This VM controls the traffic for AppVMs and can be used to restrict what AppVMs can send or receive.
The traffic rules can be setup using the filtering rules GUI in Qubes VM manager.
The manager translates user-defined setup into iptables rules for the firewall VM's kernel.
The primary goal of the filtering rule setup in the firewall VM is to allow for the user to protect either from his own mistakes (like accessing an arbitrary website from a browser running in a banking VM) or from the mistakes of websites (like a banking website that loads JS code from a social network operator when the user logs into the bank).
As the rules in the firewall are IP-based, it has drawbacks.
First, the rules cannot be used if one has to use an HTTP proxy to connect to websites (a common setup on corporate networks).
Second, Qubes resolves DNS names from the firewall rules when the AppVM loads.
This prevents websites that use DNS-based load balancers from working unless the user reloads the firewall rules (which re-resolve the DNS names) whenever the balancer transfers her session to another IP.
Third, the initial setup of the rules is complicated as the firewall drops the connection silently.
As a workaround, one can use a browser's network console to see what is blocked, but this is time-consuming and one can easily miss some important cases like including sites for OCSP SSL certificate verification in the firewall white-list.
These drawbacks can be mitigated if one replaces iptable-based rules with a filtering HTTP proxy.
Tinyproxy has relatively simple code and a reasonable track record to allow to certain level of trust, but one cannot exclude bugs especially in the case of hostile proxy clients as this is a less tested scenario.
It is not advisable to use the proxy in a shared firewall VM against untrusted AppVMs to black-list some unwanted connections such as advertisement sites.
Still, for maximum safety, one should consider running a separate ProxyVM for each important AppVM.
In Qubes R4.0, one no longer creates ProxyVMs as such. However, the same is accomplished by choosing the `provides network` checkbox when creating an AppVM that will be used as a proxy.
As a counterpoint to this warning, it is important to note that an HTTP proxy decreases the attack surface of AppVMs.
For example, with a proxy the AppVM does not need to make direct DNS connections, so a bug in the kernel or in the browser in that area would not affect the AppVM.
Also, browsers typically avoid many of the latest and greatest HTTP features when connecting through proxies, minimizing exposure of new and unproven networking code.
1. After reading through the Warning section above, determine if you want to proceed with the following steps in either your default `sys-firewall` VM or in a newly created proxy VM.
If you decide to create a separate proxy VM,
* In R4.0, create a new AppVM with the `provides network` checkbox set.
* In R3.2, create a new ProxyVM.
Then, proceed with the following.
2. Copy this [archive] with the proxy control script, default tinyproxy config, and a sample filtering file into the proxy VM and unpack it in the `/rw/config` folder there as root:
The included config file refuses the connection unless the host is white-listed in the filtering file, so this can be altered if one prefers to black-list connections.
The attached archive includes a `social.10.137.2.13` file with rules for an AppVM allowing connections to Google, Facebook, Linkedin, Livejournal, Youtube, and few other other sites.
When editing the rules, remember to include a `$` at the end of the host name, and to prefix each dot in the host name with a backslash (like `\.`).
This way, the pattern matches the whole host and not just a prefix, and the dot is not interpreted as an instruction to match an arbitrary character according to regular expression syntax.
The update command starts proxy processes and adjusts the iptable rules to allow for proxy traffic for each running AppVM from the filtering files list.
The browser should either load it (if it was white-listed in the filtering file), or show a page generated by tinyproxy that the page was filtered out.
8. To make sure that the proxy is started automatically when the AppVM starts, change `/rw/config/qubes-firewall-user-script` to include the following line:
9. In Qubes VM manager, adjust the Firewall rules for each AppVM using a proxy.
In a typical case, when only the HTTP proxy should be permitted for outside connections:
* In R4.0, select "Limit outgoing Internet connections to..." and make sure the address list is empty.
* In R3.2, select "Deny network access except...", make sure the address list is empty, and then unselect the "Allow ICMP," "DNS", and "Update proxy" checkboxes.
