qubes-doc/QubesFirewall.md

---
layout: wiki
title: QubesFirewall
permalink: /wiki/QubesFirewall/
---

Understanding Qubes networking and firewall
===========================================

Understanding firewalling in Qubes
----------------------------------

Every AppVM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed.

For more information, see the following:

-   [https://groups.google.com/group/qubes-devel/browse\_thread/thread/9e231b0e14bf9d62](https://groups.google.com/group/qubes-devel/browse_thread/thread/9e231b0e14bf9d62)
-   [http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html)

How to edit rules
-----------------

In order to edit rules for a given domain, select this domain in the Qubes Manager and press the "firewall" button:

[![No image "r2b1-manager-firewall.png" attached to QubesFirewall](/chrome/common/attachment.png "No image "r2b1-manager-firewall.png" attached to QubesFirewall")](/attachment/wiki/QubesFirewall/r2b1-manager-firewall.png)

Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment of applying the rules*, and not on the fly for each new connection. This means it will not work for serves using load balancing. More on this in the message quoted below.

Alternatively, one can use the `qvm-firewall` command from Dom0 to edit the firewall rules by hand:
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
+								---
 								layout: wiki
 								title: QubesFirewall
 								permalink: /wiki/QubesFirewall/
 								---
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								Understanding Qubes networking and firewall
 								===========================================
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								Understanding firewalling in Qubes
 								----------------------------------
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								Every AppVM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed.
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								For more information, see the following:
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								-   [https://groups.google.com/group/qubes-devel/browse\_thread/thread/9e231b0e14bf9d62](https://groups.google.com/group/qubes-devel/browse_thread/thread/9e231b0e14bf9d62)
 								-   [http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html)
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								How to edit rules
 								-----------------
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								In order to edit rules for a given domain, select this domain in the Qubes Manager and press the "firewall" button:
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

screenshot of qubes manager firewall

											
										
										
											2013-01-01 07:27:53 -05:00
+								[![No image "r2b1-manager-firewall.png" attached to QubesFirewall](/chrome/common/attachment.png "No image "r2b1-manager-firewall.png" attached to QubesFirewall")](/attachment/wiki/QubesFirewall/r2b1-manager-firewall.png)
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
 								Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment of applying the rules*, and not on the fly for each new connection. This means it will not work for serves using load balancing. More on this in the message quoted below.
-												QubesFirewall changed

Initial version

											
										
										
											2011-04-15 03:59:12 -04:00
-												QubesFirewall changed

Qubes firewall description improvements

											
										
										
											2013-01-01 07:26:47 -05:00
+								Alternatively, one can use the `qvm-firewall` command from Dom0 to edit the firewall rules by hand: