Restrict Policy for Net qubes

I’ve a several of Net qubes. Sometimes, I change a Net qube for an AppVM from Qubes Settings → Net qube menu list.

And I wouldn’t really want to mistake a net qube choice from the list.

Is there a way to set a network access policy for VMs. To protect against user mistakes and traffic leaks?

May be a file in /etc/qubes-rpc/policy/ like qubes.ClipboardPaste or another method?

1 Like

I’m not sure what you are asking for - the qubes firewall is intended
for just such case, but requires a sys-firewall like qube which you
switch between “Net qubes”
If you mean something beyond this (e.g. only access some IP over Tor),
then you can do that by nftables on the “Net qube”.

If you mean something beyond this can you explain in a concrete way what
the policy would be intended to allow and prevent? (Not *How but what.)

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I have two sys-net and one sys-firewall Network qubes for plainnet (clearnet).
I have three sys-vpn Network qubes. So, I connect my AppVMs to different public VPN providers and my VPS server network.
I have three sys-whonix Network qubes.
And another one sys-vpn for work.

I would like to get a way to make rules to limit Network qubes choices for my AppVMs groups.

That’s very clear, thanks.
There is no official way to limit the choices available for a qube’s
One issue I see is that if you restrict qube->sys-firewall->Tor,
there’s nothing to stop you switching sys-firewall->sys-net so traffic
from qube would run over clear-net.
Limit on the netvm only works if the qube is directly attached to
crucial routing qube - for Whonix you lose the ability to use the qubes
firewall. Also for some VPN set up.
So what you need to cover is locking qube to a chain of network
providing qubes
- that’s not so easy.

I have done what you ask for in the past, but I stopped for just this
reason, replacing it with nftables blocking on exit points.
I don’t think that code is in any way suitable for release. I’ll
see if I can do anything with it.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

I have a similar setup and am often disabling and reenabling the network connections of my appVMs- by right-clicking the appVM in the Qubes Manager and selecting network. The problem is that it’s so easy to click on the wrong netVM by mistake.

Tacking on to the OP request: In the Qubes manager gui interface it would be great if one could set a default/priority netVM for each appVM, perhaps with a simple “set as default” tick box next to the Net qube entry in each appVM’s settings. With this setting in place, right clicking to select network could prioritize the default/priority netVM and none choices while also requiring a further yes/no choice when switching to a different netVM.