzwcfq is right. That’s all there in the “Firewall” tab in the Qube Settings GUI window. I’ve used it for internet-facing VMs (I didn’t want remote users printing a skull and bones on my printers at 3am to scare me, etc.), and it works like a charm.

Or are you saying:

  • the “Firewall” tab isn’t easy enough to use?
    • If so, what are your suggestions?
  • you’d like to see an option in the first boot?
    • If so, how would that work? What did you have in mind?

At the moment, it’s a cinch to understand if you’ve used iptables in the terminal, but you’d probably be a bit lost if you haven’t, so I can sort of see where you’re coming from :slight_smile:

1 Like

I never claimed there isn’t a firewall tab, except:
a. The firewall tab allows only the most basic rules, and for anything else the user has to use the terminal. Rules such as “only allowed internet”, or “NOT allowed subnet x.x.x.x” require terminal. A more sophisticated rule such as “only allow these internet URLs” isn’t even an option, and I already posted in the past that I’d love to see OS built-in application-specific firewall but that is out of the scope of this thread.
b. I would like to see an option in first boot, right after OS install with suggestions to the user, such as “This is the “Untrusted” VM so we suggest that it only have network access to the internet but not your LAN. If you tell us what IPs or subnets are part of your LAN we can add a rule to block this AppVM from accessing it.” or “Which access would you like to give this new AppVM? [options: Internet, specific IPs, specific subnets, everything (not recommended)] We will obviously block access to anything not specifically permitted.”

I never said you did. It’s all good :slight_smile:

I agree 100% with what you’re saying. It would be nice to have an “Advanced…” button or tab that allows you to get this level of functionality.

A couple of pre-defined configs presented to the user (most likely based on most common firewall functions), but with the option to customise for those that wish to…

I really like this idea. Not just for first boot, but also for the “Create Qubes VM” gui app. Would be a really good addition.

Yeah, my bad. I could have worded this a bit better. I meant that I can see where you’re coming from in terms of a user experience. :upside_down_face:

I don’t know how you did that, it seems to me it can only be used to allow access to specific hosts. It’s basically an outbound allow list with a default drop rule.

I always end up having to use qvm-firewall in dom0 to configure the vm firewall, the tools are there to do it, but it would be nice with a UI where you manage firewall rules in one place.
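
The “internet but not LAN” setup discussed in this thread, written out as the dom0 `qvm-firewall` commands it comes down to (an added example, not part of any post in the thread). It assumes the qube still has its default single `accept` rule; `valid_cidr`, `emit`, `lan_block_rules` and the `APPLY` switch are hypothetical names, and unless `APPLY=1` is set the script only prints the commands.

```shell
#!/bin/sh
# Added example; function names and the APPLY switch are hypothetical.

# Accept only dotted-quad IPv4 with an optional /0-32 prefix.
valid_cidr() {
    local ip prefix octet old_ifs
    case $1 in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print each command; execute it only when APPLY=1 (i.e. in dom0).
emit() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# lan_block_rules QUBE CIDR... : keep internet access, drop the listed LAN ranges.
lan_block_rules() {
    local vm net
    if [ $# -lt 2 ]; then
        echo "usage: lan_block_rules QUBE CIDR..." >&2; return 2
    fi
    vm=$1; shift
    # Validate everything first so a typo never leaves a half-applied ruleset.
    for net in "$@"; do
        valid_cidr "$net" || { echo "not an IPv4 CIDR: $net" >&2; return 1; }
    done
    # --before 0 inserts at the top, ahead of the default catch-all "accept".
    for net in "$@"; do
        emit qvm-firewall "$vm" add --before 0 drop "dsthost=$net"
    done
    # Inserted last so it is evaluated first: Qubes' virtual DNS addresses are
    # in 10.0.0.0/8, so dropping that range would otherwise break resolution.
    emit qvm-firewall "$vm" add --before 0 accept specialtarget=dns
    emit qvm-firewall "$vm" list
}
```

For example, `lan_block_rules untrusted 192.168.0.0/16 10.0.0.0/8` prints the four commands for review before anything is changed.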

I just had a thought.

I was reading through “Intrusion detectors in dom0”, and had an idea.

A watchdog that monitors all VMs for certain commands, file types, actions, etc., and then alerts the user “Should you really be doing this in this VM? Wouldn’t it be better in <VM-name>? Would you still like to proceed?”

It might help mitigate cross-contamination of AppVMs (for example, just using whatever web browser is currently open and on-screen), and prevent people from “self-pwning” from complacency. I could see this being particularly beneficial for new users to Qubes OS (but potentially infuriating for experienced users, though).

I haven’t thought it through fully, but I thought I’d just throw it out there…

Yeah, BTRFS is a great idea for the default

2 Likes

Second this. I miss the pre-configured i3 experience I had on Manjaro. It would be nice if the installer gave users a number of DE options. Gnome, Xfce, KDE, and i3 should cover 99% of people.

2 Likes

How about introducing minimal VM as part of the initial install of Qubes?

  1. minimal-VM by default for the Net/FW/USB AppVM. These VMs will (probably) never have the need for everything that currently comes preinstalled on a regular VM.
  2. the option to install minimal VM via setup GUI (instead of later on via command-line)
  3. The option to add various minimal VMs which are pre-configured to a specific task, such as media watching, or internet browsing (such as using a separate VM for accessing one’s bank account).

Qubes is all about compartmentalization - I say let’s help the users realize the potential in that.
My knowledge regarding the differences between minimal and regular VM is rather limited, but I know for sure that they take considerably less space in backups :wink:

2 Likes

I like that idea, coupled with a quick tutorial about what they’re used for.

“Clone me, and use me as a starting point.”

But I can definitely see new users not understanding why they have to install all this extra stuff after they just installed Qubes OS, particularly if they’re not “techy”…

“Didn’t I just install Qubes? Why do I have to install more stuff? Why can’t I just use my computer? This is dumb…”

Either we include it as part of the installation process as some sort of additional packages (which I’m not sure is possible) or we provide it as part of a “First time assistance”.
I obviously want to see Qubes evolve in a direction that will benefit myself as someone who uses it as a daily driver, but I would also like it to be helpful and approachable to the “less techy”. Devs don’t have unlimited time and have to choose.
So what I proposed is beneficial to experienced users (help save time) and makes Qubes more approachable to new users (makes dealing with AppVMs less complicated). Anyone who will think “this is dumb” is more than welcome to click “skip” and move on.
As someone here wrote before - you don’t TRY Qubes-OS, either you commit or you don’t. In general, I believe users who made the decision to use Qubes are more open-minded and committed, and will appreciate this option. Anyone who wants to “just use my computer” could have bought a computer pre-installed with any of the more popular OSes :wink:

It’s possible. It would increase the size of the installer ISO, though. But it’s possible…

Plus, I have a feeling that a Qubes OS net-install ISO might turn some people off (or maybe I’m wrong?).

I guess… But we don’t really want to scare anyone away without a valid reason, either…

I mostly agree, and so suggested that this will be an optional “First time assistance” that will help add various AppVMs. It would have a “skip” button, and will be accessible from the menu for anyone who wants to make use of it later. And since it runs after full install, it is essentially a few scripts that download and configure templates - nothing complicated to code.
However, I would still very much want Qubes to come out-of-the-box with NET/FW/USB minimal templates instead of the full ones they get now.

2 Likes

Although I certainly understand the complaint (one of the first things I wondered is why EVERY qube had keepass on it, rather than just the vault qube–and of course it’s because all of the default qubes use the same template, so that template needs to have everything on it), the problem really is space.

A full template is something like 5GB on disk. Minimals are 1.5 GB or so.

Just to handle my networking, I need four distinct qubes, with in essence four templates (one per each) if I go the minimal route. (I have separated my wifi from my ethernet.) Each of these is slightly different from the others (OK, without checking it’s possible the two firewall templates are essentially alike). So unless you want the install script to separately set up these templates, you’ve got to bundle them all together in the ISO.

Similarly, a Vault template, if it were to be the only one that has keepass on it, would add a lot to the ISO…or Setup would have to clone a no-keepass-installed VM and install keepass on it. And Setup already takes a long time [it doesn’t help that the side-to-side motion in the progress indicator slows down and freezes, making you think perhaps it “hung” during install]. Cloning is a lengthy operation, and renaming is just as bad (because it’s really a clone-and-delete-the-original).

In an ideal world the default templates would only contain what makes sense in their domains, but they had to go with just having the one template and having the AppVMs configured a bit differently. Actually, to the geekish, that’s a demonstration of the flexibility of the paradigm.

2 Likes

I don’t know which hardware you use, but on my SSD template cloning takes seconds.
I believe that providing the minimal templates on ISO is the way to go in order to have minimal template for NET/FW/USB from the start.

As for having templates tailor-made for specific tasks
a. that’s for the user to choose if they’re willing to spend the time and wait. (I think it’s worth it)
b. assuming there’s already a minimal template on the OS, it’s just a matter of getting the relevant packages from the repository. It takes time and bandwidth but instead of doing it from the command-line, if the user will have a nice “menu” to choose from (with the menu item running “sudo dnf install keepass” for them) then it makes it much more approachable for the less techy. I agree that it’ll take time depending on the hardware and bandwidth, but people are waiting much much longer to download/install a computer game. If they think it’s worth their time - they’ll wait for it.

If we must, why not have that “one template” be a minimal, and have scripts install whatever packages are needed based on “what makes sense in their domain”?

1 Like

The packages will have to be stored on the installer image and slipstreamed into the (cloned) template(s).

Don’t know if this is possible, but include kernel-latest in the ISO so users have the option to install with kernel-latest on newer hardware. And if the installer cannot start, try again starting with kernel-latest.

2 Likes

I’m not sure if you mean that this is a problem or just the way to achieve that goal, but considering size, isn’t the size of the minimal template + packages the same as the full template which includes the same packages?

I’d go one further and have an option to sync with the Qubes repo at install, and download any extra packages you may require. This would allow you to choose your templates and extra packages, if you wanted to.

No, I don’t think anyone in the “fugitive” category would be doing a net-install, but it sounds like there would be enough people who would consider this useful…

And go one step further and allow the whole thing to be automated, like the Debian installer. Great for enterprise adoption.

1 Like

There is no sys-net and firewall at this point, so you will expose your vulnerable dom0 to the Internet. Are you sure you want this?