Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is an ProxyVM connected to that VM/Qube.


1) I can configure firewall rules for a ProxyVM, but they are not actived, if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)

2) I can configure firewall rules for a AppVM, which will not be active if that VM is connected

And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ? I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).

b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)

c) A warning about DNS-Names in firewall rules

[c) A warning if a connected ProxyVM does not activate the firewall rules]

thank you,

Robert Mittendorf

M. Sc. Informatik Robert Mittendorf

DigiTrace GmbH - Kompetenz in IT-Forensik
Geschäftsführer: Alexander Sigel, Martin Wundram
Registergericht Köln, HR B 72919
USt-IdNr: DE278529699

Zollstockgürtel 59, 50969 Köln
Telefon: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-Mail: i...@digitrace.de

Haben Sie schon den DigiTrace-Newsletter abonniert?

DigiTrace ist Partner der Allianz für Cyber-Sicherheit
sowie Mitglied im nrw.units Netzwerk für IT-Sicherheit:

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to