Sys-net or sys-firewall

Hi all, well I'm new to Qubes and I'm struggling to find an answer about the internet setup on Qubes for me. I am currently connected via ethernet and I directed the said ethernet (USB) connection to sys-net, and on my Qubes VMs I selected sys-firewall, yet I do not have any firewall rules set up and I was wondering if I am exposed or vulnerable in some way, and if I'm even supposed to be connected to sys-firewall, as when I watch many YT videos I see people stating to connect to sys-net on their VM qube for example, so I'm really lost now.

I thought that Ethernet first connects to sys-net, then from sys-net it goes straight to sys-firewall, and thus every other VM qube going online should only be taking their connection from sys-firewall, or do I have it the wrong way around, and do I need firewall IP address rules or not?
Any help much appreciated please :slight_smile:

Hi

Your qubes should be using sys-firewall as their network qube (also called netvm). However, it would be best practice to use the USB passthrough to give the ethernet USB device to sys-net, whose purpose is to be exposed to the wild.

This works this way:

[all your qubes] → [sys-firewall] → [sys-net]

If sys-net is compromised, your qubes are protected by sys-firewall, a sane qube with a working firewall that is not directly exposed to an external threat.

You could also change the netvm of sys-firewall to be sys-usb; however, I am not sure it is the best solution, but it will work for sure. If sys-usb gets compromised because of the network, this could potentially give an attacker access to your USB devices. But if the USB device is used from sys-net, sys-net will be compromised and all other USB devices will not be exposed.

Hi Solene, thanks for your reply. I think I understand, I think I'm doing it correctly then but can't confirm from reading your post; does it seem I'm doing it correctly by going:
Ethernet - sys-net - sys-firewall, then all other VM qubes only ever use sys-firewall, as that's my current setup?

If so, then do I need some firewall rules, or am I OK with no firewall rules, do you think?
Thanks

Is it good this way?

All qubes from templates are blocking all incoming connections by default; you do not have to do anything except if you need specific rules like blocking outgoing traffic to some hosts / ports etc…

If you need a VPN, you would create a VPN qube that uses sys-firewall as a netvm, then you could plug your qubes into this VPN qube. (It is recommended to add a sys-firewall equivalent between the qubes and the VPN qube, for the exact same reasons there is one between sys-net and your qubes.)
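To check your own setup against the chain described in this thread, here is an added example (not from the forum posts or the Qubes project) that parses the output of `qvm-ls -O NAME,NETVM --raw-data` run in dom0, prints each qube's netvm chain, and flags app qubes plugged straight into sys-net with no firewall qube in between. The sample table and qube names are constructed, and the "name|netvm" row format with "-" for no netvm is an assumption.

```python
"""Added example: walk Qubes netvm chains from `qvm-ls` output."""
import subprocess

# Constructed sample of `qvm-ls -O NAME,NETVM --raw-data` output (assumed
# format: one "name|netvm" row per qube, "-" when the qube has no netvm).
SAMPLE = """\
dom0|-
sys-net|-
sys-usb|-
sys-firewall|sys-net
personal|sys-firewall
work|sys-firewall
untrusted|sys-net
vpn|sys-firewall
vpn-work|vpn
"""


def parse_qvm_ls(text):
    """Map qube name -> netvm name (None when the qube has no netvm)."""
    netvm = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("NAME"):  # tolerate a header row
            continue
        name, nv = (part.strip() for part in line.split("|", 1))
        netvm[name] = None if nv in ("-", "n/a", "") else nv
    return netvm


def chain(netvm, qube):
    """Follow netvm links outward, e.g. work -> sys-firewall -> sys-net."""
    path, cur = [qube], netvm.get(qube)
    while cur is not None:
        if cur in path:
            raise ValueError(f"netvm loop at {cur}")
        path.append(cur)
        cur = netvm.get(cur)
    return path


def directly_exposed(netvm, exposed=("sys-net",)):
    """App qubes plugged straight into an exposed qube with nothing between.

    Qubes that themselves provide networking (sys-firewall, a VPN qube) are
    expected to sit on sys-net, so they are not reported."""
    providers = {nv for nv in netvm.values() if nv}
    return sorted(q for q, nv in netvm.items() if nv in exposed and q not in providers)


if __name__ == "__main__":  # in dom0: read the live table instead of SAMPLE
    out = subprocess.check_output(["qvm-ls", "-O", "NAME,NETVM", "--raw-data"], text=True)
    table = parse_qvm_ls(out)
    for q in table:
        print(" -> ".join(chain(table, q)))
    print("plugged straight into sys-net:", directly_exposed(table))
```

With the constructed sample, `untrusted` is the only qube reported, since it bypasses sys-firewall exactly as the thread warns against.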