Route internet traffic through multiple firewall appvms - does it make sense?

Does it make sense to route internet traffic in this way:

  1. netvm with network device: Open BSD (hvm)
  2. firewall: fedora minimal (pvh)
  3. firewall: gentoo Gnome (pvh)
  4. appvm: debian Gnome

Or this way:

  1. netvm with network device: Open BSD (hvm)
  2. firewall: gentoo Gnome (pvh)
  3. firewall: debian minimal (pvh)
  4. fireall: fedora minimal (pvh)
  5. appvm: debian Gnome

Would this protect the computer better or just increase the attack surface?

Kind regards,

If all those firewalls do is packet filtering, having different firewalls in a stack doesn’t necessarily reduce the attack surface significantly. However, if you plan on having a packet filtering firewall, a bastion host, an application proxy, etc., run them in different qubes and have different packet filtering firewalls in between them and the userspace VM’s, that could make the life of an attacker more difficult. But, with the extra “diversity” you get increased operational complexity (patching and updating all of those, hardening them properly, etc.) which subtracts from the overall security of the system. In sum, your mileage may vary :slight_smile:

1 Like

it is really depends on what are you expecting to be protected from?

In a typical use case (when your appvm do not accessible from the external network) it is just makes YOUR life harder.

Moreover, If you are not using any custom filtering on those firewalls, then it is not makes any difference at all security wise. (compared to a single firewall setup)

What are you trying to achieve by this? Is there some significance in
the fact that you have different distros?
In your examples the firewall at (2) will only see traffic that appears
to originate from (3)
Unless you are doing some deep inspection it looks like a waste of
time and resources.

My idea may have seemed absurd - after all, I didn’t know myself whether it would be beneficial.

I am looking for a way to reduce the risks of surfing the Internet. I am less interested in protecting a single AppVM, but more in protecting the whole system. The following measures are still feasible with relatively little effort:

  1. AppVM: Block scripts in Firefox, harden Firefox with customized settings.
  2. FirewallVM: make it disposable, base it on a minimal template.
  3. NetVM: make it disposable, base it on a minimal template.

For Whonix accordingly.

What can be done usefully beyond these simple measures?

Well, it all depends on how much complexity are you willing to trade for a bit more security. For example, you could have a application layer proxy in its own VM to provide protection against certain attacks (and provide URL filtering, etc.) and only use your browser through that proxy. You could also deploy a pihole type VM to perform URL filtering. You could apply hardening rules as described here: You could also deploy file integrity monitoring on your non-disposable qubes, etc.

Ultimately, if maximum security is required, Qubes OS can’t do that. Only an air gapped system could offer something like that (with the air gap bridged through just capture of the video rendering and the mouse/keyboard interface alone, with no network in between.