SERIOUS? qvm-firewall bypass? possibly if you do not understand qvm-firewall and qubes-firewall service!

I don't know what your issue is, honestly. qvm-firewall works like a charm for me.

Not quite.

In Qubes, when you set the "provides network" property, the qubes firewall is enabled.

If you choose to stop the qubes-firewall service, the qubes-firewall table will not be updated: changes to the firewall of attached qubes will not be reflected in the tables; newly attached qubes will not feature at all - this means that traffic from them will be dropped. Your qube will not be blocked from starting in this state, but all traffic from it will be blocked.

No notification is given if the qubes-firewall service is not running.

The situation is different when using Whonix. By default the qubes-firewall is not supported. This is fully documented in the Whonix documentation.

I think the Qubes documentation is deficient in not making this clear.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


I am reassured… I understand better now.

I was concerned that I had never seen the qubes-firewall service inside the Settings interface, and I was not sure that it was present and running correctly. It requires manual configuration to disable it, and then to create an open configuration like in Whonix.

If all is well, then everything should automagically work in almost all cases.

I think the main exception is the case of a qube with Whonix as its netvm, as confirmed by @unman. In this situation, I feel that documentation alone is possibly insufficient.

In my ideal world, it would seem better to have something like:

  • setting qubes firewall rules should be forbidden when no service is running in the netvm
  • setting a no-firewall netvm should be forbidden when these rules are present.

In anomalous situations for the firewall service - OOM, the choice of artisanal templates, … - it is not so clear (to me) that it fails closed. But maybe this is already assured.

If the stakes were high (not so much for me), I think I would use multiple layers, and include a fixed-memory firewall VM, with careful choice of the amount.
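As an added example (not from the thread or the Qubes project), a dom0 audit script that surfaces the silent state unman describes, where a netvm's qubes-firewall service is stopped so qvm-firewall rules are no longer applied, and flags the "rules set but no service" combination the post above wants forbidden. It assumes dom0 with qvm-prefs, qvm-firewall and qvm-run available, and that `qvm-firewall VM list` prints a header row followed by one row per rule, with the default policy appearing as a single accept row; the qube name is passed as `$1`.

```shell
#!/bin/sh
# Added example: audit whether a qube's firewall rules are actually enforced
# by its netvm. Assumes dom0 tooling (qvm-prefs, qvm-firewall, qvm-run) and the
# qubes-firewall systemd unit in the netvm; qube name comes from $1.

# Pure decision logic, kept separate so it can be exercised without Qubes.
# $1: systemctl state of qubes-firewall in the netvm (active|inactive|unknown)
# $2: number of custom (non-default) qvm-firewall rules on the qube
classify_state() {
    state="$1"; rules="$2"
    if [ "$state" = "active" ]; then
        echo "enforcing"              # rules are loaded into the netvm's table
    elif [ "$rules" -gt 0 ]; then
        echo "rules-without-service"  # the combination the thread wants forbidden
    else
        echo "service-stopped"        # no custom rules, but attached qubes are still dropped
    fi
}

# Count custom rules. Assumption: `qvm-firewall VM list` prints a header row,
# then one row per rule, and a default-policy qube shows a single accept row,
# so anything beyond one row is treated as a custom rule.
count_custom_rules() {
    rows="$(qvm-firewall "$1" list | tail -n +2 | wc -l | tr -d ' ')"
    echo $(( rows > 1 ? rows - 1 : 0 ))
}

audit_qube() {
    qube="$1"
    netvm="$(qvm-prefs "$qube" netvm)"
    if [ -z "$netvm" ]; then
        echo "$qube: no netvm (offline qube)"
        return 0
    fi
    # The netvm reports its own unit state; a stopped or unreachable service is
    # exactly the case that produces no notification in the Qubes UI.
    state="$(qvm-run --pass-io "$netvm" 'systemctl is-active qubes-firewall' 2>/dev/null || true)"
    rules="$(count_custom_rules "$qube")"
    echo "$qube via $netvm: $(classify_state "${state:-unknown}" "$rules") (service=${state:-unknown} custom_rules=$rules)"
}

if [ -n "${1:-}" ]; then
    audit_qube "$1"
fi
```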