Thoughts about host-internal firewalling

I’m thinking about a general firewall solution, working between local qubes only.

task

I want to be able to implement a client-server model like DB-Server-VM / DB-Client-VM with default network communication mechanisms.

nice

As far as possible, I want to stay on the default Qubes’ way.

idea

  • creating a virtual network interface in dom0
  • connecting a vm-net-local to this device
  • connecting a vm-firewall-local to vm-net-local
  • connecting DB-Server-VM and DB-Client-VM to that firewall
  • creating the needed firewall rules in vm-firewall-local

I’m not very familiar with Xen:
Is it possible to create the interface in dom0 using the dummy kernel module, so that Xen accepts it as a normal network interface?

In that case it would show up in vm-net-local and all following tasks would go the normal Qubes’ way.

Any suggestions?

Do you have to create an interface in dom0 specifically? Why not create a virtual network interface directly inside vm-net-local?

Creating network devices in dom0 is not what anyone would recommend, and it’s against the very basic Qubes principles.

I suggest reading the Qubes Firewall documentation, especially the part talking about enabling-networking-between-two-qubes

I assume that’s what you actually want, isn’t it?

Yes, but in a more general way and explicitly separated from the outside.

I want to play with the firewall rules, checking for what is possible, but without the risk of opening my machine to the outside.

If I work on the default firewall without a complete understanding of what happens, this is dangerous.

See it as a sandbox for my network training, but with concrete functions later on in mind.

@otter2, sorry, I wanted to reply to you directly

If I do this directly in the VMs, there will be the problem how to connect them, as there’s no virtual switch or anything else to use.

Isn’t that what virtual bridge (virbr) literally is?

But regardless of that I believe you would want to connect server to netvm and client to firewall, not both to firewall if I understand what you are trying to do correctly.

You simply create another firewall - which is just an Appvm that ‘provides network’ - but do not connect it to any netvm.
This way you will have a completely separated ‘internal network’ where whatever VMs you connect to this custom firewall can communicate with each other - once you have applied the custom firewall rules linked above
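The setup described in this reply, written out as an added dom0 script (not code from the thread or from the Qubes project): a firewall qube that provides network but has no netvm, the two qubes from the original post attached to it, an outbound restriction on the client via qvm-firewall, and the forwarding rule that has to live inside the firewall qube. The template name, the database port 5432, and the nftables table/chain names `ip qubes` / `custom-forward` (the 4.2-era form of the documented inter-qube rule) are assumptions; the qube names come from the thread. With DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: isolated internal network in Qubes OS.
# Run in dom0 as: ./internal-net.sh apply   (or DRY_RUN=1 ./internal-net.sh apply)
set -eu

TEMPLATE="${TEMPLATE:-fedora-40}"   # assumed template name; adjust to your system
FW="vm-firewall-local"               # qube names taken from the thread
SERVER="DB-Server-VM"
CLIENT="DB-Client-VM"
DB_PORT="${DB_PORT:-5432}"           # assumed service port on the server qube

# Print the command instead of running it when DRY_RUN=1, so the topology
# can be reviewed before any qube is created or re-wired.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# An AppVM that provides network but is attached to no netvm: packets can only
# move between the qubes behind it; there is no uplink to the outside at all.
create_internal_firewall() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label red "$FW"
    run qvm-prefs "$FW" provides_network True
    run qvm-prefs "$FW" netvm ''
}

# Attach a qube to the internal firewall instead of the default netvm.
attach_to_internal_firewall() {
    run qvm-prefs "$1" netvm "$FW"
}

# Qubes firewall rules limit what the CLIENT may send (enforced in $FW):
# drop the default accept-all rule, allow only TCP to the DB port on SERVER.
restrict_client_egress() {
    server_ip="$1"
    run qvm-firewall "$CLIENT" del --rule-no 0
    run qvm-firewall "$CLIENT" add accept "dsthost=$server_ip" proto=tcp "dstports=$DB_PORT"
    run qvm-firewall "$CLIENT" add drop
}

# qvm-firewall alone does not let two downstream qubes talk: the firewall
# qube's forward chain also has to accept the flow. These lines are meant for
# /rw/config/qubes-firewall-user-script inside $FW (chain name is an assumption).
forward_rules_for_firewall_qube() {
    client_ip="$1"
    server_ip="$2"
    printf 'nft add rule ip qubes custom-forward ip saddr %s ip daddr %s tcp dport %s ct state new,established,related accept\n' \
        "$client_ip" "$server_ip" "$DB_PORT"
    printf 'nft add rule ip qubes custom-forward ip saddr %s ip daddr %s ct state established,related accept\n' \
        "$server_ip" "$client_ip"
}

if [ "${1:-}" = "apply" ]; then
    create_internal_firewall
    attach_to_internal_firewall "$SERVER"
    attach_to_internal_firewall "$CLIENT"
    server_ip=$(qvm-prefs "$SERVER" ip)
    client_ip=$(qvm-prefs "$CLIENT" ip)
    restrict_client_egress "$server_ip"
    # Append the forward rules to the firewall qube's persistent user script.
    forward_rules_for_firewall_qube "$client_ip" "$server_ip" \
        | run qvm-run -u root --pass-io "$FW" 'cat >> /rw/config/qubes-firewall-user-script'
fi
```

The two halves do different jobs: the qvm-firewall rules are the per-qube egress policy the Qubes GUI also edits, while the nft lines in the firewall qube are what actually forwards traffic between two qubes behind the same firewall, which is why the documentation section linked above is still needed. Because vm-firewall-local has no netvm, a mistake in either half can at worst stop the server and client from reaching each other; it cannot expose them to the outside.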

I don’t know the details, but I think it’s different.

On a normal Xen-Server the interfaces are all in dom0 and there exist things like virtual bridges and so on. I’m not sure what happens in the background, when you define them with the Xen Orchestrator.

In Qubes-OS I don’t know, how to create them and what will happen to the security.

Therefore the idea with the virtual interface in dom0. It’s only one thing that isn’t the Qubes way, but at least it’s done with secure tools we already have in dom0.

Maybe I’m wrong, but I think of this virtual network interface as if it would be a physical card, not plugged in, but with a static address.

Therefore there should be no security problem.

In QubesOS you set a vm to provide network, and set it as the network qube for other qubes

I’ll try out your last idea. Would be completely what I want for the moment.

I’ll tell you the result later, maybe tomorrow.

If you just want to play with firewall, zrubi’s suggestion is better and much easier to do. What I said is closer to fully simulating how qubes would talk to an external host.

(and you don’t need to configure virtual bridge yourself)

Ok, I agree.

Both approaches are easy to handle.

So I’ve got one way (otter2), which should work directly for my example, and a second way (zrubi) for training my network skills.

As said, I’ll report later :wink:

Thanks for your help, guys!

Yep:

  • My example works like a charm.
  • I’ll start my training using the second way later. :wink: