Where to create firewall?

It's not very clear to me after reading the documentation on the role of sys-firewall. Are we supposed to create firewall rules (Settings → Firewall rules tab) in the sys-firewall instance? What happens if I create firewall rules in the app-vm instance?

Which one of the below is valid?

  • sys-net → sys-firewall (firewall rules) → app-vm
  • sys-net → sys-firewall → app-vm (firewall rules)

I think the second one because you can only apply the FW rules to that particular qube.

  1. Wouldn't firewall rules applied to the sys-firewall qube be applied to all qubes attached to it?

  2. What’ll happen if I just have sys-net → app-vm (firewall rules)? What’s the purpose of sys-firewall?

If firewall rules are defined within an AppVM, this AppVM will be able to change them, thus defeating the possibility to lock an AppVM within a restricted network part. Using sys-firewall as a separate qube makes it possible to protect malware-infected AppVMs from opening channels into the internet and loading more malware.

What?

Firewall rules changed using the qube's settings or with qvm-firewall in dom0, both of which do not require a running qube, can be changed from within the qube?

No - the firewall rules you see are under dom0 control and cannot be changed from within a qube. They are enforced from sys-firewall which is told what to do via configuration files located in dom0. That’s quite different from firewall rules within a qube, e.g. the Windows firewall in a Windows qube.

Sorry if I formulated it in a misleading way.
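As an added example (not posted by anyone in this thread), the following dom0 script shows the model the reply above describes in practice: the rules are attached to the client qube (assumed here to be named app-vm) with qvm-firewall in dom0, and they are enforced by the NetVM upstream of it (assumed to be sys-firewall), never by the app-vm itself. The allowed host 203.0.113.10 is a constructed documentation address; the rule syntax is that of qvm-firewall on Qubes 4.x.

```shell
#!/bin/sh
# Added example for the thread above; run in dom0 on Qubes 4.x.
# Assumed qube names: app-vm (client) and sys-firewall (upstream NetVM).
TARGET_QUBE="${TARGET_QUBE:-app-vm}"
UPSTREAM="${UPSTREAM:-sys-firewall}"
ALLOWED_HOST="${ALLOWED_HOST:-203.0.113.10}"   # constructed TEST-NET address

# Build the argument list for one qvm-firewall rule.
# $1 = accept|drop, $2 = destination host/CIDR, $3 = protocol, $4 = port(s)
# Empty fields are omitted, so "rule_args drop" yields a plain catch-all rule.
rule_args() {
    action="$1"; host="$2"; proto="$3"; ports="$4"
    out="$action"
    [ -n "$host" ]  && out="$out dsthost=$host"
    [ -n "$proto" ] && out="$out proto=$proto"
    [ -n "$ports" ] && out="$out dstports=$ports"
    printf '%s' "$out"
}

# Print the whole plan, one qvm-firewall invocation per line, without running it.
# Order matters: DNS and the single allowed HTTPS host first, then drop everything else.
firewall_plan() {
    qube="$1"; allowed_host="$2"
    printf 'qvm-firewall %s reset\n' "$qube"
    printf 'qvm-firewall %s add accept specialtarget=dns\n' "$qube"
    printf 'qvm-firewall %s add %s\n' "$qube" "$(rule_args accept "$allowed_host" tcp 443)"
    printf 'qvm-firewall %s add drop\n' "$qube"
}

# Apply the plan in dom0. The rules are stored by dom0 for the *client* qube and
# enforced by whichever NetVM it is attached to, so we also pin that NetVM.
# Returns 2 when qvm-firewall is not available (i.e. not running in dom0).
apply_plan() {
    qube="$1"; allowed_host="$2"
    command -v qvm-firewall >/dev/null 2>&1 || return 2
    qvm-prefs "$qube" netvm "$UPSTREAM"
    qvm-firewall "$qube" reset
    qvm-firewall "$qube" add accept specialtarget=dns
    # word splitting into separate arguments is intended here
    qvm-firewall "$qube" add $(rule_args accept "$allowed_host" tcp 443)
    qvm-firewall "$qube" add drop
    qvm-firewall "$qube" list
}

# Show the plan; pass --apply to actually run it in dom0.
firewall_plan "$TARGET_QUBE" "$ALLOWED_HOST"
if [ "${1:-}" = "--apply" ]; then
    apply_plan "$TARGET_QUBE" "$ALLOWED_HOST"
fi
```

Note that nothing in this script touches app-vm itself: the rule set lives in dom0's configuration for app-vm and is pushed to the upstream NetVM, which is why a compromised app-vm cannot loosen it. Changing the netvm preference to another qube simply moves enforcement to that qube.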

Thanks for all the replies. It's still not clear to me. Let's say I have set up like "sys-net → app-vm" and I go to "Qubes Settings → Firewall tab" on the app-vm and add some rules, will it have any effect?