Sys-firewall vs sys-net

What exactly are the differences between:
sys-firewall vs sys-net

I heard for example that sys-firewall allows for both network connectivity as well as USBs, while sys-net apparently only allows for network but no USB connectivity
(is this accurate?)

sys-net is exposed to real world network by having access to the network interfaces

sys-firewall is meant to be a safe qube to handle firewall rules because sys-net can’t be trusted

that’s why sys-firewall is just behind sys-net, if you need to apply firewall rules to your qubes, it will be done in their netvm, which is sys-firewall by default.


In addition to Solene’s great response, lets list few more differences.

  • sys-net virt_mode is HVM as PCI devices (Ethernet, WiFi, …) should be attached to it. Whereas sys-firewall virt_mode is PVH. This has implications on memory usage and balancing.
  • sys-net klass (class) is AppVM by default to allow storage of WiFi credentials as well as static IP settings. Whereas sys-firewall klass is DispVM (disposable vm). So it is volatile and its private image vanishes after shutdown. For the reasons solene mentioned.
1 Like

Thank you both for these explanations, it gives me much more clarity as I move forward building out my network (and cloning or spinning up little VMs)

1 Like