On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote> On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote: >> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote: >> >>> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote: >> >>>> >>>> Would you let my Qube, which is supposed to connect to only one IP address >>>> on >>>> the internet, be based on an extra firewall-vm? Would that more secure? >> >>> You could do this: it would have one particular advantage, in that you >>> could set custom rules in sys-net to restrict access from that >>> sys-firewall to the specified IP address. >> >> Do you have an example of the command line commands you use to set such >> custom rules in an ordinary debian or fedora sys-net? > > Qubes uses NAT, so sys-net sees all traffic coming from the IP address > of sys-firewall. > If you new fw has IP - 10.137.0.200 > And target is 195.10.223.181 > > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr > 195.10.223.181 tcp dport https accept` > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop` > > Would do it. > Adjust for your case, of course
Many thanks, unman! This is well explained. Allow one more question: How would you do the same if sys-net is based on a OpenBSD template? Best regards Michael Singer -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6dd537a2-854d-73fa-4d31-595a72638212%40posteo.de.