Saltstack + firewall

Todor · October 14, 2024, 2:57pm

Hello,

I am trying to automate qube(s) creation and part of it is to set specific firewalls rules for each VM. I don’t see an option to do this with Saltstack, am I missing something? I am looking at qubes-mgmt-salt-dom0-qvm/README.rst at master · QubesOS/qubes-mgmt-salt-dom0-qvm · GitHub but if there is more complete guide, please let me know.

Regards

DVM · October 14, 2024, 3:28pm

I don’t think it’s been implemented, there’s a feature request for that:

github.com/QubesOS/qubes-issues

qvm.firewall module for salt

opened 05:36PM - 22 Oct 20 UTC

3hhh

T: enhancement C: mgmt P: default

**The problem you're addressing (if any)** Currently there's no `qvm.firewa…ll` module for salt. This is inconvenient as it either requires users to use chains of `qvm-firewall` commands or replace the `firewall.xml` file and restart qubesd via salt (maybe `qvm-firewall --reload' suffices, idk). **Describe the solution you'd like** `qvm.firewall` module allowing a full specification of all rules for a target VM. If these are in place already, the state is OK, otherwise existing rules are wiped out and replaced with the specified ones. **Where is the value to a user, and who might that user be?** Convenience, central place to manage rules outside of the GUI, compatibility with future Qubes OS versions. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/blob/master/README.rst **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** -

Your only option would be to run dom0 commands with salt using the qvm-firewall tool.

quazzle · March 2, 2025, 2:40pm

This works for me:

enable-firewall:
  cmd.run:
    - name: |
        printf "action=accept specialtarget=dns
        action=accept proto=icmp
        action=drop" | qubesd-query dom0 admin.vm.firewall.Set {{myqube}}

The firewall rules can be dumped from an existing qube via qvm-firewall --raw myqube list