I am trying to use Arch Linux, so I need to allow my Arch template to connect to the AUR. I stumbled on many topics during my search, but I don’t know a lot about networking, so I have some questions.
In this topic the solution seems to be to make pacman and makepkg use the proxy 127.0.0.1:8082, which I assumed was the tinyproxy address. I don’t really understand the commands provided, so I tried to figure out what they do before using them.
Then, I found this post:
which is quite self-explanatory, so I used it. I managed to install yay, for example, but it seems that these parameters make my template connect to the internet, because I could open Firefox and browse the internet, so it looks like it is not the tinyproxy…
From this I had the idea to connect my Arch template to sys-firewall and set up firewall rules to allow only what is useful to AUR (AUR, GitHub, etc.). I tried to install, for example, VSCode: I added some Microsoft and GitHub links after each no-connection error, and managed to install it. From what I read, it can sometimes not work (see https://groups.google.com/g/qubes-devel/c/niMbDhS_nWI), but I don’t understand why. And I also see this topic talking about setting up a new proxy, based on tinyproxy, to which we can add some selected websites:
The questions I have are:
What is the 127.0.0.1:8082 address and what happened when I exported the http proxy?
How unsafe is it to connect a template to sys-firewall and add websites manually? (my threat level is not high, I use Qubes for privacy and peace of mind, but I like to know what can happen).
What is the difference between adding a website to the firewall and creating a new proxy?
Thanks for the reply!
I deactivated the NetVM on the template, applied the changes and it works well!
After some more reading (especially How to install software | Qubes OS for the n-th time) I think I understand what 127.0.0.1:8082 does.
To sum up for potentially interested readers: all 127.X.X.X addresses redirect to the local machine (i.e. your computer). When you tell an application to use the 127.0.0.1:8082 address, Qubes redirects the query to your machine and precisely to a NetVM, which reroutes the query through the tinyproxy (embedded in the VM) to the global internet.
In short: tinyproxy does NOT forbid the template from accessing websites other than the ones used to install packages. It works as follows: the only way for an app to access the internet is to send the request to the 127.0.0.1:8082 address. The security relies on the fact that YOU choose the apps that use this address as a proxy (I don’t really see why a non-malicious app would send its request to this address, as normally it would just send it to the local machine…). So, the security doesn’t rely on the proxy choosing specific websites to install and update packages (which is not realistic because of all the possible links and mirror links), but on the user selecting which applications can connect to the internet by telling them to use the 127.0.0.1:8082 address.
Please correct me in any way if I am wrong, as I am not a network expert.
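The difference between exporting the proxy in a shell and handing it to a single command, as an added example that is not part of the original posts: an exported variable is inherited by every program started from that shell, while a per-command assignment reaches only that command. The function names are hypothetical, and the example assumes the tools being run honour the conventional `http_proxy`/`https_proxy` variables.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# UPDATES_PROXY is the address discussed above.
UPDATES_PROXY="http://127.0.0.1:8082"
PROXY_VARS="http_proxy https_proxy all_proxy ftp_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY FTP_PROXY"

# Print the proxy variables that are exported in this shell. Every program
# started from the shell inherits these, whether or not that was intended.
exported_proxy_vars() {
    for name in $PROXY_VARS; do
        if printenv "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Remove proxy settings left behind by an earlier "export".
clear_proxy_vars() {
    for name in $PROXY_VARS; do
        unset "$name"
    done
}

# Run one command with the proxy set in that command's environment only.
# Assumption: the command honours the conventional http_proxy/https_proxy variables.
# Usage: with_updates_proxy <command> [arguments...]
with_updates_proxy() {
    env http_proxy="$UPDATES_PROXY" https_proxy="$UPDATES_PROXY" "$@"
}

# Constructed demonstration, run in a subshell so the calling shell is untouched.
(
    clear_proxy_vars
    export http_proxy="$UPDATES_PROXY"
    echo "after export, every child inherits: $(exported_proxy_vars | tr '\n' ' ')"
    clear_proxy_vars
    with_updates_proxy sh -c 'echo "scoped child sees: $http_proxy"'
    echo "after scoped run, every child inherits: $(exported_proxy_vars | tr '\n' ' ')"
)
```

Running `exported_proxy_vars` in the template's shell before starting anything else shows whether an earlier `export` is still in effect there.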