On Wednesday, November 13, 2019 at 5:16:11 AM UTC+7, Steve Coleman wrote:
>
> On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:
>
> > I would like to enable opensnitch firewall on every VM by default.
>
> > What do you think about this???
>
>
The daemon is implemented in Go and needs to run as root in order to
interact with the Netfilter packet ... WTF ... runs away screaming ..
> To be frank, it may look pretty, but it would be a big waste of CPU and
> memory resources while providing absolutely no additional security.
>
> - A firewall that runs inside the AppVM is easily circumvented by any
> application or process running in that VM, thus no real security.
>
> - You already have a real and secure Firewall by default sitting in the
> sys-firewall VM, so why add an additional drain on your memory and CPU
> resources? Why not learn to use what you already have available?
>
> - You already have the means to see what your AppVMs are connecting to
> if that is what you are after. You can simply run an app like etherape
> (wireshark, or tcpdump) in the sys-firewall VM and see everything being
> connected to all in one app. But that does degrade the security model
> somewhat, because running any user-level apps there is opening the
> attack surface a bit.
>
> My suggestion is to learn the system you have first before adding all
> kinds of extra security compromising software/baggage that you don't
> really need.
>
> > On my setup this works very well. This should be default!!
>