Should I only allow one outgoing dsthost for my sys-vpn?

Here it gives a list like this

    45.83.220.0/24  Sweden (Malmö)
  141.98.255.0/24  Sweden (Malmö)
193.138.218.0/24  Sweden (Malmö)
185.213.152.0/24  Sweden (Helsingborg)
185.213.154.0/24  Sweden (Gothenburg)
  185.65.135.0/24  Sweden (Stockholm)
  185.65.134.0/24  Netherlands (Amsterdam)

If I were connecting to Amsterdam I should ONLY add 185.65.134.0/24 and drop everything else, right? Hypothetically let’s say I had all of these open as outgoing rules. What are the security implications for that?

Also, I spawned a disposable off my appvm disposable template, but the firewall isn't set up for it. There are no rules. Am I likely leaking my DNS? The disposable doesn't have the same firewall rules, but DNS leak isn't reporting a leak.

If you plan to use only one specific server, then you can limit the outgoing connections to this server's IP address (e.g. 185.65.134.123/32), port (e.g. 443) and protocol (e.g. UDP).
This way you'll be sure that only connections to this IP/port/protocol will be allowed.
If you allow 185.65.134.0/24, then some process can access some random IP/port/protocol in this IP range, e.g. some DNS server 185.65.134.111 port 53 UDP.

It works for me.
Describe in more detail how you set up the firewall rules in the disposable template, and how you are checking the firewall rules in the disposable template and in the disposable based on this disposable template.

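The reply above recommends pinning the VPN qube to one server IP (/32), one port and one protocol. As an added example (not a command set from this thread or from Mullvad), the following dom0 script derives exactly those `qvm-firewall` rules from the `remote` lines of an OpenVPN config, followed by a catch-all `drop`. It assumes the config names its servers by literal IPv4 address (as Mullvad's generated configs do) and that the qube name is passed as the first argument; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: turn the "remote" lines of an OpenVPN config into
# dom0 qvm-firewall rules pinned to one host (/32), one port and one protocol each,
# followed by a catch-all drop. Remote lines must carry literal IPv4 addresses (as in
# Mullvad's generated configs); a hostname would need a resolver and is rejected.

# Usage: vpn_rules_from_config QUBE < mullvad_xx_xxx.conf
# Prints the qvm-firewall commands; exit 1 if no remote line was found, 2 on a hostname.
vpn_rules_from_config() {
    awk -v qube="$1" '
        # a global "proto" directive sets the default for remote lines without one
        $1 == "proto" { dflt = $2 }
        $1 == "remote" {
            host = $2
            port = ($3 != "" && $3 !~ /^#/) ? $3 : 1194        # OpenVPN default port
            proto = ($4 != "" && $4 !~ /^#/) ? $4 : dflt
            if (proto == "") proto = "udp"                     # OpenVPN default proto
            sub(/-client$/, "", proto); sub(/[46]$/, "", proto) # tcp-client, udp4 -> tcp, udp
            if (host !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { bad = 1; next }
            printf "qvm-firewall %s add accept dsthost=%s/32 dstports=%s proto=%s\n", qube, host, port, proto
            n++
        }
        END {
            if (bad) exit 2
            if (n == 0) exit 1
            # "qvm-firewall add" appends, so this drop only bites if no earlier catch-all
            # accept rule exists: inspect "qvm-firewall QUBE list" before applying.
            printf "qvm-firewall %s add drop\n", qube
        }'
}

# Constructed sample config (not a real Mullvad file) so the example runs offline.
SAMPLE_CONF='client
proto udp
remote 185.65.134.101 1300 # constructed Amsterdam entry
remote 185.65.134.102 1300'

printf '%s\n' "$SAMPLE_CONF" | vpn_rules_from_config openvpn-mul-00
```

Review the printed commands, then run them in dom0 against the named disposable (or the disposable template) whose rule list you have already checked.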

```bash
# OPENVPN WITH MULLVAD
qvm-clone --verbose debian-12 debian-12-ovpn-00
qvm-run --user=root --pass-io debian-12-ovpn-00 -- apt install -y openvpn
qvm-shutdown debian-12-ovpn-00
qvm-create --verbose --template debian-12-ovpn-00 --label green openvpn-mul-00
# https://mullvad.net/sv/help/qubes-os-4-and-mullvad-vpn open this and follow
qvm-run --user=root --pass-io openvpn-mul-00 -- "systemctl disable openvpn.service"
qvm-run --user=root --pass-io openvpn-mul-00 -- "mkdir -p /rw/config/vpn"
qvm-run --user=root --pass-io openvpn-mul-00 -- "cp /home/user/QubesIncoming/*/*/* /rw/config/vpn"
qvm-run --user=root --pass-io openvpn-mul-00 -- "chmod 755 /rw/config/vpn/update-resolv-conf"
# per-qube properties are set with qvm-prefs (qubes-prefs only takes global properties)
qvm-prefs openvpn-mul-00 netvm sys-firewall
qvm-prefs default-dvm netvm sys-firewall
# Test that OpenVPN connects
# Enable autostart of OpenVPN, change xx_xxx
qvm-run --user=root --pass-io openvpn-mul-00 -- "echo 'openvpn --cd /rw/config/vpn --config mullvad_xx_xxx.conf --daemon' >> /rw/config/rc.local"
qvm-shutdown openvpn-mul-00
qvm-features openvpn-mul-00 menu-items "org.gnome.Terminal.desktop xfce4-file-manager.desktop"
qvm-prefs openvpn-mul-00 provides_network True
qvm-prefs openvpn-mul-00 template_for_dispvms True # makes it a disposable template
# NOTE THAT THIS WON'T PROTECT FROM DNS LEAKS, CHOOSE THE ONE YOU NEED
qvm-firewall openvpn-mul-00 add accept dsthost=141.98.255.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=185.213.152.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=185.213.154.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=185.65.134.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=185.65.135.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=193.138.218.0/24
qvm-firewall openvpn-mul-00 add accept dsthost=45.83.220.0/24
# qvm-firewall openvpn-mul-00 add accept proto=icmp # TODO wtf is this
# qvm-firewall openvpn-mul-00 add accept specialtarget=dns # TODO what is this allowing
# qvm-firewall openvpn-mul-00 add accept dsthost=SERVER-IP # replace server ip with mullvad ip
qvm-firewall openvpn-mul-00 list # find NUMBER for accept icmp
qvm-firewall openvpn-mul-00 del --rule-no NUMBER # delete the accept icmp rule
qvm-firewall openvpn-mul-00 add --before NUMBER drop proto=icmp # insert the drop where accept icmp was
qvm-firewall openvpn-mul-00 list # verify the rule order
qvm-firewall openvpn-mul-00 add drop # else drop

qvm-prefs openvpn-mul-00 netvm sys-firewall
qvm-clone --verbose openvpn-mul-00 openvpn-mul-01
qvm-create --verbose --template openvpn-mul-00 --disp --label orange ndisp-mul-net-00
qvm-firewall ndisp-mul-net-00 reset
qvm-firewall ndisp-mul-net-00 add accept dsthost=<SERVER_IP> # pick the location above
qvm-firewall ndisp-mul-net-00 add drop proto=icmp
qvm-firewall ndisp-mul-net-00 add drop # else drop

qvm-start ndisp-mul-net-00 # needs to be started to be default_netvm
qvm-prefs ndisp-mul-net-00 provides_network True
qubes-prefs default_netvm ndisp-mul-net-00
qvm-kill ndisp-mul-net-00
```

That's exactly what I did. The firewall should've at least been inherited, so I'm probably just owned or backdoored, or I accidentally cleared it. Also, here's my current disposable for my VPN. Is it okay?

This is the simplest firewall solution (must be set in dom0 terminal, not within the qube settings / firewall tab):

The ndisp-mul-net-00 qube is a named disposable, and its firewall rules are inherited from its disposable template openvpn-mul-00 on creation, but changes to the firewall rules of a named disposable are persistent and no longer tied to its disposable template.

Also note that this guide is for Qubes OS 4.1 and won't work for Qubes OS 4.2, because the firewall was changed from iptables to nftables, so iptables rules won't work.

Mine is okay though right? Can I test it?

Oh, I figured it would be okay as long as I set up the named disposable firewall. I guess I'll have to read the other guide and adapt it or something.