I take a more whitelist/controlled approach with my multiple DVMs. With 4.0 you can have multiple DVMs and have different DVMs for each domain (this can be changed in the "Advanced" tab in the AppVMs in 4.0). Very cool feature...
For example: I have a DVM set up for printing only. The firewall rules on that DVM are:

Address: Printer's wireless IP = 192.168.1.6 (fixed IP in my case)
Service (or port): 515 (Canon) or 9100 (HP); other ports might be needed, including 631, 427. Research your printer for what's required...
Protocol: TCP only

For my email IMAP AppVM (in the email AppVM "Firewall" tab), 2 rules:

Address: 66.11.4.135 (imap.fastmail.com)
Service (or port): 993
Protocol: TCP

Address: 66.11.4.140 (smtp.fastmail.com)
Service (or port): 465
Protocol: TCP

(To be honest, I use a different email provider, so the IP and ports are different, but you get the idea. This info, as with my own, is usually published on the site or available by asking the network admin.)

My "Web Surfing" DVM has no firewall rules, i.e. "Allow All", which I can also print from. This could be tightened up if needed...

I have played with my VPN AppVM as follows (kinda kill switch?):

Address: 168.1.75.17 (IP address to my VPN connection)
Service (or port): 1194
Protocol: TCP

You might have an AdminVM for your router, firewall or switch, which could be:

Address: 192.168.4.6
Service (or port): 31006 (I think there are +65000 ports available)
Protocol: TCP

My sys-firewall does not have any restrictions.

With this setup, I can:

a) Assign the Print DVM to my Vault and Email AppVM. I think this is most important for the email AppVM, to prevent a malicious attachment from "calling home" when opened (although it could go thru my printer?).
b) Assign the web surfing DVM to my "untrusted" domain.
c) Have a restricted AppVM for Web GUI admin functions.

I just take a more strict approach and block ALL, then whitelist when needed... for me this gives me what I need. Again, open to feedback if this is wrong...
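The print and email allowlists described in the post, written as dom0 `qvm-firewall` commands (an added example, not part of the original message). The qube names `print-dvm` and `email` are hypothetical, port 9100 is one of the printer ports the post lists, and each qube is assumed to still have its default accept rule at index 0.

```shell
#!/bin/sh
# Added example, not from the original post. Qube names are hypothetical;
# addresses and ports are the ones quoted in the post.
# Prints the commands by default; set APPLY=1 in dom0 to execute them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Usage: allowlist VM HOST:PROTO:PORT [HOST:PROTO:PORT ...]
# Assumes the qube still has its default "accept" rule at index 0.
allowlist() {
    vm=$1; shift
    # Insert the catch-all drop first, so the qube fails closed while
    # the accept rules are being added in front of it.
    run qvm-firewall "$vm" add --before 0 action=drop
    for rule in "$@"; do
        host=${rule%%:*}; rest=${rule#*:}
        proto=${rest%%:*}; port=${rest#*:}
        # Each accept goes to index 0, pushing the drop further down.
        run qvm-firewall "$vm" add --before 0 action=accept \
            "dsthost=$host" "proto=$proto" "dstports=$port-$port"
    done
    # Rules match top-down: accepts, then drop. The original accept-all
    # rule ends up below the drop and is never reached.
    # No DNS rule is added because every destination is a fixed IP.
}

# Printing-only DVM: the printer's fixed IP, raw-print port.
allowlist print-dvm 192.168.1.6:tcp:9100

# Email AppVM: IMAPS and SMTPS endpoints only.
allowlist email 66.11.4.135:tcp:993 66.11.4.140:tcp:465
```

After applying, `qvm-firewall email list` shows the resulting order; the accept rules should appear above the drop.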
