The manpage for qvm-service says:

qubes-firewall
Default: enabled only in ProxyVM
Dynamic firewall manager, based on settings in dom0 (qvm-firewall, firewall tab in qubes-manager). This service is not supported in netvms.
(I interpret “not supported in netvms” to apply to sys-net.)
The Qubes OS Firewall documentation says:
Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, …) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons.
(I interpret “any networking services” to include network-manager and its alternatives, i.e. this statement would seem to apply to sys-net.)
Yet when I create a pristine sys-net (process: sudo qubesctl state.sls qvm.sys-net) and take a look:
user@sys-net-pristine:~$ ls /run/qubes-service
clocksync qubes-firewall qubes-update-check
network-manager qubes-network qubes-updates-proxy
user@sys-net-pristine:~$ pgrep qubes-firewall
557
I guess I have two questions:
- What purpose does qubes-firewall have in sys-net?
- Am I misreading/overinterpreting the documentation, or is there a discrepancy here?
Thanks!