Reflexive Access Control Lists

How can I configure Qubes firewall to work with Reflexive Access Control Lists?

This is already in place by default in the Qubes templates and Linux distros in general. It’s what allows the replies to your internet requests back in. You can view the rules by running “sudo iptables -L -t filter”

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
QBS-FORWARD  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            


The lines with “ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED” are the rules permitting return traffic from established sessions back in. The RELATED parameter also allows in response traffic on a different port for some protocols like FTP.

The INPUT chain has the rules for traffic trying to reach the local qube and the FORWARD chain handles traffic routed to another qube. The FORWARD chain affects traffic going through your sys-net and sys-firewall qubes.
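As an added check (this script is not from the post or from the Qubes project): a small Python parser for the `sudo iptables -L -t filter` output quoted above that audits whether INPUT and FORWARD each contain an ACCEPT on conntrack ESTABLISHED and whether that rule comes before any blanket DROP/REJECT. Netfilter evaluates a chain top to bottom, so a blanket DROP inserted above the RELATED,ESTABLISHED rule silently kills all reply traffic even though the reflexive rule is still "present". SAMPLE_GOOD is the post's own output; SAMPLE_BAD is a constructed, hypothetical mis-ordering used to show the failure mode.

```python
import re

# Constructed sample: the `sudo iptables -L -t filter` output quoted in the
# post above (default Qubes chains, whitespace trimmed).
SAMPLE_GOOD = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
QBS-FORWARD  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
"""

# Constructed counter-example (hypothetical, not from the post): a blanket
# DROP was inserted at the top of FORWARD, so replies routed through this
# qube never reach the RELATED,ESTABLISHED rule.
SAMPLE_BAD = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_filter_table(text):
    """Parse `iptables -L` (no -v) text into {chain: {"policy", "rules"}}.
    Each rule keeps target, prot, source, destination and the trailing match
    text (for example 'ctstate RELATED,ESTABLISHED' or 'state INVALID')."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        chains[current]["rules"].append({
            "target": parts[0],
            "prot": parts[1],
            "source": parts[3],
            "destination": parts[4],
            "extra": parts[5].strip() if len(parts) > 5 else "",
        })
    return chains


def is_reflexive_accept(rule):
    """The rule that lets replies back in: ACCEPT on conntrack ESTABLISHED
    (both the older 'state' and the newer 'ctstate' spellings are accepted)."""
    return (rule["target"] == "ACCEPT"
            and re.search(r"\b(ct)?state\b.*\bESTABLISHED\b", rule["extra"]) is not None)


def is_unconditional_block(rule):
    """A DROP/REJECT with no protocol, address or extra match, i.e. it
    terminates evaluation for every packet that reaches it."""
    return (rule["target"] in ("DROP", "REJECT")
            and rule["prot"] == "all"
            and rule["source"] == "anywhere"
            and rule["destination"] == "anywhere"
            and (rule["extra"] == "" or rule["extra"].startswith("reject-with")))


def audit_reflexive(chains, names=("INPUT", "FORWARD")):
    """Return {chain: finding}: 'ok' when an ESTABLISHED accept exists and
    precedes every blanket DROP/REJECT, otherwise why replies would be lost."""
    findings = {}
    for name in names:
        chain = chains.get(name)
        if chain is None:
            findings[name] = "missing chain"
            continue
        rules = chain["rules"]
        idx_accept = next((i for i, r in enumerate(rules) if is_reflexive_accept(r)), None)
        idx_block = next((i for i, r in enumerate(rules) if is_unconditional_block(r)), None)
        if idx_accept is None:
            findings[name] = "no RELATED,ESTABLISHED accept; replies fall through to policy %s" % chain["policy"]
        elif idx_block is not None and idx_block < idx_accept:
            findings[name] = "blanket %s at rule %d shadows ESTABLISHED accept at rule %d" % (
                rules[idx_block]["target"], idx_block + 1, idx_accept + 1)
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit_reflexive(parse_filter_table(sample)))
```

Two caveats when running this against a live qube: `iptables -L` without `-v` hides the in/out interface of each rule, so a line that reads "DROP all anywhere anywhere" may in fact be scoped to one interface; `sudo iptables -L -v -n -t filter` shows the interface columns (and `-n` skips reverse DNS), but that wider format is not handled by this parser. Newer Qubes releases ship an nftables firewall, in which case `nft list ruleset` is the equivalent view and the same ordering rule applies.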

Glad that it works at least for one person… Do those firewalld helpers work perfectly for you too?