On Wed, May 2, 2018 at 2:25 AM, Ivan Mitev <i...@maa.bz> wrote:

> Hi,
>
> On 05/02/2018 01:10 AM, Franz wrote:
> > Hello,
> >
> > is it possible to connect sys-usb to network? It seems impossible using
> > Qubes manager on 3.2.
>
> IIRC a VM must be stopped before being able to tweak its NetVM; did you
> do so before trying to add a NetVM to your sys-usb VM in Qubes manager?
> Did you also try with command line
> (`qvm-prefs sys-usb -s netvm sys-firewall`)?
>

Your command line works, but does not survive reboot. Also, even restarting it every time, the firewall cannot be configured because the system still believes that sys-usb is NOT connected to the network, even if it is. So it seems it is too complicated.

> > Reason to do that is that sys-usb already has USB controller assigned and
> > this is useful to use USB audio cards and play youtube music with decent
> > quality.
>
> I have more or less the same setup, only that I play music from a local
> NAS.
>
> > Is this a security problem? I imagine it is not since sys-usb is already
> > untrusted. It may even be possible to add a firewall rule to connect only
> > to youtube.
>
> Having networking in sys-usb will of course increase your attack surface
> (like "plug bad USB, VM is compromised, $HOME is uploaded to some remote
> site") but indeed, proper firewalling would restrict which sites you're
> able to connect to.
>
> The problem with youtube is that the ip addresses may be changing
> frequently, so simply defining "youtube.com" in your firewall rules may
> not work after some time (see issue #3641 [1]). Alternatively, find
> youtube's (or google) BGP AS number and add all the networks to your fw
> rules [2]; but there will be quite a lot of them...
>
> [1] https://github.com/QubesOS/qubes-issues/issues/3641
> [2] https://stackoverflow.com/questions/9342782/is-there-a-way-to-get-all-ip-addresses-of-youtube-to-block-it-with-windows-firew#19385835
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/01ec0d27-8403-cd26-437c-04b17fe1da6e%40maa.bz.
> For more options, visit https://groups.google.com/d/optout.