Re: [qubes-users] using static dispVM for sys-net
On 8/10/19 5:12 AM, 799 wrote:
> Hello,
>
> Jon deps <yreb...@riseup.net> wrote on Wed., 3 July 2019, 22:30:
>> I am curious if anyone actually does this, and how, or would it make any
>> sense instead to use a static sys-firewall, if I just have the default
>> sys-firewall (which might be easier because there would not be a need for
>> the PCI setup each time)
>
> What would be the better choice regarding attack surface:
> disposable netvm+firewallvm vs. mirage-firewall?
> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and am only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
>
> But I'll also change this firewall to a static disposable FW.
>
> Question:
> Afaik the problem when using a static disposable sys-net VM is that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way of tweaking this behaviour?

To get a similar result, adding Qubes-VM-hardening to your template would sanitize sys-net on each boot while retaining your wifi connection passwords. After installing, all you have to do is enable the 'vm-boot-protect-root' Qubes service for the sys-net VM. By default, the contents of /home are retained, but you can change that by also enabling 'vm-boot-tag-qhome', which sets up a quarantine on /home. (You can also use it to do minor per-VM customizations at startup, which allows more re-use of a template instead of having to make clones.)

The result isn't quite as secure as using a DispVM, because the Ext4 filesystem itself could (theoretically) be exploited. But I think it raises the bar quite a bit.

https://github.com/tasket/Qubes-VM-hardening

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5fc9440a-5d09-c043-26a5-6290befe7729%40posteo.net.
Re: [qubes-users] using static dispVM for sys-net
799:
> What would be the better choice regarding attack surface:
> disposable netvm+firewallvm vs. mirage-firewall?

You still need a netvm with Mirage, but smallest attack surface alone is disposable netvm + Mirage. "Disposable" doesn't increase or decrease attack surface, though. It helps against persistence: if something managed to compromise sys-net's rw area, it would be gone next reboot.

> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and am only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
>
> But I'll also change this firewall to a static disposable FW.

If you're using Mirage for a firewall, you don't need that fedora-30 sys-firewall inline any more. That might be what you have already done. You could create a sys-update and place it anywhere behind the Mirage firewall.

> Question:
> Afaik the problem when using a static disposable sys-net VM is that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way of tweaking this behaviour?

Put them in the custom DVM template you base the disposable sys-net from: https://www.mail-archive.com/qubes-users@googlegroups.com/msg26895.html
Re: [qubes-users] using static dispVM for sys-net
Hello,

Jon deps wrote on Wed., 3 July 2019, 22:30:
> I am curious if anyone actually does this, and how, or would it make any
> sense instead to use a static sys-firewall, if I just have the default
> sys-firewall (which might be easier because there would not be a need for
> the PCI setup each time)

What would be the better choice regarding attack surface:
disposable netvm+firewallvm vs. mirage-firewall?
If I understand it right the mirage firewall has no/less option to be compromised.
I am using the mirage fw and am only using a fedora-30-minimal based sys-firewall to get dom0-updates, which can't be done via the mirage firewall.

But I'll also change this firewall to a static disposable FW.

Question:
Afaik the problem when using a static disposable sys-net VM is that I need to enter my Wifi Credentials each time, as the VM will be unable to remember them.
Is there any way of tweaking this behaviour?

799
Re: [qubes-users] using static dispVM for sys-net
Jon deps:
> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
>
> I can't really understand what the differences would be with a static
> dispvm (based on a dispvm-template) vs just a regular sys-net
>
> if nothing is disposed (static) isn't it just the same

"Static" there refers to the name and VM configuration, not the contents. You only have to set them up once, not every time.
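As an added illustration, not part of any message in this thread and not code from the Qubes project or from Qubes-VM-hardening: the dom0 commands behind the two replies above. The "static" disposable sys-net gets its name, PCI device and settings fixed once, while its root and private volumes are rebuilt from the DVM template on every start; a disposable firewall sits behind it; and, for the alternative Chris Laprise describes, the `vm-boot-protect-root` service is switched on for a persistent sys-net whose template has Qubes-VM-hardening installed. The VM names `sys-net-dvm`, `disp-sys-net` and `disp-sys-firewall` and the PCI address `dom0:XX_YY.Z` are placeholders I chose; only `fedora-30-minimal` comes from the thread. The script prints the planned commands and runs them only when invoked in dom0 with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): plan, and with
# APPLY=1 run in dom0, the qvm-* commands for a static disposable sys-net and
# firewall, plus the Qubes-VM-hardening service switch for a persistent sys-net.
set -eu

# Names are assumptions, not from the thread; override them via the environment.
TEMPLATE="${TEMPLATE:-fedora-30-minimal}"     # the template named in the thread
DVM_TEMPLATE="${DVM_TEMPLATE:-sys-net-dvm}"   # disposable template (assumed name)
NET_VM="${NET_VM:-disp-sys-net}"              # static disposable netvm (assumed name)
FW_VM="${FW_VM:-disp-sys-firewall}"           # static disposable firewall (assumed name)
# Placeholder PCI address of the network card; take the real one from `qvm-pci`.
NET_PCI="${NET_PCI:-dom0:XX_YY.Z}"

# Dry run by default: print each dom0 command on one line (empty arguments are
# shown as ''). APPLY=1 executes the command instead.
run() {
  if [ "${APPLY:-0}" = 1 ]; then
    "$@"
  else
    for arg in "$@"; do
      case "$arg" in '') printf "'' " ;; *) printf '%s ' "$arg" ;; esac
    done
    printf '\n'
  fi
}

# Disposable template: an AppVM whose private volume seeds every disposable
# made from it. Connect to the Wi-Fi once from this VM so NetworkManager saves
# the profile here; each fresh disposable then starts with the saved connection.
plan_dvm_template() {
  run qvm-create --class AppVM --template "$TEMPLATE" --label red "$DVM_TEMPLATE"
  run qvm-prefs "$DVM_TEMPLATE" template_for_dispvms True
}

# Static disposable netvm: fixed name and settings, fresh volumes on every
# start, so a compromise of the rw area does not survive a reboot.
plan_disposable_net() {
  run qvm-create --class DispVM --template "$DVM_TEMPLATE" --label red "$NET_VM"
  run qvm-prefs "$NET_VM" virt_mode hvm          # PCI passthrough requires HVM
  run qvm-service "$NET_VM" meminfo-writer off   # fixed memory for a PCI-holding VM
  run qvm-prefs "$NET_VM" autostart True
  run qvm-prefs "$NET_VM" netvm ''               # top of the chain: no upstream netvm
  run qvm-prefs "$NET_VM" provides_network True
  run qvm-pci attach --persistent --option no-strict-reset=True "$NET_VM" "$NET_PCI"
}

# Static disposable firewall behind the netvm, made from the same template,
# and set as the default netvm for other qubes.
plan_disposable_fw() {
  run qvm-create --class DispVM --template "$DVM_TEMPLATE" --label green "$FW_VM"
  run qvm-prefs "$FW_VM" autostart True
  run qvm-prefs "$FW_VM" netvm "$NET_VM"
  run qvm-prefs "$FW_VM" provides_network True
  run qubes-prefs default_netvm "$FW_VM"
}

# Alternative from the thread: keep a persistent sys-net, but with
# Qubes-VM-hardening in its template and its boot-time root check enabled.
plan_hardened_net() {
  run qvm-service "${HARDENED_NET_VM:-sys-net}" vm-boot-protect-root on
}

plan_dvm_template
plan_disposable_net
plan_disposable_fw
plan_hardened_net
```

Because a disposable's private volume is seeded from its DVM template, a Wi-Fi profile saved while connected from the DVM template itself is present in every fresh `disp-sys-net`; that is the mechanism behind the answer to the credentials question above. The plan is printed before anything is changed so the PCI address and names can be checked against `qvm-pci` and `qvm-ls` first.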
[qubes-users] using static dispVM for sys-net
I am curious if anyone actually does this, and how, or would it make any sense instead to use a static sys-firewall, if I just have the default sys-firewall (which might be easier because there would not be a need for the PCI setup each time)

https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

I can't really understand what the differences would be with a static dispvm (based on a dispvm-template) vs just a regular sys-net.

If nothing is disposed (static), isn't it just the same?