Re: [qubes-users] Re: VLAN / Firewll config on router or just use sys-firewall

2018-12-27 Thread John Smiley
On Wednesday, December 26, 2018 at 2:20:15 AM UTC-8, unman wrote:
> On Wed, Dec 26, 2018 at 12:55:23AM -0800, John Smiley wrote:
> > On Wednesday, December 26, 2018 at 12:52:28 AM UTC-8, John Smiley wrote:
> > > Does it make sense to configure a VLAN and associated firewall rules in 
> > > an external firewall like pfsense or can the same thing be accomplished 
> > > with Qubes firewall rules?
> > 
> > For the purposes of isolating Qubes traffic on your home network...
> > 
> 
> You don't say *how* you want to isolate Qubes traffic, and I can envisage
> a number of different scenarios that would fit that description.
> You can certainly use Qubes firewall rules to restrict some qubes to
> certain IP addresses, or ranges. The simplest way would be to put another
> fw in place and have localnet deny rules for that fw: then allocate
> qubes per fw.
> If that doesn't fit your scenario, some more detail?

Got on IRC chat with some Whonix folks and got the answers I needed for this.

To clarify, I wanted to know if there is any benefit to configuring pfsense (or 
any firewall/router) so that each Qubes box is on its own VLAN.  The answer I 
got was yes.  One such benefit would be to make it more difficult for an 
attacker to jump from my son's Win10 box, which has god knows what installed on 
it, to my Qubes systems.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cf7bc058-7519-4bf5-b8ba-6c591a56fa0f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: VLAN / Firewll config on router or just use sys-firewall

2018-12-26 Thread unman
On Wed, Dec 26, 2018 at 12:55:23AM -0800, John Smiley wrote:
> On Wednesday, December 26, 2018 at 12:52:28 AM UTC-8, John Smiley wrote:
> > Does it make sense to configure a VLAN and associated firewall rules in an 
> > external firewall like pfsense or can the same thing be accomplished with 
> > Qubes firewall rules?
> 
> For the purposes of isolating Qubes traffic on your home network...
> 

You don't say *how* you want to isolate Qubes traffic, and I can envisage
a number of different scenarios that would fit that description.
You can certainly use Qubes firewall rules to restrict some qubes to
certain IP addresses, or ranges. The simplest way would be to put another
fw in place and have localnet deny rules for that fw: then allocate
qubes per fw.
If that doesn't fit your scenario, some more detail?



[qubes-users] Re: VLAN / Firewll config on router or just use sys-firewall

2018-12-26 Thread John Smiley
On Wednesday, December 26, 2018 at 12:52:28 AM UTC-8, John Smiley wrote:
> Does it make sense to configure a VLAN and associated firewall rules in an 
> external firewall like pfsense or can the same thing be accomplished with 
> Qubes firewall rules?

For the purposes of isolating Qubes traffic on your home network...
