It's not very clear to me, after reading the documentation, what the role of sys-firewall is. Are we supposed to create firewall rules (Settings → Firewall rules tab) in the sys-firewall instance? What happens if I create firewall rules in the app-vm instance?
If firewall rules are defined within an AppVM, this AppVM will be able to change them, thus defeating the possibility of locking an AppVM within a restricted part of the network. Using sys-firewall as a separate qube makes it possible to prevent malware-infected AppVMs from opening channels to the internet and loading more malware.
Firewall rules changed using the qube's settings or with qvm-firewall in dom0, both of which do not require a running qube, can be changed from within the qube?
No. The firewall rules you see are under dom0 control and cannot be changed from within a qube. They are enforced by sys-firewall, which is told what to do via configuration files located in dom0. That's quite different from firewall rules within a qube, e.g. the Windows firewall in a Windows qube.
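To make the dom0-side workflow concrete, here is an added shell example (not from this thread and not the Qubes project's own code) that restricts a hypothetical qube named app-vm to DNS, ICMP and HTTPS to a single host using qvm-firewall, run in dom0. The qube name, host and port are placeholders, and the qvm-firewall syntax (`add accept ...`, `del --rule-no N`, `list`, and a fresh qube having a single rule 0 "accept") is recalled from the Qubes 4.x CLI rather than taken from this page, so check `qvm-firewall --help` in dom0 before relying on it.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the Qubes project.
# Restricts an AppVM to an allow-list with qvm-firewall, run in dom0.
# The rules are attached to the AppVM but stored in dom0 and enforced by
# the qube's NetVM (sys-firewall); nothing run inside the AppVM can alter them.
#
# Assumptions (from memory of the Qubes 4.x CLI; verify with `qvm-firewall --help`):
#   - a fresh qube's rule list is a single rule 0 "accept" (allow everything)
#   - `qvm-firewall VM add accept [dsthost=.. proto=.. dstports=.. specialtarget=dns]`
#     appends a rule, `qvm-firewall VM del --rule-no N` deletes rule N,
#     `qvm-firewall VM list` shows the current list
#   - traffic matching no rule is dropped once the trailing accept is removed
# "app-vm", "example.com" and 443 below are placeholders.

# Print the dom0 command sequence that locks qube "$1" down to DNS, ICMP and
# TCP to host "$2" on port(s) "$3". Printing the plan instead of running it
# directly lets it be reviewed (and tested) on any machine; run_plan executes
# it when qvm-firewall is actually available, i.e. in dom0.
fw_lockdown_cmds() {
    vm="$1"; host="$2"; ports="$3"
    printf '%s\n' \
        "qvm-firewall $vm add accept specialtarget=dns" \
        "qvm-firewall $vm add accept proto=icmp" \
        "qvm-firewall $vm add accept dsthost=$host proto=tcp dstports=$ports" \
        "qvm-firewall $vm del --rule-no 0" \
        "qvm-firewall $vm list"
}

# Print a check to run from dom0 once the rules are in place: a connection to
# the allowed host should work and one to a disallowed host should fail,
# showing that the qube cannot get around rules it does not own.
fw_check_cmds() {
    vm="$1"; host="$2"; other="$3"
    printf '%s\n' \
        "qvm-run -p $vm 'curl -sS -m 10 -o /dev/null https://$host/ && echo allowed-ok'" \
        "qvm-run -p $vm 'curl -sS -m 10 -o /dev/null https://$other/ || echo blocked-ok'"
}

# Execute the plan in dom0; elsewhere (no qvm-firewall) just show it.
run_plan() {
    if command -v qvm-firewall >/dev/null 2>&1; then
        fw_lockdown_cmds "$@" | sh -e
    else
        echo "# qvm-firewall not found (not dom0); printing the plan instead:"
        fw_lockdown_cmds "$@"
    fi
}

run_plan app-vm example.com 443
fw_check_cmds app-vm example.com example.net
```

Note that every command names app-vm, not sys-firewall: the rules belong to the qube being restricted, and sys-firewall is simply the NetVM that applies them on that qube's behalf. Rule 0 (the stock accept) is deleted last so the qube is never left with an empty list in between, and the allow rules are appended before it is removed so DNS keeps working the moment the default accept goes away.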
Thanks for all the replies. It's still not clear to me. Let's say I have a setup like "sys-net → app-vm" and I go to "Qubes Settings → Firewall tab" on the app-vm and add some rules; will it have any effect?