Hey! First post, but have been lurking and troubleshooting here for close to a year now…
Anyway, I had this idea to create a network-attached AppVM that monitors network traffic using programs like EtherApe and Wireshark but also doubles as a system-wide VPN tunnel…
I created a sys-net-mon from a Kicksecure template, installed EtherApe, Wireshark, the NorskVPN GUI and UFW. I set UFW to deny all inbound by default, and I'm not sure if this is correct practice or not, but I also set iptables rules such as drop all inbound and allow loopback, and I used iptables-persistent and netfilter-persistent to enable the rules…
Now here's my question… I have sys-net-mon in between sys-net and sys-firewall, as my thought process was that I want to inspect all connections and packets across all qubes and tunnel all traffic through a system-wide VPN with Tor running on top.
It works. It works great. But is it good practice?
Is it wise to have an AppVM connected directly to sys-net, or would it be smarter to put sys-net-mon on top of sys-firewall and monitor traffic on a per-qube basis, connecting qubes to sys-net-mon instead of sys-firewall…
I'm an intermediate user and am still getting used to the quirks and am no expert on networking or whatever, but I like the way my system is at the moment, but fear I am putting my station at risk by having an AppVM connected directly to sys-net and running sys-firewall off that…
But I tell ya… When I fire up EtherApe and see that one green line that expands and contracts with network activity from all qubes being tunneled, it's a great feeling… I just hope I haven't put my entire system at risk by doing this…
Any input would be appreciated or suggestions for a better way and correct practice…
Cheers