January 22, 2020 12:21 PM, "unman" <[email protected]> wrote:
> On Wed, Jan 22, 2020 at 03:09:31AM +0000, Claudia wrote:
>
>> January 21, 2020 7:04 PM, "Dan Krol" <[email protected]> wrote:
>>
>> So to clarify:
>>
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>>
>> When you say "need it enabled", you're just referring again to "provides
>> network", is that correct?
>>
>> And secondly: Do I understand correctly so long as any qube sits in between
>> two other qubes in the networking chain, it automatically acts as a basic
>> firewall? That's all that sys-firewall is?
>>
>> From what I understand, sys-firewall is special in that it dynamically
>> changes firewall rules for different VMs. That's where the firewall rules
>> in the VM Settings GUI and qvm-firewall are applied. If you just create a
>> new blank VM in place of sys-firewall, you can set up static firewall rules,
>> but it won't by default know how to do any of the dynamic / user-defined
>> rule stuff.
>
> This isn't quite true - there's nothing special about sys-firewall. *Any* qube
> which provides network (and has relevant packages installed) will
> provide dynamic firewall. If you use the full templates it will work
> automatically.

Ohhhh, so that's what "provides network" means? Now it's starting to make sense. Thanks for clarifying.

Is there anything special about any VMs, other than:

dom0: obviously

debian-10, fedora-30, whonix-{ws,gw}-15: install path is controlled by rpm, i.e. reinstalling the package would overwrite the templateVM image - unlike a user-created or cloned TemplateVM

sys-net: provides network, assigned PCI network devices by default, clocksyncd service

sys-usb: assigned USB controllers by default

sys-firewall: provides network, netVM=sys-net (as opposed to the global default of sys-firewall or sys-whonix)

sys-whonix: provides network, netVM=sys-firewall (as opposed to the global default of sys-whonix in some installations)

So in other words, you could delete any of these, and then just make a new VM with the same template and the same VM settings, and it would function just like the original, without any modifications inside the VM itself?

I've heard that recreating a broken sys-net for example is not that simple, so I assumed there was something special about the sys-* VMs (or at least sys-net). Is that not actually the case?
