Sys-net or sys-firewall

Hi all, well I'm new to Qubes and I'm struggling to find an answer about the internet setup on Qubes for me. I am currently connected via ethernet and I directed the said ethernet (USB) connection to sys-net, and on my Qubes VMs I selected sys-firewall, yet I do not have any firewall rules set up and I was wondering if I am exposed or vulnerable in some way, and if I'm even supposed to be connected to sys-firewall, as when I watch many YT videos I see people stating to connect to sys-net on their VM Qube for example, so I'm really lost now.

I thought that Ethernet first connects to sys-net, then from sys-net it goes straight to sys-firewall, and thus every other VM Qube going online should only be taking its connection from sys-firewall. Or do I have it the wrong way around, and do I need firewall IP address rules or not?
Any help much appreciated please :slight_smile:

Hi

Your qubes should be using sys-firewall as their network qube (also called netvm). However, it would be best practice to use USB passthrough to give the ethernet USB device to sys-net, whose purpose is to be exposed to the wild.

It works this way:

[all your qubes] → [sys-firewall] → [sys-net]

If sys-net is compromised, your qubes are protected by sys-firewall, a sane qube with a working firewall that is not directly exposed to an external threat.

You could also change the netvm of sys-firewall to be sys-usb; however, I am not sure it is the best solution, but it will work for sure. If sys-usb gets compromised because of the network, this could potentially give an attacker access to your USB devices. But if the USB device is used from sys-net, sys-net will be compromised and all other USB devices will not be exposed.

Hi Solene, thanks for your reply. I think I understand, I think I'm doing it correctly then but can't confirm from reading your post. Does it seem I'm doing it correctly by going:
Ethernet - sys-net - sys-firewall, then all other VM Qubes only ever use sys-firewall, as that's my current setup?

If so, then do I need some firewall rules, or am I OK with no firewall rules, do you think?
Thanks

Is it good this way?

All qubes from templates are blocking all incoming connections by default; you do not have to do anything except if you need specific rules like blocking outgoing traffic to some hosts / ports etc.

If you need a VPN, you would create a VPN qube that uses sys-firewall as a netvm, then you could plug your qubes into this VPN qube. (It is recommended to add a sys-firewall equivalent between the qubes and the VPN qube, for the exact same reasons there is one between sys-net and your qubes.)
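A small checker for the layout Solene describes in this thread (app qubes behind sys-firewall, sys-firewall behind sys-net, and a firewall qube between a VPN qube and its clients), added here as an example and not code from the thread or from the Qubes project. The qube names and netvm table are constructed sample values, and FIREWALL_QUBES / EXPOSED_QUBES are assumed labels for which qubes play which role:

```python
"""Check which qubes sit behind a firewall qube, as recommended in the thread."""
from typing import Dict, List, Optional

# Constructed sample topology: qube name -> its netvm (None = no network).
# In dom0 the real values come from `qvm-prefs <qube> netvm`.
NETVMS: Dict[str, Optional[str]] = {
    "sys-net": None,            # holds the ethernet/USB NIC, exposed to the outside
    "sys-firewall": "sys-net",
    "sys-vpn": "sys-firewall",  # OpenVPN/WireGuard qube with "provides network" on
    "work": "sys-firewall",     # the layout recommended in the thread
    "personal": "sys-net",      # skips sys-firewall: directly behind the exposed qube
    "banking": "sys-vpn",       # no firewall qube between it and the VPN qube
    "vault": None,              # offline qube, nothing to check
}
# Assumed role labels: which qubes filter traffic, which face the untrusted network.
FIREWALL_QUBES = {"sys-firewall"}
EXPOSED_QUBES = {"sys-net"}


def upstream_chain(qube: str, netvms: Dict[str, Optional[str]] = NETVMS) -> List[str]:
    """Netvms from `qube` outward, e.g. work -> ['sys-firewall', 'sys-net']."""
    chain: List[str] = []
    current = netvms.get(qube)
    while current is not None:
        if current == qube or current in chain:
            raise ValueError(f"netvm loop through {current}")
        chain.append(current)
        current = netvms.get(current)
    return chain


def check_qube(qube: str, netvms: Dict[str, Optional[str]] = NETVMS) -> Optional[str]:
    """Return a warning, or None when the qube follows the recommended layout.
    Rule from the thread: an ordinary qube's netvm must be a firewall qube, never
    sys-net itself; a qube behind a VPN qube should have a firewall qube in between
    too. Firewall qubes themselves may point at anything upstream."""
    netvm = netvms.get(qube)
    if netvm is None or qube in FIREWALL_QUBES:
        return None
    if netvm in EXPOSED_QUBES:
        return f"{qube} is attached directly to {netvm}, no firewall qube in between"
    if netvm not in FIREWALL_QUBES:
        return f"{qube} uses {netvm} with no firewall qube between them"
    return None


def audit(netvms: Dict[str, Optional[str]] = NETVMS) -> Dict[str, str]:
    """Warnings for every qube in the table, keyed by qube name; empty = all good."""
    return {q: w for q in netvms if (w := check_qube(q, netvms)) is not None}
```

With the sample table, `audit()` flags only `personal` and `banking`; `work` and `sys-vpn` pass because their next hop is sys-firewall.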

I have read this statement many times and I just don't seem to be able to grasp it fully. Please kindly help me understand better, as I am trying to set up an app qube to run OpenVPN via, so that when I go mobile, which I sometimes do, I sometimes need to either use my wifi and/or USB adapter to log onto another person's network and/or an internet cafe etc., and when this happens I would love to be able to run everything only through the OpenVPN with a kill switch active. So I did as you said: I set up a new qube as persistent home, volatile root, default sys-firewall, but then I quickly discovered that I don't know what to do next.

If you make a qube with OpenVPN running in it and providing network to other qubes (it is a checkbox in the qube settings), you will have to change your qubes' network provider to be the qube with OpenVPN, instead of sys-firewall.

I mean I don't know how to set up OpenVPN in the new qube. I don't know where to start or how to do it?

I recommend setting up WireGuard instead of OpenVPN; you can follow Wireguard VPN setup

The guide could also apply to an OpenVPN setup anyway; only the configuration import will differ.

OK, I shall check that link out, thanks hun x

Last time I checked I found WireGuard to be sketchy in that it was not fully open source or something, so I was put off it and reverted to OpenVPN. Do you know of any reassuring facts about WireGuard that make it better than OpenVPN other than its speed and bloatware being better?

WireGuard is stateless; there are way fewer problems with it if you have a bad internet connection or you switch your connection between access points. It's also fully open source.

You can use OpenVPN; the guide should apply very well. The configuration import will be a bit different; you may have to replace the word "wireguard" by "openvpn" :sweat_smile:

Do you know how I can delete a post/message such as this one please?