On Wednesday, November 13, 2019 at 5:16:11 AM UTC+7, Steve Coleman wrote:
>
> On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:
>
> > I would like to enable opensnitch firewall on every VM by default.
>
> > what do you think about this???
>
> The daemon is implemented in Go and needs to run as root in order to interact with the Netfilter packet ... WTF ... runs away screaming ......
> To be frank, it may look pretty, but it would be a big waste of CPU and
> memory resources while providing absolutely no additional security.
>
> - A firewall that runs inside the AppVM is easily circumvented by any
> application or process running in that VM, thus no real security.
>
> - You already have a real and secure Firewall by default sitting in the
> sys-firewall VM, so why add an additional drain on your memory and CPU
> resources? Why not learn to use what you already have available?
>
> - You already have the means to see what your AppVMs are connecting to
> if that is what you are after. You can simply run an app like etherape
> (wireshark, or tcpdump) in the sys-firewall VM and see everything being
> connected to all in one app. But that does degrade the security model
> somewhat, because running any user level apps there is opening the
> attack surface a bit.
>
> My suggestion is to learn the system you have first before adding all
> kinds of extra security compromising software/baggage that you don't
> really need.
>
> > On my setup this works very well. This should be default!!