On Sat, Jan 19, 2019 at 07:55:17PM -0600, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 19/12/2018 6.37 PM, unman wrote:
> > On Wed, Dec 19, 2018 at 11:06:25PM +0000, mossy wrote:
> >> Hello all,
> >>
> >> I was looking to see if I could update an offline standalone VM, by
> >> appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
> >> have some questions.
> >>
> >> First, I noticed the lines:
> >>
> >> ~~~
> >> # Default rule for all TemplateVMs - direct the connection to sys-net
> >> $type:TemplateVM $default allow,target=sys-net
> >> ~~~
> >>
> >> Q1) Is this correct? Shouldn't updates be directed to sys-firewall
> >> instead of sys-net? Are all of our templates exposed to (untrusted)
> >> sys-net?
> >>
> >> Hopefully I am wrong about this, but either way I'd appreciate if
> >> someone could explain...
> >> [...]
> >
> > Q1. Yes, the default is to use sys-net. You can change this if you wish.
> > (I do)
> > The update proxy has always been set to sys-net by default.
> > The proxy used to filter traffic, but no longer does so. Again, I change
> > this behaviour.
> > [...]
>
> What do you change it to? sys-firewall?
>
> Why do you change it? Do you see some security risk with using sys-net?
> If so, should we file a bug report to have this changed by default?
>
I use a caching proxy (apt-cacher-ng) for all updates.
(I also don't allow outbound traffic from sys-net or sys-firewall, but
that's another story.)
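
Added example, not part of the thread and not Qubes code: a small Python check that reads policy text in the format quoted above and reports which qube each caller's `qubes.UpdatesProxy` request is directed to, taking the first matching rule. The override rule, the qube inventory and all function names are constructed for illustration, and the matcher is simplified to qube names, `$anyvm` and `$type:<class>` sources.

```python
# Added example: resolve which qube serves qubes.UpdatesProxy for a caller.
# Simplified matcher (assumption): sources are a qube name, $anyvm or $type:<class>.

# Constructed sample; only the TemplateVM rule is quoted from the thread.
SAMPLE_POLICY = """\
# Constructed override: send one standalone qube's updates elsewhere
offline-standalone $default allow,target=sys-firewall
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
"""

# Constructed inventory: qube name -> qube class
SAMPLE_QUBES = {
    "debian-9": "TemplateVM",
    "fedora-29": "TemplateVM",
    "offline-standalone": "StandaloneVM",
    "work": "AppVM",
}

def parse_policy(text):
    """Return rules as (source, dest, action, params) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        source, dest, spec = line.split(None, 2)
        action, *opts = [part.strip() for part in spec.split(",")]
        params = dict(opt.split("=", 1) for opt in opts)
        rules.append((source, dest, action, params))
    return rules

def source_matches(spec, name, qube_class):
    if spec == "$anyvm":
        return True
    if spec.startswith("$type:"):
        return spec[len("$type:"):] == qube_class
    return spec == name

def resolve(rules, name, qube_class, dest="$default"):
    """First matching rule wins; returns (action, target) or None if no rule matches."""
    for source, rule_dest, action, params in rules:
        if rule_dest == dest and source_matches(source, name, qube_class):
            return action, params.get("target")
    return None

def routed_via(rules, qubes, target):
    """Names of qubes whose update requests are allowed and sent to `target`."""
    return sorted(n for n, c in qubes.items()
                  if resolve(rules, n, c) == ("allow", target))
```

Calling `routed_via(parse_policy(text), qubes, "sys-net")` on a real policy file and inventory lists the qubes whose update traffic still terminates in sys-net.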
