[qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet

>> Would you let my Qube, which is supposed to connect to only one IP address on
>> the internet, be based on an extra firewall-vm? Would that more secure?

> You could do this: it would have one particular advantage, in that you
> could set custom rules in sys-net to restrict access from that
> sys-firewall to the specified IP address.

Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

>> In the Qube settings for the services there is the service
>> "disable-default-route". I have not found anything about what it does. In my
>> case, would it be better to leave it on or turn it off?

> man qvm-service - this service will remove the default gateway entry. So
> a qube would be able to access immediate neighbours but not step beyond.
> It's not what you want here.

What are the immediate neighbors of a qube?

Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

In what situation is it useful for a qube to be able to access its immediate neighbors?

All the best
Michael

>>
>> Would you let my Qube, which is supposed to connect to only one IP address on
>> the internet, be based on an extra firewall-vm? Would that more secure?

> You could do this: it would have one particular advantage, in that you
> could set custom rules in sys-net to restrict access from that
> sys-firewall to the specified IP address.

> Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

Qubes uses NAT, so sys-net sees all traffic coming from the IP address
of sys-firewall.
If your new fw has IP 10.137.0.200
And target is 195.10.223.181

`nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
`nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`

Would do it.
Adjust for your case, of course

>> In the Qube settings for the services there is the service
>> "disable-default-route". I have not found anything about what it does. In my
>> case, would it be better to leave it on or turn it off?

> man qvm-service - this service will remove the default gateway entry. So
> a qube would be able to access immediate neighbours but not step beyond.
> It's not what you want here.

> What are the immediate neighbors of a qube?

Qubes that are connected - the netvm, or a qube for which *this* is the
netvm.

> Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

You can always access immediate neighbours, but will have to adjust the
default firewall rules.
Look at

> In what situation is it useful for a qube to be able to access its immediate neighbors?

Explained on that page: most useful is file exchange with no Qubes
tools installed, but also for testing network code, new pgp or ssh
keys, etc.
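As an added example that is not part of the thread: the two nft rules above, packaged as a small POSIX shell script for sys-net that keeps them in a dedicated nftables table so they can be re-applied (for instance from /rw/config/rc.local) without piling up duplicate rules. The table and chain names, the port default and the is_ipv4 helper are my own choices, not anything from Qubes.

```sh
#!/bin/sh
# Added example, not code from the thread: unman's two nft rules, packaged
# as a dedicated nftables table for sys-net so the ruleset can be
# re-applied (e.g. from /rw/config/rc.local) without duplicating rules.
# The table/chain names, the port default and is_ipv4 are my own choices.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print an nft script: FW_IP may reach TARGET_IP on TCP PORT (default 443),
# and nothing else it forwards through sys-net is allowed (DNS included, so
# the client qube must address the target by IP, as in the thread).
# Priority -10 runs before chains at the default filter priority (0); a
# "drop" here ends packet processing, while "accept" only hands the packet
# on to the remaining forward chains, so the Qubes rules still apply.
build_ruleset() {
    fw_ip=$1; target_ip=$2; port=${3:-443}
    is_ipv4 "$fw_ip" && is_ipv4 "$target_ip" || return 1
    printf '%s\n' \
        "table ip qubes_restrict" \
        "delete table ip qubes_restrict" \
        "table ip qubes_restrict {" \
        "    chain fwd_restrict {" \
        "        type filter hook forward priority -10; policy accept;" \
        "        ip saddr $fw_ip ip daddr $target_ip tcp dport $port accept" \
        "        ip saddr $fw_ip counter drop" \
        "    }" \
        "}"
}

# Syntax-check the generated script with nft -c, then load it atomically.
# Usage (in sys-net, as root): apply_ruleset 10.137.0.200 195.10.223.181
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The counter on the drop rule lets you confirm with `nft list table ip qubes_restrict` that unwanted traffic from the firewall qube is actually being hit and dropped.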

On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:

openBSD in Qubes - Excellent!
You would want something like:
`pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443`