On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> 
> > On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
> 
> >> 
> >> Would you let my Qube, which is supposed to connect to only one IP address
> >> on the internet, be based on an extra firewall-vm? Would that be more secure?
> 
> > You could do this: it would have one particular advantage, in that you
> > could set custom rules in sys-net to restrict access from that
> > sys-firewall to the specified IP address.
> 
> Do you have an example of the command line commands you use to set such 
> custom rules in an ordinary debian or fedora sys-net?

Qubes uses NAT, so sys-net sees all traffic coming from the IP address
of sys-firewall.
If your new fw has IP 10.137.0.200
and the target is 195.10.223.181,

`nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
`nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`

would do it.
Adjust for your case, of course.

> 
> >> In the Qube settings for the services there is the service
> >> "disable-default-route". I have not found anything about what it does. In 
> >> my
> >> case, would it be better to leave it on or turn it off?
> 
> > man qvm-service - this service will remove the default gateway entry. So
> > a qube would be able to access immediate neighbours but not step beyond.
> > It's not what you want here.
> 
> What are the immediate neighbors of a qube?

Qubes that are connected - the netvm, or a qube for which *this* is the
netvm.

> 
> Can both a qube using the default route and a qube with the 
> disable-default-route service turned on access its immediate neighbors, or 
> only a qube with the disable-default-route service turned on?

You can always access immediate neighbours, but will have to adjust the
default firewall rules.
Look at
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

> 
> In what situation is it useful for a qube to be able to access its immediate 
> neighbors?

Explained on that page: most useful is file exchange with no Qubes
tools installed, but also for testing network code, new pgp or ssh
keys, etc.

> 
> All the best
> Michael
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210717102948.GG419%40thirdeyesecurity.org.
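As an added example that is not part of unman's reply or of Qubes OS itself: the Python below builds the two nft commands from the reply for a given firewall-vm address and target, and then evaluates constructed sample packets against them with nft's first-match semantics. That makes the practical consequence of the catch-all drop visible: once the accept rule is in place, everything else sourced from that firewall-vm is dropped in sys-net, including any DNS lookup it tries to send out, so the target has to be addressed by IP, while traffic from sys-net's other clients falls through to the normal rules untouched. The addresses 10.137.0.200 and 195.10.223.181 are the reply's own illustrative values; Packet, Rule, pin_rules, nft_commands, forward_verdict and SAMPLES are names chosen here, and the evaluator is a small model of a FORWARD chain, not nft.

```python
"""Model of the two sys-net FORWARD rules from the reply above.

Added example, not code from the qubes-users thread or from Qubes OS.
Assumed values (taken from the reply, illustrative only): firewall-vm
10.137.0.200, target 195.10.223.181, TCP 443.  The evaluator is a minimal
model of an nft chain; apply the generated commands inside sys-net to
enforce the policy for real.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    saddr: Optional[str]
    daddr: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    verdict: str                 # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        """Every set field must match; unset fields are wildcards."""
        if self.saddr and ip_address(pkt.saddr) != ip_address(self.saddr):
            return False
        if self.daddr and ip_address(pkt.daddr) != ip_address(self.daddr):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def to_nft(self, index: int, table: str = "filter",
               chain: str = "FORWARD") -> str:
        """Render as the 'nft insert rule' command form used in the reply."""
        parts = [f"nft insert rule {table} {chain} index {index}"]
        if self.saddr:
            parts.append(f"ip saddr {self.saddr}")
        if self.daddr:
            parts.append(f"ip daddr {self.daddr}")
        if self.proto and self.dport is not None:
            parts.append(f"{self.proto} dport {self.dport}")
        elif self.proto:
            parts.append(f"ip protocol {self.proto}")
        parts.append(self.verdict)
        return " ".join(parts)


def pin_rules(fw_ip: str, target_ip: str, target_port: int = 443) -> List[Rule]:
    """Accept one TCP destination from the firewall-vm, drop everything else
    it sends.  Order matters: nft stops at the first rule with a verdict."""
    for addr in (fw_ip, target_ip):
        ip_address(addr)         # ValueError on a malformed address
    return [
        Rule(fw_ip, target_ip, "tcp", target_port, "accept"),
        Rule(fw_ip, None, None, None, "drop"),
    ]


def nft_commands(rules: List[Rule]) -> List[str]:
    """Same index numbering as the reply (1, 2, ...) so the rules sit at the
    head of FORWARD, accept first and the catch-all drop right behind it."""
    return [rule.to_nft(i + 1) for i, rule in enumerate(rules)]


def forward_verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; 'continue' means none of the custom rules
    matched and sys-net's own FORWARD rules take over."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.verdict
    return "continue"


# Constructed sample traffic as seen in sys-net's FORWARD chain (after NAT,
# everything from behind the extra firewall-vm carries its address).
SAMPLES = [
    Packet("10.137.0.200", "195.10.223.181", "tcp", 443),  # the one allowed flow
    Packet("10.137.0.200", "195.10.223.181", "tcp", 80),   # same host, wrong port
    Packet("10.137.0.200", "1.1.1.1", "udp", 53),          # DNS to some resolver
    Packet("10.137.0.200", "195.10.223.181", "icmp"),      # ping to the target
    Packet("10.137.0.10", "1.1.1.1", "tcp", 443),          # a different client of sys-net
]

if __name__ == "__main__":
    rules = pin_rules("10.137.0.200", "195.10.223.181")
    print("\n".join(nft_commands(rules)))
    for pkt in SAMPLES:
        print(f"{pkt.saddr} -> {pkt.daddr} {pkt.proto}/{pkt.dport}: "
              f"{forward_verdict(rules, pkt)}")
```

The reply writes `tcp dport https`, which nft resolves through /etc/services; the generator emits the port number directly, which is equivalent and does not depend on that file. Before applying the commands, run `nft list ruleset` in your sys-net and confirm the table and chain names actually carrying forwarded traffic there, since the rules only help if they sit in that chain; and put them in sys-net's /rw/config/rc.local if they are to survive a restart of the qube.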