On Saturday, 22 August 2020 at 18:57:22 UTC+8 Frank Schäckermann wrote:

> I am not sure what you mean with „behind a vpn vm“.
>
> My setup is such that I have the sys-net VM which is used as network vm in 
> sys-firewall and a few sys-vpn-xxx. sys-firewall in turn is used as network 
> vm for all app VMs that connect directly to the internet and the 
> sys-vpn-xxx VMs are used by various VMs that connect through the various 
> VPNs. There is no need for extra proxy or firewall VMs, since the 
> sys-vpn-xxx can themselves double as firewall VMs, since they are proxy VMs 
> already. Therefore any rules specified in any of the app VMs (no matter if 
> directly connected through sys-firewall or indirectly through a vpn) are 
> taken care of by the network vm they are connected to. And I have never had 
> a problem with this setup. At least none, that I am aware of.  ;-)
>

Thank you for your time, Frank.

Right now my setup is as follows:

*Internet -- sys-net (disp) -- sys-firewall-1 (disp) -- sys-vpn (disp) -- 
sys-firewall-2 (disp) -- appVMs*

I chose to separate sys-vpn and sys-firewall-2 despite knowing that sys-vpn 
can also act as a firewall. This is because I want to have another layer of 
isolation, so that a compromised sys-vpn wouldn't bring down the firewall 
that filters the contents of the VPN connection. Is this setup causing 
issues for the upstream firewalls? If so, why would it be, since the number 
of downstream firewalls is the same in both our setups.

> Also don’t forget, that a proxy vm set as network vm for your sys-vpn, will 
> never see anything other than the sys-vpn connecting to your vpn provider’s 
> server. Therefore any rules specified in your sys-vpn are pretty much 
> useless.
>

The way I understand how firewalls work in Qubes is that the firewall 
executes rules for upstream VMs, so using my setup as an example, 
firewall-1 takes orders from sys-vpn, while firewall-2 takes orders from 
the appVMs. Firewall-1 is therefore important for stopping unwanted inbound 
connections from reaching sys-vpn and also acts as a final gatekeeper 
against unwanted outbound leaks. Having only one whitelist rule for the VPN 
set in sys-vpn, which itself doesn't have qubes-firewall.service started by 
default (I checked) makes it so that only the VPN connection can go past 
firewall-1 (assuming the firewall is functioning), so it's not useless.

*Tl;dr* FW-1 restricts connection to VPN only, FW-2 filters connections 
from the VPN, sys-VPN doesn't start qubes-firewall.service (at least with 
debian-10-minimal), even though it technically should.
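The rule the poster relies on (a qube's firewall rules are applied by the VM set as its netvm, and only if qubes-firewall.service is running there) can be checked mechanically against a given chain. The script below is an added illustration written for this note, not code from the thread or from Qubes itself; the topology and the set of VMs running the service are constructed to match the poster's description, and the enforcement semantics are assumed from the poster's explanation rather than taken from Qubes documentation.

```python
"""Audit which VM enforces whose firewall rules in a chain of Qubes netvms.

Assumed model (from the poster's description, not verified against Qubes):
  * a qube's own rules are enforced by the VM configured as its netvm;
  * they are only actually applied if qubes-firewall.service runs in
    that netvm.
"""


def enforcer(vm, netvm_of):
    """Return the VM that would enforce `vm`'s rules (its netvm), or None."""
    return netvm_of.get(vm)


def path_to_internet(vm, netvm_of):
    """List the VMs `vm`'s traffic traverses, nearest first, up to the
    VM with no netvm. Guards against a misconfigured loop."""
    chain, seen = [], {vm}
    upstream = enforcer(vm, netvm_of)
    while upstream is not None:
        if upstream in seen:
            raise ValueError("netvm loop involving %s" % upstream)
        seen.add(upstream)
        chain.append(upstream)
        upstream = enforcer(upstream, netvm_of)
    return chain


def audit(netvm_of, service_running):
    """Map each VM to (enforcing VM, True if its rules are really applied)."""
    report = {}
    for vm in netvm_of:
        upstream = enforcer(vm, netvm_of)
        if upstream is None:
            # Attached to hardware directly: nothing upstream applies rules.
            report[vm] = (None, False)
        else:
            report[vm] = (upstream, upstream in service_running)
    return report


def unenforced(netvm_of, service_running):
    """VMs whose rules exist in the config but are silently not applied."""
    return sorted(
        vm for vm, (up, ok) in audit(netvm_of, service_running).items()
        if up is not None and not ok
    )


# Constructed topology mirroring the poster's chain:
# Internet -- sys-net -- sys-firewall-1 -- sys-vpn -- sys-firewall-2 -- appVMs
NETVM_OF = {
    "sys-net": None,
    "sys-firewall-1": "sys-net",
    "sys-vpn": "sys-firewall-1",
    "sys-firewall-2": "sys-vpn",
    "work": "sys-firewall-2",
    "personal": "sys-firewall-2",
}

# Constructed: sys-vpn is left out, as the poster observed the service
# does not start there with debian-10-minimal.
SERVICE_RUNNING = {"sys-net", "sys-firewall-1", "sys-firewall-2"}


if __name__ == "__main__":
    for vm, (up, ok) in audit(NETVM_OF, SERVICE_RUNNING).items():
        status = "enforced" if ok else "NOT enforced"
        print("%-15s rules applied by %-15s %s" % (vm, up, status))
    print("path for 'work':", " -> ".join(path_to_internet("work", NETVM_OF)))
    print("rules silently ignored for:", unenforced(NETVM_OF, SERVICE_RUNNING))
```

Run against this topology, the audit agrees with the poster on sys-vpn's own whitelist rule (applied by sys-firewall-1, where the service runs) but also flags the consequence the thread does not spell out: any rules written for sys-firewall-2 itself would be applied by sys-vpn and are therefore not enforced while the service is down there. The `path_to_internet` helper shows which VMs a given qube's traffic crosses, which is what decides where a leak could be stopped.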


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fbbb7d87-30d3-4176-9e3a-29f609823de9n%40googlegroups.com.