On Fri, May 31, 2024 at 06:23:09PM -0000, qubist wrote:
> On Thu, 30 May 2024 14:48:41 -0400 Demi Marie Obenour wrote:
> 
> > Correct.
> 
> Then:
> 
> On Tue, 28 May 2024 16:49:51 -0400 Demi Marie Obenour wrote:
> 
> > How do you plan to handle sys-net and VPN qubes?
> 
> I can think of 2 options:
> 
> 1. Stick with prerouting for those interfaces
> 
> 2. Have some internal (in-qube) monitoring mechanism watching for new
> interfaces and create chains based on such events.
> 
> The problem with both options is that the firewall running inside
> sys-net is just as reliable as sys-net being free from userspace
> malware.

That's always the case. After all, your ingress rules are managed by
userspace too.

IMO static rules (the first option) are easier and more reliable (no need
for that monitoring mechanism to keep working).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab