How can I configure Qubes firewall to work with Reflexive Access Control Lists?
This is already in place by default in the qubes templates and linux distros in general. It’s what allows the replies to your internet requests back in. You can view the rules by running “sudo iptables -L -t filter”
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
DROP udp -- anywhere anywhere udp dpt:bootpc
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
QBS-FORWARD all -- anywhere anywhere
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
The lines with “ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED” are the rules permitting return traffic from established sessions back in. The RELATED parameter also allows in response traffic on a different port for some protocols like ftp.
The INPUT chain has the rules for traffic trying to reach the local qube and the FORWARD chain handles traffic routed to another qube. The FORWARD chain affects traffic going through your sys-net and sys-firewall qubes.
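To check the point above on your own qubes, here is an added example (not from the original post or from Qubes itself): a small POSIX sh script that reads `iptables -L -t filter` output and confirms that both the INPUT and FORWARD chains contain the ACCEPT rule for ctstate RELATED,ESTABLISHED. The embedded table is a constructed sample in which the FORWARD chain deliberately lacks the rule.

```shell
# Added example: verify the stateful return-traffic rule is present in the
# INPUT and FORWARD chains of `iptables -L -t filter` output.
# On a live qube: sudo iptables -L -t filter | check_return_rules

# has_return_rule CHAIN < iptables-output
# Exit 0 if CHAIN has an ACCEPT rule carrying ctstate RELATED,ESTABLISHED.
has_return_rule() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }       # remember which chain we are in
        cur == chain && $1 == "ACCEPT" && /ctstate RELATED,ESTABLISHED/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_return_rules < iptables-output
# Print one line per chain; return the number of chains missing the rule.
check_return_rules() {
    input=$(cat)
    missing=0
    for chain in INPUT FORWARD; do
        if printf '%s\n' "$input" | has_return_rule "$chain"; then
            echo "$chain: return-traffic rule present"
        else
            echo "$chain: MISSING ctstate RELATED,ESTABLISHED rule"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample (not real output): FORWARD lacks the stateful rule,
# so return packets for routed sessions would hit the trailing DROP.
SAMPLE_TABLE='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
QBS-FORWARD  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere'

printf '%s\n' "$SAMPLE_TABLE" | check_return_rules \
    || echo "$? chain(s) would block return traffic"
```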
Glad that it works at least for one person… Do those firewalld helpers work perfectly for you too?