On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
>> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
>>> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
>>>> Would you let my Qube, which is supposed to connect to only one IP address on
>>>> the internet, be based on an extra firewall-vm? Would that be more secure?
>>> You could do this: it would have one particular advantage, in that you
>>> could set custom rules in sys-net to restrict access from that
>>> sys-firewall to the specified IP address.
>> Do you have an example of the command line commands you use to set such 
>> custom rules in an ordinary debian or fedora sys-net?
> Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> of sys-firewall.
> If your new fw has IP -
> And target is
> `nft insert rule filter FORWARD index 1 ip saddr ip daddr tcp dport https accept`
> `nft insert rule filter FORWARD index 2 ip saddr drop`
> Would do it.
> Adjust for your case, of course

Many thanks, unman! This is well explained. Allow one more question: How would
you do the same if sys-net is based on an OpenBSD template?

Best regards
Michael Singer
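As an added example, not code from the thread or from the Qubes project, the restriction unman describes above (sys-net only forwards traffic from the extra firewall VM's NATed address to one host on TCP/443, and drops everything else from it) written as a small script for a Linux sys-net. Instead of inserting two rules by index into the Qubes-managed FORWARD chain, it builds a complete nft ruleset in its own table so that re-running it is idempotent and the Qubes chains are left alone. The firewall VM address 10.137.0.20, the target 203.0.113.5, the table name and the function names are assumptions for illustration; the OpenBSD/pf question raised in this message is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): restrict what one
# sys-firewall may reach, enforced in sys-net. Because Qubes NATs each VM at
# its netvm, sys-net sees all of that firewall's traffic with a single source
# address (FW_IP below). Addresses and names here are hypothetical.
set -eu

TABLE=single-host-restrict   # own table; the Qubes-managed chains stay untouched

# gen_ruleset FW_IP TARGET_IP [PORT]: print a complete ruleset for `nft -f`.
gen_ruleset() {
    fw_ip=$1
    target_ip=$2
    port=${3:-443}
    cat <<EOF
# Declare-then-delete so reloading works whether or not the table exists yet.
table ip $TABLE
delete table ip $TABLE
table ip $TABLE {
    chain forward {
        # priority -10 runs before the default filter chain (priority 0): a
        # drop here is final, an accept still traverses the Qubes FORWARD chain.
        type filter hook forward priority -10; policy accept;

        # The one permitted flow: firewall VM -> target host, TCP/$port only.
        ip saddr $fw_ip ip daddr $target_ip tcp dport $port accept

        # Everything else this firewall VM forwards (DNS included) is logged
        # and dropped. Replies from the target have the target as saddr, so
        # they are not affected by this rule.
        ip saddr $fw_ip log prefix "single-host-restrict drop: " counter drop
    }
}
EOF
}

# apply_ruleset FW_IP TARGET_IP [PORT]: syntax-check with `nft -c`, then load.
apply_ruleset() {
    tmp=$(mktemp)
    gen_ruleset "$@" > "$tmp"
    nft -c -f "$tmp"       # dry run: parse only, change nothing
    nft -f "$tmp"          # atomic load of the whole table
    rm -f "$tmp"
    nft list table ip "$TABLE"
}

# Run in sys-net as root, e.g.:  sh restrict.sh apply 10.137.0.20 203.0.113.5
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$2" "$3" "${4:-443}"
fi
```

Two practical notes. The catch-all drop also stops DNS queries that the qube sends through this firewall VM, which is the intended outcome when the qube only ever talks to one fixed IP; if it needs to resolve a hostname first, a second accept line for the resolver is required. And since Qubes rebuilds sys-net's firewall on startup, the script has to be re-run after each boot of sys-net (for example from /rw/config/rc.local) for the table to persist.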

