On 8/10/19 5:12 AM, 799 wrote:
Hello,

Jon deps <[email protected] <mailto:[email protected]>> wrote on Wed., 3 July 2019, 22:30:

    am curious if anyone actually does this, and how, or would it make
    any sense instead to use a static sys-firewall, if I
    just have the default sys-firewall (which might be easier because
    there would not be a need for the PCI setup each time?)


What would be the better choice regarding attack surface:
  disposable netvm+firewallvm vs. mirage-firewall?
If I understand it right, the mirage firewall has no/fewer options to be compromised. I am using the mirage fw and am only using a fedora-30-minimal based sys-firewall to get dom0 updates, which can't be done via the mirage firewall.

But I'll also change this firewall to a static disposable FW.

Question:
Afaik the problem when using a static disposable sys-net VM is that I need to enter my WiFi credentials each time, as the VM will be unable to remember them.
Is there any way of tweaking this behaviour?

To get a similar result, adding Qubes-VM-hardening to your template would sanitize sys-net on each boot while retaining your wifi connection passwords. After installing, all you have to do is enable 'vm-boot-protect-root' Qubes service for the sys-net VM. By default, the contents of /home are retained, but you can change that by also enabling 'vm-boot-tag-qhome' which sets up a quarantine on /home.

(You can also use it to do minor per-VM customizations at startup, which allows more re-use of a template instead of having to make clones.)

The result isn't quite as secure as using a DispVM, because the Ext4 filesystem itself could (theoretically) be exploited. But I think it raises the bar quite a bit.

https://github.com/tasket/Qubes-VM-hardening

--

Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fc9440a-5d09-c043-26a5-6290befe7729%40posteo.net.