On Thu, Nov 17, 2016 at 5:27 AM, Marek Marczykowski-Górecki < marma...@invisiblethingslab.com> wrote:
> On Wed, Nov 16, 2016 at 07:29:35PM -0800, Sec Tester wrote:
> > So I'm finally getting around to rebuilding the sys-firewall VM on a
> > minimal template. Put it off because I thought there would be a lot of
> > scripting to set up.
> >
> > According to the documentation, it doesn't need any extra packages.
> > https://www.qubes-os.org/doc/templates/fedora-minimal/
> >
> > And when creating the VM, there is no specific option for a "firewall
> > VM", only "ProxyVM".
> >
> > * So is it correct to assume the sys-firewall VM is just an empty box
> > routing connections?
>
> Mostly yes.
>
> > * There are no specific scripts/rules/packages of protection?
>
> Just a script(s) applying iptables rules (based on selection in Qubes
> Manager, user scripts etc).
>
> > * Does this actually provide any protection in the sense of a
> > traditional software firewall? How so? Does it stop incoming connections?
> > Or just add a layer of separation between sys-net & app-VMs?
>
> Every Qubes VM (including sys-firewall, and all AppVMs) by default blocks
> incoming connections. But it is mostly a place which is not so easy to
> compromise as sys-net and where you can limit an AppVM in a way it can't
> easily disable on its own.
>
> > * It seems sys-firewall is just there for users to create their own
> > custom rules in VM Manager settings? Can you give an example of rules you guys
> > actually use?
>
> For example my banking VM is limited to https only and only to the banking
> site. This prevents opening wrong links there by mistake and also
> loading some non-https content if the site links to it (it happens they
> load some ads using http...). Similar for my mail VM(s) - they only have
> access to the mail server so even if I accidentally click on some link in
> a message, it won't load there.
> > my bitcoinVM only connects to Electrum servers
>
> On Wed, Nov 16, 2016 at 08:20:43PM -0800, Sec Tester wrote:
> > It also raises the question,
> >
> > Is there any benefit running a VPN-Proxy-VM through sys-firewall?
> >
> > Or maybe save the overhead and just connect VPN-Proxy-VM directly to
> > sys-Net?
>
> I'd connect directly to sys-net. And depending on exact case, connect
> sys-firewall to that VPN-Proxy-VM.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20161117082738.GC1145%40mail-itl.
> For more options, visit https://groups.google.com/d/optout.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qCbk-2iRwsriVZoHUj%2Bouy_S%3D%2BZXqoU6JMPDVH6PQFQ%2BQ%40mail.gmail.com.
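The two points Marek makes above, that the firewall VM is "just" a box applying per-AppVM iptables rules, and that those rules live upstream where the AppVM cannot loosen them, can be modelled in a few dozen lines. The following is an added illustration written for this thread, not code from the thread or from Qubes itself: the `Rule`/`VmPolicy` classes, the `FAKE_DNS` table, and every hostname and address (`bank.example`, `10.137.0.20`, and so on) are constructed. It takes a per-VM policy in the spirit of the banking and mail examples (https to the bank only, IMAPS to the mail server only, default deny), renders it as the FORWARD-chain commands a firewall VM would run, and lets you ask whether a given flow from the AppVM would be allowed.

```python
"""Toy model of the per-VM rules a Qubes firewall VM applies.

Constructed example, not Qubes' own code: hostnames, addresses and the
DNS table below are made up. It models two points from the thread: the
firewall VM is "just" a box applying iptables rules per AppVM, and an
AppVM cannot loosen rules that are enforced upstream of it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for DNS. A firewall VM resolves dsthost names when it
# installs the rules, so name-based rules are a snapshot of the addresses
# seen at that moment (a caveat worth knowing for sites served from many IPs).
FAKE_DNS = {
    "bank.example": ["203.0.113.10"],
    "imap.example": ["198.51.100.20", "198.51.100.21"],
}


@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    dsthost: Optional[str] = None               # hostname or CIDR; None = any
    proto: Optional[str] = None                 # "tcp" or "udp"; None = any
    dstports: Optional[Tuple[int, int]] = None  # inclusive range; None = any

    def __post_init__(self):
        # iptables --dport is only valid together with -p; mirror that here.
        if self.dstports and not self.proto:
            raise ValueError("dstports requires proto")

    def networks(self):
        if self.dsthost is None:
            return [ip_network("0.0.0.0/0")]
        if self.dsthost[0].isdigit():
            return [ip_network(self.dsthost, strict=False)]
        return [ip_network(a) for a in FAKE_DNS.get(self.dsthost, [])]

    def matches(self, dst_ip, proto, port):
        if self.proto and self.proto != proto:
            return False
        if self.dstports and not self.dstports[0] <= port <= self.dstports[1]:
            return False
        return any(ip_address(dst_ip) in net for net in self.networks())


@dataclass
class VmPolicy:
    name: str
    ip: str                 # AppVM address on the firewall VM's side
    rules: List[Rule]
    default: str = "drop"   # anything not listed is denied


def decide(policy, dst_ip, proto, port):
    """First matching rule wins; otherwise the policy default applies."""
    for rule in policy.rules:
        if rule.matches(dst_ip, proto, port):
            return rule.action
    return policy.default


def to_iptables(policy):
    """Render the policy as FORWARD-chain commands the firewall VM would run."""
    cmds = [
        # Inbound: only replies to connections the AppVM opened itself.
        f"iptables -A FORWARD -d {policy.ip} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -d {policy.ip} -j DROP",
    ]
    for rule in policy.rules:
        for net in rule.networks():
            parts = ["iptables", "-A", "FORWARD", "-s", policy.ip, "-d", str(net)]
            if rule.proto:
                parts += ["-p", rule.proto]
            if rule.dstports:
                parts += ["--dport", f"{rule.dstports[0]}:{rule.dstports[1]}"]
            parts += ["-j", rule.action.upper()]
            cmds.append(" ".join(parts))
    cmds.append(f"iptables -A FORWARD -s {policy.ip} -j {policy.default.upper()}")
    return cmds


# Constructed policies in the spirit of the thread: banking gets https to the
# bank only (plus DNS to the firewall VM itself), mail gets IMAPS only.
BANKING = VmPolicy("banking", "10.137.0.20", [
    Rule("accept", "bank.example", "tcp", (443, 443)),
    Rule("accept", "10.137.0.1", "udp", (53, 53)),
])
MAIL = VmPolicy("mail", "10.137.0.21", [
    Rule("accept", "imap.example", "tcp", (993, 993)),
])

if __name__ == "__main__":
    for p in (BANKING, MAIL):
        print("\n".join(to_iptables(p)))
    print(decide(BANKING, "203.0.113.10", "tcp", 443))   # accept
    print(decide(BANKING, "203.0.113.10", "tcp", 80))    # drop: http to the bank
    print(decide(BANKING, "192.0.2.5", "tcp", 443))      # drop: an ad server
```

The ordering matters in the same way it does in a real chain: the inbound DROP for the AppVM's address comes before any egress rule, and the default DROP for its source address comes last, so nothing the AppVM does to its own in-VM firewall changes what the upstream VM will forward. The name resolution caveat is real for Qubes too: a rule written against a hostname is only as good as the addresses that name resolved to when the rule was installed.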