Why is the qubes-firewall service enabled in sys-net?

The manpage for qvm-service says:

   qubes-firewall
          Default: enabled only in ProxyVM

          Dynamic firewall manager, based on settings in dom0 (qvm-firewall,
          firewall tab in qubes-manager). This service is not supported in
          netvms.

(I interpret “not supported in netvms” to apply to sys-net.)

The Qubes OS Firewall documentation says:

Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, …) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons.

(I interpret “any networking services” to include network-manager and its alternatives, i.e. this statement would seem to apply to sys-net.)

Yet when I create a pristine sys-net (process: sudo qubesctl state.sls qvm.sys-net) and take a look:

user@sys-net-pristine:~$ ls /run/qubes-service
clocksync        qubes-firewall  qubes-update-check
network-manager  qubes-network   qubes-updates-proxy
user@sys-net-pristine:~$ pgrep qubes-firewall
557

I guess I have two questions:

  1. What purpose does qubes-firewall have in sys-net?

  2. Am I misreading/overinterpreting the documentation or is there a discrepancy here?

Thanks!

I believe that there remain functional chains in the qubes-firewall
table. nft list table qubes-firewall in sys-net

I think you are misinterpreting the documentation. It remains true that
the qubes-firewall service is not supported in sys-net (netvms is a
confusing term that should be replaced in the manpage), in the sense
that firewall settings for qubes will not be functional there.
I think that your interpretation of “any networking services” to
include network-manager is off the mark. You obviously understand that
sys-firewall provides some networking services.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
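The two checks the thread relies on (the service flag under /run/qubes-service and the chains in the qubes-firewall nft table), as an added example that is not from the original thread or from the Qubes project; the nft output it parses offline is a constructed sample, and the chain names in it are assumptions rather than Qubes' real layout.

```python
"""Inspect qubes-firewall state from inside a qube such as sys-net.

Added example, not code from the thread or from Qubes OS. It checks the
service flag that qvm-service creates and summarises the chains in the
qubes-firewall nft table. SAMPLE_NFT is CONSTRUCTED so the parser runs
offline; its chain names are assumptions, not the real Qubes layout.
"""
import os
import re
import subprocess

# Constructed stand-in for `nft list table ip qubes-firewall` output.
SAMPLE_NFT = """\
table ip qubes-firewall {
\tchain forward {
\t\ttype filter hook forward priority filter; policy drop;
\t\tct state established,related accept
\t\tiifname != "vif*" accept
\t}
\tchain qbs-10-137-0-10 {
\t\taccept
\t}
}
"""

def service_enabled(name="qubes-firewall", base="/run/qubes-service"):
    """qvm-service enables a service by creating an empty file under base."""
    return os.path.exists(os.path.join(base, name))

def parse_nft_table(text):
    """Map each chain to its hook (None for a regular chain) and rule count."""
    chains, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = {"hook": None, "rules": 0}
        elif line == "}":
            current = None
        elif current and line.startswith("type "):
            h = re.search(r"hook (\w+)", line)
            chains[current]["hook"] = h.group(1) if h else None
        elif current and line:
            chains[current]["rules"] += 1
    return chains

def summarize(chains):
    """Base chains attached to a hook vs. per-qube chains (assumed 'qbs-' prefix)."""
    return {"hooked": sorted(n for n, c in chains.items() if c["hook"]),
            "per_qube": sorted(n for n in chains if n.startswith("qbs-"))}

def live_nft_table(table="ip qubes-firewall"):
    """Run nft in this qube; None if nft is missing or the table does not exist."""
    try:
        return subprocess.run(["nft", "list", "table", *table.split()],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
```

Run inside the qube, `summarize(parse_nft_table(live_nft_table()))` together with `service_enabled()` shows whether the daemon's table is loaded even though, as the reply notes, per-qube settings are not functional in sys-net.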