On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:
I would like to enable opensnitch firewall on every VM by default.
What do you think about this?
To be frank, it may look pretty, but it would be a big waste of CPU and memory resources while providing absolutely no additional security.
- A firewall that runs inside the AppVM is easily circumvented by any application or process running in that VM, thus no real security.
- You already have a real and secure firewall by default sitting in the sys-firewall VM, so why add an additional drain on your memory and CPU resources? Why not learn to use what you already have available?
- You already have the means to see what your AppVMs are connecting to if that is what you are after. You can simply run an app like etherape (wireshark, or tcpdump) in the sys-firewall VM and see everything being connected to, all in one app. But that does degrade the security model somewhat, because running any user-level apps there opens the attack surface a bit.
My suggestion is to learn the system you have first before adding all kinds of extra security compromising software/baggage that you don't really need.
On my setup this works very well. This should be the default!!
