- I know it is not a good idea to make sys-whonix disposable, because that would cause the Tor state to be lost on every boot, which is bad for privacy.
- I know that if sys-net is disposable, I will have to re-enter my Wi-Fi password. This is not a problem for me. Any other issues?
- I don’t see any problems with sys-usb, please correct me if I’m wrong.
- Now the interesting question. What about sys-firewall? How does it handle the qvm-firewall commands I set in dom0? Are they loaded into sys-firewall once, at each boot, or are they not processed in sys-firewall at all? Would I lose some rules? I am not sure how the QubesOS firewall is processed and for that reason I am also not sure about sys-firewall. Please explain, thanks!
sys-net: Strictly speaking, if you’re willing to store your WiFi password on the disposable template, you won’t have to re-enter it every time.
Another possibility would be to keep it on dom0 and send it to the disposable on startup; you could even encrypt that connection. That avoids it being stored in the clear on your sys-net (unless the networking software itself does so). This would involve writing qrexec services and so forth, but is doable.
The rules are stored in dom0 and are accessible in the firewall qubes from dom0 using QubesDB.
I am a simple man, I keep my Wi-Fi passwords in my vault KeePassXC and copy them when I need them. I am on Ethernet 98% of the year anyway.
So it would not matter if sys-firewall is disposable because the QubesDB is persistent and the rules are copied every time it starts? Or is QubesOS even smarter and sys-firewall has some sort of connection to QubesDB by default (without a copy)?
When the firewall rules are updated in dom0, the sys-firewall will see the changes and apply them.
And that’s exactly what I do for stuff I use infrequently!
In my case I use WiFi a lot (it’s my only route to the internet) so I wanted a more automated solution. Anyhow, I thought I’d throw that out there just in case you (or anyone else reading this) found entering the password to be a frequent annoyance.
Here’s hoping you get qubes set up exactly how you like!
Thanks for the info. But what if I set rules before and sys-firewall is disposable? Will I lose my rules?
The firewall rules are stored in dom0.
And sys-firewall loads those on startup?
Yes.
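The behaviour discussed in this thread, as an added example that is not part of any post and not Qubes code: a firewall qube keeps no rules of its own and rebuilds them from what dom0 publishes in QubesDB, so a disposable one ends up with the same ruleset on every start. The `/qubes-firewall/<source-ip>/policy` and `/qubes-firewall/<source-ip>/NNNN` key layout and the `key=value` rule format are assumptions based on the documented Qubes firewall interface; the addresses and rules are constructed sample values, and the fail-closed default is a choice made for this sketch.

```python
import re

# Constructed sample of the entries dom0 exposes to a firewall qube via QubesDB.
SAMPLE_QUBESDB = {
    "/qubes-firewall/10.137.0.20/policy": "drop",
    "/qubes-firewall/10.137.0.20/0001": "action=accept proto=tcp dst4=192.0.2.10/32 dstports=443-443",
    "/qubes-firewall/10.137.0.20/0000": "action=accept specialtarget=dns",
    "/qubes-firewall/10.137.0.21/policy": "drop",
    "/qubes-firewall/10.137.0.21/0000": "action=drop proto=icmp",
    "/qubes-ip": "10.137.0.6",  # unrelated key, ignored by the loader
}

KEY_RE = re.compile(r"^/qubes-firewall/([^/]+)/(policy|\d{4})$")
ACTIONS = ("accept", "drop")


def load_rules(qubesdb):
    """Rebuild every per-source-IP ruleset from QubesDB alone (no local state)."""
    rulesets = {}
    for path, value in qubesdb.items():
        match = KEY_RE.match(path)
        if not match:
            continue
        source_ip, leaf = match.groups()
        # Fail closed: a source without an explicit policy defaults to drop.
        entry = rulesets.setdefault(source_ip, {"policy": "drop", "rules": {}})
        if leaf == "policy":
            if value not in ACTIONS:
                raise ValueError(f"bad policy for {source_ip}: {value!r}")
            entry["policy"] = value
        else:
            fields = dict(item.split("=", 1) for item in value.split())
            if fields.get("action") not in ACTIONS:
                raise ValueError(f"bad rule {path}: {value!r}")
            entry["rules"][int(leaf)] = fields
    # Rules apply in numeric order, whatever order the keys were read in.
    return {
        ip: {"policy": e["policy"], "rules": [e["rules"][n] for n in sorted(e["rules"])]}
        for ip, e in rulesets.items()
    }


if __name__ == "__main__":
    first_boot = load_rules(SAMPLE_QUBESDB)
    second_boot = load_rules(SAMPLE_QUBESDB)  # a fresh disposable instance
    print("identical after restart:", first_boot == second_boot)
    for ip, ruleset in first_boot.items():
        print(ip, ruleset["policy"], ruleset["rules"])
```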