On 2016-09-20 10:16, mittend...@digitrace.de wrote:
> Firewall rules are set for a specific VM/Qube. From common understanding
> people would probably think that those rules are active no matter what
> happens outside of that very VM/Qube, but in fact it seems like those rules
> are active if and only if there is a ProxyVM connected to that VM/Qube.
> 1) I can configure firewall rules for a ProxyVM, but they are not activated if
> that ProxyVM is connected to a NetVM (if I connect another ProxyVM in
> between, this might probably work?!)
Correct. Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.
> 2) I can configure firewall rules for an AppVM, which will not be active if
> that VM is connected
Assuming you meant "unconnected," that's right. The reasoning
here is that the purpose of firewall rules is to govern network
traffic. But if a VM has no NetVM (i.e., has no network access
at all), then there's no network traffic to govern.
> And: What happens if a ProxyVM does not implement the firewall service, or if
> the firewall service crashes in the ProxyVM ?
> I cannot find more information about the firewall mechanism than "centrally
> managed in Dom0 and exposed to each Proxy VM through Xen store" from
Take a look at these pages:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a
> b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains
> are rather unlikely to be used?!)
> c) A warning about DNS-Names in firewall rules
> [c) A warning if a connected ProxyVM does not activate the firewall rules]
Thanks! This general suggestion has previously been made
and is currently being tracked here:
Andrew David Wong (Axon)
Community Manager, Qubes OS
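
The enforcement behaviour discussed in this thread, modelled as an added example (not part of the original message and not Qubes code): a VM's firewall rules take effect only when the VM directly upstream of it is a ProxyVM. The inventory is constructed sample data, the function names are hypothetical, and the model assumes the upstream ProxyVM is actually running its firewall service.

```python
# Constructed inventory, not output from any Qubes tool.
# has_rules: custom firewall rules are configured for this VM.
INVENTORY = {
    "sys-net":      {"type": "NetVM",   "netvm": None,           "has_rules": False},
    "sys-firewall": {"type": "ProxyVM", "netvm": "sys-net",      "has_rules": True},
    "fw-inner":     {"type": "ProxyVM", "netvm": "sys-firewall", "has_rules": True},
    "work":         {"type": "AppVM",   "netvm": "sys-firewall", "has_rules": True},
    "direct":       {"type": "AppVM",   "netvm": "sys-net",      "has_rules": True},
    "vault":        {"type": "AppVM",   "netvm": None,           "has_rules": True},
    "banking":      {"type": "AppVM",   "netvm": "fw-inner",     "has_rules": False},
}


def rule_status(name, inventory):
    """Classify whether the rules configured for `name` are in effect."""
    vm = inventory[name]
    if not vm["has_rules"]:
        return "no-rules"
    upstream = vm["netvm"]
    if upstream is None:
        # No NetVM at all: there is no network traffic to govern.
        return "offline"
    if upstream not in inventory:
        raise KeyError(f"{name}: unknown upstream VM {upstream!r}")
    # Rules are applied by the VM directly upstream, and only a ProxyVM
    # applies them. This covers AppVMs and chained ProxyVMs alike.
    if inventory[upstream]["type"] == "ProxyVM":
        return "enforced"
    return "not-enforced"


def unenforced(inventory):
    """Names of networked VMs whose configured rules are silently inactive."""
    return sorted(n for n in inventory
                  if rule_status(n, inventory) == "not-enforced")


if __name__ == "__main__":
    for vm_name in INVENTORY:
        print(f"{vm_name:13} {rule_status(vm_name, INVENTORY)}")
    print("review:", ", ".join(unenforced(INVENTORY)))
```
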