On Mon, Jul 26, 2021 at 08:09:52AM +0000, Michael Singer wrote:
> On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
> >> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> >>
> >>> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
> >>>>
> >>>> Would you let my Qube, which is supposed to connect to only one IP
> >>>> address on the internet, be based on an extra firewall-vm? Would that
> >>>> be more secure?
> >>
> >>> You could do this: it would have one particular advantage, in that you
> >>> could set custom rules in sys-net to restrict access from that
> >>> sys-firewall to the specified IP address.
> >>
> >> Do you have an example of the command line commands you use to set such
> >> custom rules in an ordinary Debian or Fedora sys-net?
> >
> > Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> > of sys-firewall.
> > If your new fw has IP 10.137.0.200
> > and the target is 195.10.223.181
> >
> > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> >
> > would do it.
> > Adjust for your case, of course.
>
> Many thanks, unman! This is well explained. Allow one more question: How
> would you do the same if sys-net is based on an OpenBSD template?
>
> Best regards
> Michael Singer
openBSD in Qubes - Excellent!

You would want something like:

pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210730134003.GF19478%40thirdeyesecurity.org.
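As an added example (not part of the thread, and not unman's or the Qubes project's code), the script below generates the same "one firewall VM may reach exactly one host on 443" policy for both sys-net flavours discussed above, once as a loadable nftables ruleset for a Linux sys-net and once as a pf.conf fragment for an OpenBSD sys-net, and checks that each rule set carries both the narrow allow and the catch-all deny. The table name `qubes_restrict`, the hook priority, the use of a dedicated chain instead of `insert ... index N`, the interface name and the function names are assumptions. The pf fragment puts an explicit `block` before the `pass`: pf passes traffic by default, evaluates every rule and takes the last match, so the single pass rule quoted above only restricts the firewall VM once a block rule for its address precedes it.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the one-VM-to-one-host
# policy as an nft ruleset (Linux sys-net) and as a pf.conf fragment (OpenBSD
# sys-net). The addresses 10.137.0.200 / 195.10.223.181 and the interface dc0
# are the values quoted in the thread; everything else is an assumption.

# nftables: a dedicated table and chain hooked into forward (assumed layout),
# so the policy does not depend on the rule order of Qubes' own regenerated
# chains the way "nft insert rule filter FORWARD index N" does.
# nft evaluates a chain top-down and the first matching verdict wins, so the
# narrow accept must come before the catch-all drop. Load with: nft -f FILE
gen_nft_ruleset() {
    fw_ip=$1; dst_ip=$2
    cat <<EOF
table inet qubes_restrict {
    chain forward {
        type filter hook forward priority -10; policy accept;
        ip saddr ${fw_ip} ip daddr ${dst_ip} tcp dport 443 accept
        ip saddr ${fw_ip} drop
    }
}
EOF
}

# pf: LAST matching rule wins (no "quick" used here) and an unmatched packet
# passes, so the block must come first and the pass overrides it only for the
# one permitted flow. Load with: pfctl -f FILE
gen_pf_rules() {
    fw_ip=$1; dst_ip=$2; iface=$3
    cat <<EOF
block out on ${iface} from ${fw_ip}
pass out on ${iface} proto tcp from ${fw_ip} to ${dst_ip} port 443
EOF
}

# Sanity check for a generated rule set: it must contain a rule that allows
# fw_ip -> dst_ip on 443 AND a rule that denies everything else from fw_ip.
# A lone pass/accept rule does not restrict anything (pf) or depends on rules
# outside the policy (nft); a lone drop/block cuts the VM off entirely.
# Returns 0 when both halves are present, 1 otherwise.
policy_is_complete() {
    rules=$1; fw_ip=$2; dst_ip=$3
    printf '%s\n' "$rules" | grep -F "$fw_ip" | grep -F "$dst_ip" \
        | grep -Eq '443.*accept|pass .*443' || return 1
    printf '%s\n' "$rules" | grep -F "$fw_ip" | grep -Eq 'drop|block' || return 1
    return 0
}

# Usage when run directly: print both rule sets for the thread's values.
if [ "${1:-}" = "show" ]; then
    gen_nft_ruleset 10.137.0.200 195.10.223.181
    echo
    gen_pf_rules 10.137.0.200 195.10.223.181 dc0
fi
```

Running `sh restrict.sh show` prints both fragments; `policy_is_complete` is the check to run on any hand-edited variant before loading it, since the failure mode on pf (a pass-only ruleset) silently leaves the firewall VM unrestricted.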