As explained in another thread, I have created a minimal `sys-wall` along with a `sys-dns`, using the structure explained in the documentation:

`sys-net <--> sys-firewall <--> sys-dns <--> sys-wall <--> [client qubes]`

Everything works as expected.

A problem arises when I add restricting rules for client qubes using the standard procedure: in the firewall tab of the qube I set the proper host, protocol and port (e.g. `mybank.com` and TCP port `443`). Unlike the standard case with one firewall only (`sys-firewall`), the result is that networking stops working in the client qube. If I remove the restricting firewall rules of the qube, everything works again. Of course, I can manually add custom firewall rules directly in `sys-wall` (and its template); however, I would like to have the ease of using the GUI. I couldn't find any information on how exactly rules set through the GUI (or through `qvm-firewall`) interact with the underlying firewall software. When I look at the output of `iptables -L -n -v` and `nft list ruleset` in `sys-firewall`, I don't see any of the IP addresses I use in the restricting rules, as if there is no interaction between what I set and the actual firewall.

My question is:

What is the right way to use restricting `qvm-firewall` rules with the layout recommended in the docs (with a second