Templates: Software installation and Updates through sys-whonix

Hello, could someone please explain and clarify how to configure that all software installations and updates, i.e. all outgoing connections of TemplateVMs, go only through Tor via Whonix-Gateway (sys-whonix)?

If there are any resources, I would appreciate it if you could refer me to them.

In the Qubes OS Global Config I have the following settings:

As it states there are policy changes and the mentioned file overwrites them. Please find here the contents but I am not sure what they mean and it would be great if you could explain the lines.

I don’t understand which of the settings are the custom changes that overwrite the Global Config and what the default configuration of the file would be. Is there a reference?

/etc/qubes-rpc/policy/qubes.UpdatesProxy

$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny

I read on the Whonix pages ( Qubes-Whonix UpdatesProxy Settings) that there is another file too but I am not sure how this interacts. An explanation would be great too.

/etc/qubes/policy.d/50-config-update.policy

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny

Do you have Qubes OS 4.2?
If yes, then did you upgrade it in-place from Qubes OS 4.1?

I’m not sure why you still have the old qrexec policy format file /etc/qubes-rpc/policy/qubes.UpdatesProxy.

The non-default policy settings in Qubes Global Config → Updates are written to the /etc/qubes/policy.d/50-config-update.policy file.
You should remove /etc/qubes-rpc/policy/qubes.UpdatesProxy file so it won’t interfere in the future.
Configuring the Default update proxy in the Qubes Global Config → Updates should be enough to configure all your templates to update over Tor.


Yes I have Qubes OS 4.2 and did upgrade it in-place from Qubes OS 4.1.

I removed /etc/qubes-rpc/policy/qubes.UpdatesProxy.

Now everything looks fine.

If I have to add an exception because I want to perform software installation or updates not through sys-whonix: with regard to security, should I choose sys-firewall or sys-net as the update proxy?

To my knowledge you should never choose sys-net for direct outgoing connections. But in the documentation sys-net is mentioned in this regard: How to install software | Qubes OS

Could you please clarify? I appreciate your support!

It doesn’t matter, since the traffic will go through sys-net anyway and the firewall rules in sys-firewall are not applied to the update proxy. I guess you can use sys-net so you won’t waste processing resources by using sys-firewall between the template and sys-net.
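As an added example that is not part of this thread, here is how such a per-template exception can be expressed in the new (Qubes 4.1+/4.2) policy format without touching the file written by Global Config. Files in /etc/qubes/policy.d are read in lexical order and the first matching line wins, so the exception must live in a file that sorts before 50-config-update.policy; the file name 30-user.policy and the template name debian-12-clearnet are assumptions.

```text
# /etc/qubes/policy.d/30-user.policy   (assumed name; sorts before 50-config-update.policy)
# Line format:  service  argument  source  destination  action  [target=<qube>]

# Exception: this one clearnet template (assumed name) uses sys-net as its update proxy,
# matching the advice in the reply above. Named explicitly, so no Whonix template matches it.
qubes.UpdatesProxy  *  debian-12-clearnet  @default  allow target=sys-net

# The lines that Global Config writes to 50-config-update.policy (as shown earlier in the
# thread) are evaluated next, in this order:
#   qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
#   qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
# The deny line stops Whonix templates from ever falling through to a clearnet proxy,
# so the per-template exception above must never be written with @type:TemplateVM or
# @anyvm as the source, only with an explicit template name.
```

After editing, removing the old-format file /etc/qubes-rpc/policy/qubes.UpdatesProxy (as done above) keeps the two policy systems from interfering, and the result can be checked by launching an update in the exempted template and watching which proxy qube starts.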