Where to put firewall rules - qubes-firewall-user-script

In the documentation it is said to put your firewall rules inside of the “qubes-firewall-user-script” instead of “rc.local”:

I don’t understand the “WHY” it must be the case. What is the interest over “rc.local”? What is the use case that “rc.local” can’t handle properly?
Any example of something “rc.local” won’t be able to do correctly but “qubes-firewall-user-script” will do correctly?

Doesn’t qubes-firewall-user-script get added to the netvm, and rc.local only to the local firewall?

I am not aware of the existence of different firewalls, a “local” one and a “netvm” one. Are you sure that it exists? And if it exists, what is the supposed difference between them?

Can you use qubes-firewall-user-script without running the qubes-firewall service?

I could be completely wrong, but I thought it would update the rules in sys-firewall, if that is the netvm used.

qubes-firewall-user-script is only executed when the qubes-firewall service is enabled. And the script only applies to the current VM.

+1

Also:

The rules in rw/config/qubes-firewall.d are executed before those in
qubes-firewall-user-script, and anything in rc.local after the
network is up. I think this is the use case you are looking for.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.