Sys-firewall vs sys-net

Lace · April 2, 2024, 7:25pm

What exactly are the differences between:
sys-firewall vs sys-net
?

I heard for example that sys-firewall allows for both network connectivity as well as USBs, while sys-net apparently only allows for network but no USB connectivity
(is this accurate?)

solene · April 2, 2024, 7:40pm

sys-net is exposed to real world network by having access to the network interfaces

sys-firewall is meant to be a safe qube to handle firewall rules because sys-net can’t be trusted

that’s why sys-firewall is just behind sys-net, if you need to apply firewall rules to your qubes, it will be done in their netvm, which is sys-firewall by default.

alimirjamali · April 2, 2024, 7:51pm

In addition to Solene’s great response, lets list few more differences.

sys-net virt_mode is HVM as PCI devices (Ethernet, WiFi, …) should be attached to it. Whereas sys-firewall virt_mode is PVH. This has implications on memory usage and balancing.
sys-net klass (class) is AppVM by default to allow storage of WiFi credentials as well as static IP settings. Whereas sys-firewall klass is DispVM (disposable vm). So it is volatile and its private image vanishes after shutdown. For the reasons solene mentioned.

Lace · April 3, 2024, 1:23am

Thank you both for these explanations, it gives me much more clarity as I move forward building out my network (and cloning or spinning up little VMs)