[qubes-users] Safely set up a Qube to connect to only one IP address on the Internet

Dear Qubes community,

I am interested in your ideas on how you would set up a Qube as securely as possible to connect to a single ordinary internet site (not a VPN network) accessed directly via its IP address.

My ideas are:

1) Edit the Qube's firewall via dom0 as follows:

$dom0: qvm-firewall NAME-OF-QUBE del --rule-no 0
$dom0: qvm-firewall NAME-OF-QUBE add --before 0 drop
$dom0: qvm-firewall NAME-OF-QUBE add --before 0 accept 127.127.127.127/32 proto=tcp 443

2) Go into the dom0-Qube settings and turn on the disable-dns-server service.

With these two settings, there should really be no DNS traffic anymore, right?

What else would you do?

Best wishes
Michael Singer

Michael Singer:

Dear Qubes community,

I am interested in your ideas on how you would set up a Qube as securely as possible to connect to a single ordinary internet site (not a VPN network) accessed directly via its IP address.

What else would you do?

Possibly double-check and further restrict iptables & nftables on the qube itself, but that could be an annoyance to maintain.

These are good.
Disable all unnecessary services in the qube - that means almost all of
them.
Change the nft/iptables configuration on the qube itself - note that you
can do this in `/rw/config/rc.local` but that is processed after the
network comes up.
You want to allow only outbound lo and to your target.
Remove/overwrite /etc/resolv.conf

You can also create an alias in /etc/hosts to avoid typing out the full
IP address.
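The reply above sketches the in-qube side of this setup (an nft ruleset loaded from /rw/config/rc.local that permits only lo and the target, an emptied /etc/resolv.conf, and an /etc/hosts alias). Below is an added example of such an rc.local, written for this thread and not taken from the original posts or from the Qubes project. It is a second layer on the qube itself; the qvm-firewall rules from the first post are still enforced in the qube's NetVM. The address 203.0.113.10, the port 443, the alias name "onlysite" and the nft table name "singledest" are assumptions chosen for illustration; replace them with your own. The functions take their file paths as parameters so the ruleset and hosts logic can be exercised without root.

```bash
#!/bin/sh
# /rw/config/rc.local for a qube that may only talk to one IP:port.
# Added example for the thread above (not Qubes project code).
# Runs after the qube's network is up, as the reply notes, so there is a
# short window before these rules are loaded.

TARGET_IP="${TARGET_IP:-203.0.113.10}"   # assumed placeholder; use the real address
TARGET_PORT="${TARGET_PORT:-443}"
ALIAS="${ALIAS:-onlysite}"               # hypothetical /etc/hosts name

# Emit an nftables ruleset: an output chain with policy drop that accepts
# only loopback and TCP to TARGET_IP:TARGET_PORT. The "inet" family covers
# IPv4 and IPv6, so v6 traffic and all DNS fall through to the drop policy.
# The "declare then delete" idiom makes reloading idempotent.
gen_nft_ruleset() {
    ip="$1"; port="$2"
    cat <<EOF
table inet singledest
delete table inet singledest
table inet singledest {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ip daddr $ip tcp dport $port accept
    }
}
EOF
}

# Add "IP ALIAS" to a hosts file exactly once (whole-line match).
add_hosts_alias() {
    ip="$1"; alias="$2"; file="$3"
    grep -qxF -- "$ip $alias" "$file" 2>/dev/null \
        || printf '%s %s\n' "$ip" "$alias" >> "$file"
}

# Empty the resolver config so nothing has a nameserver to ask.
# Assumption: Qubes may regenerate this file when networking is
# reconfigured, which is one reason to also keep the nft drop policy.
empty_resolv() {
    : > "$1"
}

# Return 0 only when every expected rule is present in the generated text.
ruleset_looks_right() {
    out="$(gen_nft_ruleset "$1" "$2")"
    printf '%s\n' "$out" | grep -q 'policy drop' || return 1
    printf '%s\n' "$out" | grep -q 'oifname "lo" accept' || return 1
    printf '%s\n' "$out" | grep -q "ip daddr $1 tcp dport $2 accept" || return 1
    return 0
}

# Apply only inside a Qubes VM as root (/rw/config exists only there).
if [ -d /rw/config ] && [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    gen_nft_ruleset "$TARGET_IP" "$TARGET_PORT" | nft -f -
    add_hosts_alias "$TARGET_IP" "$ALIAS" /etc/hosts
    empty_resolv /etc/resolv.conf
fi
```

After a reboot of the qube, `sudo nft list table inet singledest` should show the output chain with `policy drop`, and `curl -v https://onlysite/` should connect while `curl -v https://example.com/` fails at name resolution. Note that the accept rule is keyed on the destination IP and port only, so if the site ever moves to a different address the qube simply loses connectivity rather than silently talking to something else.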