I am trying to expose a port on one of my AppVMs to the outside world (LAN). I have been following this guide and have successfully set up the NAT port forwarding rules exactly as described. It works non-persistently but doesn’t survive a reboot.
It seems to be because sys-firewall is based on default-dvm. It is fully volatile and so my modifications to /rw/config/qubes-firewall-user-script on sys-firewall are not persistent.
Is this therefore a documentation bug? It has me modifying a file which isn’t persistent.
As far as a solution, is there a recommended way of fixing this problem? I see similar discussions on these forums talking about making a custom firewall VM, so in my case it would be something like sys-net <> sys-firewall-custom <> AppVM. But I have a few reservations about that approach -
Presumably sys-firewall is volatile for a reason and I don’t necessarily want to increase my attack surface just for the sake of persisting one nft rule.
If I made a non-volatile firewall VM based on fedora-40-xfce then I’m wondering whether all necessary “default” firewall rules exist as they would have done on sys-firewall. A quick look at nft list table ip qubes suggests I’m OK on that front?
But again if I am going to create a firewall VM based on quite a bloated template then I’m increasing my attack surface quite a lot, right? Surely there has to be a better way.
The simplest way is:
1- clone “default-dvm” to, say, “default-dvm-fw”
2- start this clone
3- make the changes in /rw/config/qubes-firewall-user-script
4- shut down the clone
5- change sys-firewall’s template to the clone (“default-dvm-fw”)
You probably have to shut down sys-firewall to change the template it is based on, together with any qubes using it. I usually run “qvm-shutdown --wait --all”, perform the changes, then restart sys-whonix and whatnot…
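As an added example (not code from this thread or from Qubes OS), here are the five steps above as a dom0 script. The names are assumptions: the clone is called default-dvm-fw, the rules you already tested non-persistently are kept one command per line in ~/fw-rules.sh, and sys-firewall has already been shut down. The sample rule embedded in the script is a constructed placeholder, not a working port forward; the real lines come from the guide you followed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS: barto's five steps as a
# dom0 script. Assumptions (hypothetical, adjust to your setup): the clone is named
# default-dvm-fw, the tested rules sit one command per line in ~/fw-rules.sh, and
# sys-firewall is already halted.
set -eu

SRC_DVM=${SRC_DVM:-default-dvm}
FW_DVM=${FW_DVM:-default-dvm-fw}
FW=${FW:-sys-firewall}
RULES=${RULES:-${HOME:-.}/fw-rules.sh}
USER_SCRIPT=/rw/config/qubes-firewall-user-script

# Constructed placeholder, used only when the script runs outside dom0.
# Real rules come from $RULES (the ones from the guide you followed).
SAMPLE_RULES='# constructed sample rule, not a real forwarding setup
nft add rule ip qubes custom-forward tcp dport 8080 accept'

# Build the body of qubes-firewall-user-script from rule lines on stdin:
# drop comments and blank lines, prepend a shebang so the file is a valid script.
make_user_script() {
    printf '#!/bin/sh\n'
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

main() {
    # The template of sys-firewall cannot be changed while it runs, and it will
    # not shut down cleanly while other qubes still use it as their netvm.
    if qvm-check --quiet --running "$FW"; then
        echo "$FW is running: shut it down (and the qubes using it) first" >&2
        exit 1
    fi
    qvm-clone "$SRC_DVM" "$FW_DVM"                 # step 1
    qvm-prefs "$FW_DVM" template_for_dispvms True  # no-op if the clone inherited it
    qvm-start "$FW_DVM"                            # step 2: the template itself, not a disposable of it
    # step 3: write the file through qvm-run's stdin instead of an interactive terminal
    make_user_script < "$RULES" |
        qvm-run -p -u root "$FW_DVM" "cat > $USER_SCRIPT && chmod 755 $USER_SCRIPT"
    qvm-shutdown --wait "$FW_DVM"                  # step 4
    qvm-prefs "$FW" template "$FW_DVM"             # step 5
    qvm-start "$FW"
    # Check: the rule must now show up in a freshly started sys-firewall.
    qvm-run -p -u root "$FW" 'nft list table ip qubes'
}

if command -v qvm-clone >/dev/null 2>&1; then
    main
else
    echo "qvm-* tools not found; run from dom0. Generated user script would be:" >&2
    printf '%s\n' "$SAMPLE_RULES" | make_user_script
fi
```

The qvm-check at the top is the guard for the caveat in the reply: run it after qvm-shutdown --wait --all (or after detaching the clients) and it proceeds, otherwise it refuses instead of half-applying. The final nft list is the same check the question used to see which default rules exist; grep it for your forwarded port.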
Thanks @barto that did the trick and seems like a “reasonably secure” solution. A couple of things to add for anyone stumbling across this post in the future -
You cannot edit a disposable template via the Qube Manager GUI or XFCE menu since it just starts up a disposable to run the terminal. So you have to clone the default-dvm template to default-dvm-fw and then run qvm-run -a default-dvm-fw xfce4-terminal in dom0.
As @barto thought, in order to change the default template for sys-firewall you must shut it down along with all Qubes currently using it. This includes sys-usb which may be powering your keyboard and mouse! Fortunately I’ve just switched to PS/2.
You could script it to set netvm to none for all running attached qubes, make changes to sys-firewall, bring sys-firewall back up, and reset the netvm. This sounds long-winded but it is actually simple and quick.
Alternatively you could use qvm-shutdown --force - in my experience running qubes are correctly handled when sys-firewall is restarted, but it does come with a “caution”.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
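As an added example (not code from this thread or from Qubes OS), the detach / change / reattach sequence described in the reply above, scripted for dom0. The only assumption is the name of the edited disposable template that sys-firewall should switch to (default-dvm-fw here, hypothetical); the qvm-ls listing embedded in the script is constructed and is used only when the script runs outside dom0.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS: detach the running
# clients of sys-firewall, change its template, bring it back, reattach them.
# Assumption (hypothetical): NEW_TEMPLATE is the edited clone of default-dvm.
set -eu

FW=${FW:-sys-firewall}
NEW_TEMPLATE=${NEW_TEMPLATE:-default-dvm-fw}

# Read "name|state|netvm" lines (the output format of
# qvm-ls --raw-data --fields NAME,STATE,NETVM) on stdin and print the running
# qubes whose netvm is $1. Halted qubes are left alone: they block nothing and
# keep their netvm setting untouched.
attached_running() {
    awk -F'|' -v fw="$1" '$2 == "Running" && $3 == fw && $1 != fw { print $1 }'
}

# Constructed sample listing, used only when run outside dom0.
SAMPLE_LS='sys-net|Running|-
sys-firewall|Running|sys-net
sys-usb|Running|sys-firewall
personal|Running|sys-firewall
work|Halted|sys-firewall
vault|Running|-'

main() {
    clients=$(qvm-ls --raw-data --fields NAME,STATE,NETVM | attached_running "$FW")
    # 1. Detach: the clients stay up (sys-usb keeps driving keyboard and mouse),
    #    they only lose network until step 3.
    for q in $clients; do qvm-prefs "$q" netvm ''; done
    # 2. With no client left, sys-firewall shuts down without --force and its
    #    template can be switched.
    qvm-shutdown --wait "$FW"
    qvm-prefs "$FW" template "$NEW_TEMPLATE"
    qvm-start "$FW"
    # 3. Reattach exactly the qubes detached in step 1.
    for q in $clients; do qvm-prefs "$q" netvm "$FW"; done
}

if command -v qvm-ls >/dev/null 2>&1; then
    main
else
    echo "qvm-* tools not found; run from dom0. With the sample listing, would detach:" >&2
    printf '%s\n' "$SAMPLE_LS" | attached_running "$FW"
fi
```

If the script dies between steps 1 and 3 (for example because the new template fails to boot), the detached qubes are left with netvm none; rerun the reattach loop by hand once sys-firewall is up. This is the reason to prefer it over qvm-shutdown --force: the clients never stop, and which qubes changed is recorded in one variable rather than guessed afterwards.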