Re: [qubes-users] VPN before sys-firewall ?

2019-07-10 Thread brendan . hoar
I’m currently using:

VMs -> sys-mirage-fw-int -> sys-vpn-tasket -> sys-mirage-fw-ext -> sys-net

Benefit of mirage in this situation is that each one consumes only 32MB of RAM.

B

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/07410923-e42e-4daa-8cbd-506eca9acc5b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] VPN before sys-firewall ?

2019-07-10 Thread David Hobach



On 7/10/19 8:45 AM, Luc libaweb wrote:
> On Tuesday, July 9, 2019 23:22:23 UTC+2, Chris Laprise wrote:
> > On 7/9/19 4:49 PM, Luc libaweb wrote:
> > > Hello,
> > > 
> > > I have read a lot of things about VPNs in Qubes OS.
> > > 
> > > I have set up a standalone VM with a VPN client installed. This VPN VM 
> > > connects to the network through sys-firewall.
> > > 
> > > Other VMs connect directly to this VPN VM.
> > > 
> > > So: the AppVM's NetVM is the standalone VPN VM, and the VPN VM's NetVM 
> > > is sys-firewall.
> > > 
> > > Is this good or not for security? Maybe the VPN VM bypasses sys-firewall?
> > 
> > In practice, you won't see any difference between these configurations
> > unless you have placed special rules _inside_ sys-firewall (in the
> > /rw/config dir):
> > 
> > sys-vpn -> sys-firewall -> sys-net
> > 
> > sys-firewall -> sys-vpn -> sys-net
> > 
> > sys-vpn -> sys-net
> > 
> > The reason is that sys-vpn uses "provides network" and is thus a proxyVM
> > just like sys-firewall; if you add firewall rules to your appVMs, they
> > should be processed the same way in either sys-firewall or sys-vpn. As a
> > result, sys-vpn can perform both vpn and firewall functions. If you
> > consider sys-vpn's role to be trusted and low-risk, then the third
> > example can accomplish the same thing as the first two while consuming
> > less memory and CPU.
> > 
> > --
> > 
> > Chris Laprise, tas...@posteo.net
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> Thanks, so the default sys-firewall just blocks all incoming traffic 
> separately. I think it's better to place sys-vpn after sys-firewall 
> because the configuration of sys-vpn is just: install the VPN client and 
> force auto-connection and autostart. If the VPN client app is compromised, 
> sys-firewall still remains in between.


Qubes OS implements its firewall rules in the next upstream VM which 
"provides network" (see qvm-prefs). So if you don't trust your VPN VM to 
manage your firewall rules, you'll need

client VM --> sys-firewall-vpn --> sys-vpn --> sys-net

If you additionally want firewall rules for sys-vpn (e.g. allowing only 
connections to your VPN provider) and don't trust your sys-net to manage 
them (because it manages your network devices already which run a lot of 
proprietary code?), you'll need

client VM --> sys-firewall-vpn --> sys-vpn --> sys-firewall --> sys-net

You'll also need the latter if you want other client VMs with clearnet 
connections and managed firewall via sys-firewall.


It's also explained in [1], section "Network service qubes".

I'd also recommend using disposable VMs with static names for these 
service VMs.


[1] https://www.qubes-os.org/doc/firewall/


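Worked example added by the editor; it is not part of the thread and not a script shipped with Qubes OS. It builds, from dom0 with the stock qvm-create/qvm-prefs/qvm-firewall tools, the chain David describes above (client VM --> sys-firewall-vpn --> sys-vpn --> sys-firewall --> sys-net) and adds the qvm-firewall pin that limits sys-vpn to its provider's endpoint, which lands in sys-firewall because rules are enforced by the next upstream qube that provides network. It also illustrates Chris's point that any qube with provides_network set is the enforcement point for the qubes behind it. The template name fedora-30, the client qube name work-vpn, and the endpoint 203.0.113.10 udp/1194 are assumptions to be replaced.

```shell
#!/bin/bash
# Added example for this thread, not code from the thread or from Qubes OS.
# Builds the chain David Hobach describes, from dom0, with the stock qvm-* tools:
#   client VM --> sys-firewall-vpn --> sys-vpn --> sys-firewall --> sys-net
# and pins sys-vpn's egress to its provider's endpoint with qvm-firewall.
# Those rules are enforced in sys-vpn's own netvm (sys-firewall), so sys-net
# never has to be trusted with them.
#
# Assumptions (not from the thread): the template name, the client qube name
# "work-vpn", and the VPN endpoint address/port (203.0.113.10 is a TEST-NET-3
# documentation address standing in for a real provider IP).
set -eu

TEMPLATE=${TEMPLATE:-fedora-30}
VPN_ENDPOINT=${VPN_ENDPOINT:-203.0.113.10}
VPN_PROTO=${VPN_PROTO:-udp}
VPN_PORT=${VPN_PORT:-1194}

# Dry-run by default: print each dom0 command instead of executing it, so the
# plan can be reviewed (and tested) outside dom0. DRY_RUN=0 applies it for real.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A proxy qube is just an AppVM with provides_network set and a netvm upstream.
# Usage: make_proxy NAME UPSTREAM_NETVM LABEL
make_proxy() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label "$3" "$1"
    run qvm-prefs "$1" provides_network True
    run qvm-prefs "$1" netvm "$2"
}

build_chain() {
    # sys-net and sys-firewall exist on a default install; only the two new
    # proxies are created. Each netvm must exist before it is referenced.
    make_proxy sys-vpn sys-firewall red
    make_proxy sys-firewall-vpn sys-vpn orange
    # Clients attach to the inner firewall, never directly to sys-vpn, so their
    # qvm-firewall rules are enforced by a qube that runs no VPN client.
    run qvm-prefs work-vpn netvm sys-firewall-vpn
}

# sys-vpn's own rules are enforced one hop up, in sys-firewall. Allow only the
# tunnel endpoint, add an explicit drop, then remove the default accept-all
# rule (rule number 0) that every qube starts with.
pin_vpn_egress() {
    run qvm-firewall sys-vpn add accept "$VPN_ENDPOINT" "$VPN_PROTO" "$VPN_PORT"
    run qvm-firewall sys-vpn add drop
    run qvm-firewall sys-vpn del --rule-no 0
}

# Check from dom0 that the rules landed in the enforcing qube: on R4.0 the
# qubes-firewall service programs them into the nftables table
# "ip qubes-firewall" of the netvm, one chain per downstream client IP.
show_enforced_rules() {
    run qvm-run -p sys-firewall 'sudo nft list table ip qubes-firewall'
}

plan() {
    build_chain
    pin_vpn_egress
}

plan
```

With the default DRY_RUN=1 the script only prints the ten dom0 commands, so the plan can be read through before running it with DRY_RUN=0 in dom0. One caveat: pinning egress in sys-firewall stops sys-vpn from reaching anything except the endpoint, but it does not by itself stop client traffic leaving unencrypted if the tunnel drops; that anti-leak forwarding rule has to live inside sys-vpn.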

Re: [qubes-users] VPN before sys-firewall ?

2019-07-10 Thread Luc libaweb
On Tuesday, July 9, 2019 23:22:23 UTC+2, Chris Laprise wrote:
> On 7/9/19 4:49 PM, Luc libaweb wrote:
> > Hello,
> > 
> > I read lot of things about VPN in Qubes OS.
> > 
> > I have mount a standalone VM with client VPN installed. This VPN VM connect 
> > to the network with sys-firewall.
> > 
> > Others VM connect them directly on this VM VPN.
> > 
> > So, AppVM connect to Netvm Standalone VM VPN connect to Netvm Sys-Firewall
> > 
> > It's good or not for security ? Maybe the VM VPN bypass the sys-Firewall ?
> > 
> 
> In practice, you won't see any difference between these configurations 
> unless you have placed special rules _inside_ sys-firewall (in the 
> /rw/config dir):
> 
> sys-vpn -> sys-firewall -> sys-net
> 
> sys-firewall -> sys-vpn -> sys-net
> 
> sys-vpn -> sys-net
> 
> The reason is that sys-vpn uses "provides network" and is thus a proxyVM 
> just like sys-firewall; if you add firewall rules to your appVMs, they 
> should be processed the same way in either sys-firewall or sys-vpn. As a 
> result, sys-vpn can perform both vpn and firewall functions. If you 
> consider sys-vpn's role to be trusted and low-risk, then the third 
> example can accomplish the same thing as the first two while consuming 
> less memory and CPU.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Thanks, so the default sys-firewall just blocks all incoming traffic separately. 
I think it's better to place sys-vpn after sys-firewall because the 
configuration of sys-vpn is just: install the VPN client and force 
auto-connection and autostart. If the VPN client app is compromised, 
sys-firewall still remains in between.



Re: [qubes-users] VPN before sys-firewall ?

2019-07-09 Thread Chris Laprise

On 7/9/19 4:49 PM, Luc libaweb wrote:
> Hello,
> 
> I have read a lot of things about VPNs in Qubes OS.
> 
> I have set up a standalone VM with a VPN client installed. This VPN VM 
> connects to the network through sys-firewall.
> 
> Other VMs connect directly to this VPN VM.
> 
> So: the AppVM's NetVM is the standalone VPN VM, and the VPN VM's NetVM is 
> sys-firewall.
> 
> Is this good or not for security? Maybe the VPN VM bypasses sys-firewall?



In practice, you won't see any difference between these configurations 
unless you have placed special rules _inside_ sys-firewall (in the 
/rw/config dir):


sys-vpn -> sys-firewall -> sys-net

sys-firewall -> sys-vpn -> sys-net

sys-vpn -> sys-net

The reason is that sys-vpn uses "provides network" and is thus a proxyVM 
just like sys-firewall; if you add firewall rules to your appVMs, they 
should be processed the same way in either sys-firewall or sys-vpn. As a 
result, sys-vpn can perform both vpn and firewall functions. If you 
consider sys-vpn's role to be trusted and low-risk, then the third 
example can accomplish the same thing as the first two while consuming 
less memory and CPU.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] VPN before sys-firewall ?

2019-07-09 Thread Luc libaweb
Hello,

I have read a lot of things about VPNs in Qubes OS.

I have set up a standalone VM with a VPN client installed. This VPN VM 
connects to the network through sys-firewall.

Other VMs connect directly to this VPN VM.

So: the AppVM's NetVM is the standalone VPN VM, and the VPN VM's NetVM is 
sys-firewall.

Is this good or not for security? Maybe the VPN VM bypasses sys-firewall?
