On Tue, Mar 17, 2020 at 08:03:51AM -0700, [email protected] wrote:
> Qubes is the only well-maintained type-1 client hypervisor that exists as
> far as I know. I tried XenClient earlier in the decade, and it was an
> awesome product in my opinion. However, it ceased development.
>
> I think my use-case could be accomplished via iptables rules, but as I
> mentioned, I've never been very good with those rules and don't use it
> enough to have become proficient. This page is a good starting point and
> specifically mentions my use-case:
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
>
> However, rules have to be added to sys-firewall *and* each VM on a per-IP
> basis. I would think there is a way to add a rule to sys-firewall that
> would open networking between all VMs by using CIDR blocks. Yes? No?
>
> For those still concerned with security, it would always be possible to
> have two sys-firewall VMs: one to provide the default isolation and one to
> allow networking between systems. That would be a great setup, but I just
> don't know how to do it.
>
> On Monday, March 16, 2020 at 11:31:17 PM UTC-5, Sven Semmler wrote:
> >
> > On Mon, Mar 16, 2020 at 09:16:40PM -0700, [email protected] wrote:
> > > Interesting. It seems a little dated, though. Have you ever used it?
> > >
> > > On Monday, March 16, 2020 at 11:10:22 PM UTC-5, Sven Semmler wrote:
> > > > This looks like what you want:
> > > > https://github.com/Rudd-O/qubes-network-server
> > > > (last updated in Nov 2018)
> >
> > Nope. I don't have your use case. I wonder if plain vanilla hypervisors
> > wouldn't be a better fit for you.
> >
> > /Sven
The convention here is not to top-post. Please scroll to the bottom of the
message before you start typing. Or reply inline. It only takes you seconds,
makes it much easier to follow threads, and cumulatively saves your fellow
users hours.

In *full* knowledge of what you are doing you probably only need to add 1
rule at the sys-firewall level in the FORWARD chain:

    iifname "vif*" oifname "vif*" accept

You will still need to add incoming allow rules in the INPUT chain per qube,
depending on what service they offer. Not a huge issue.

The idea of having multiple sys firewalls is easy to implement, depending
on how you want it to work. Give some more detail on exactly what you want.
(Clearly stating the aim is the first step toward a solution.)

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200317155734.GC29569%40thirdeyesecurity.org.
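The two pieces of configuration the reply describes (one forwarding rule in sys-firewall, plus a per-qube inbound allow), written out as an added example that is not from the thread or from the Qubes project. It also takes up the original poster's CIDR question: the forwarding rule is scoped to the qube subnet and the inbound rule to one service port, rather than the bare `iifname "vif*" oifname "vif*" accept`, which lets every qube reach every other qube. The nftables table/chain names (`ip qubes-firewall` / `forward`), the use of an iptables `INPUT` chain in the service qube, the subnet `10.137.0.0/24` and port 22 are all assumptions to check on your own system before applying; with no argument the script only prints what it would apply.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): emit the two
# rules the reply describes. Run with "firewall" inside sys-firewall and
# with "server" inside the qube that offers a service. With no argument it
# only prints the rules so they can be reviewed first.
#
# Assumptions (verify before applying):
#   - sys-firewall keeps its forwarding policy in the nftables table
#     "ip qubes-firewall", chain "forward"      (check: nft list ruleset)
#   - the service qube filters inbound traffic in an iptables INPUT chain
#     (check: iptables -S INPUT)
#   - 10.137.0.0/24 is a constructed placeholder for the internal qube
#     network; read the real addresses from the qube settings or "ip addr"

QUBES_NET="${QUBES_NET:-10.137.0.0/24}"   # constructed placeholder subnet
SERVICE_PORT="${SERVICE_PORT:-22}"        # assumed service (ssh) on the server qube

# Rule for sys-firewall. The bare form from the reply,
#   iifname "vif*" oifname "vif*" accept
# forwards between any two qube interfaces. Adding source/destination
# CIDR matches and a conntrack state match limits it to qube-to-qube
# traffic on the expected subnet and nothing else.
firewall_rules() {
    printf 'add rule ip qubes-firewall forward iifname "vif*" oifname "vif*" ip saddr %s ip daddr %s ct state new,established,related accept\n' \
        "$QUBES_NET" "$QUBES_NET"
}

# Rule for the qube offering the service: the per-qube INPUT allow the
# reply mentions, restricted to the single port actually served.
server_rules() {
    printf 'iptables -I INPUT -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$QUBES_NET" "$SERVICE_PORT"
}

case "${1:-}" in
    firewall) firewall_rules | nft -f - ;;   # apply in sys-firewall
    server)   server_rules | sh ;;           # apply in the service qube
    *)
        echo "# sys-firewall (feed to: nft -f -):"; firewall_rules
        echo "# service qube (run as root):";       server_rules
        ;;
esac
```

Neither rule survives a reboot on its own; where you persist it depends on your Qubes version, so check the firewall documentation linked earlier in the thread for the current mechanism. The point of scoping the rules is that the blanket vif-to-vif accept silently removes the isolation sys-firewall otherwise provides between qubes, whereas the CIDR- and port-limited pair only opens the path that was actually asked for.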
