mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-26 15:59:24 -05:00
Change "/doc/qubes-firewall/" to "/doc/firewall/"
This commit is contained in:
parent
33bd4950f2
commit
2d07f7831c
@ -541,6 +541,6 @@ Usage: add this line to `/etc/apt/sources.list` on test machine (adjust host and
|
||||
deb http://local-test.lan/linux-deb/r3.1 jessie-unstable main
|
||||
~~~
|
||||
|
||||
[port-forwarding]: /doc/qubes-firewall/#port-forwarding-to-a-qube-from-the-outside-world
|
||||
[port-forwarding]: /doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
|
||||
[linux-yum]: https://github.com/QubesOS/qubes-linux-yum
|
||||
[linux-deb]: https://github.com/QubesOS/qubes-linux-deb
|
||||
|
@ -99,7 +99,7 @@ As the template VM is used for creating filesystems for other AppVMs, where you
|
||||
|
||||
There are several ways to deal with this problem:
|
||||
|
||||
- Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and as we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/qubes-firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
|
||||
- Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and as we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
|
||||
|
||||
- Use *standalone VMs* (see below) for installation of untrusted software packages.
|
||||
|
||||
@ -109,7 +109,7 @@ Some popular questions:
|
||||
|
||||
- So, why should we actually trust Fedora repos -- it also contains large amount of 3rd party software that might buggy, right?
|
||||
|
||||
As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/qubes-firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
|
||||
As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
|
||||
|
||||
- But why trusting Fedora?
|
||||
|
||||
|
2
doc.md
2
doc.md
@ -101,7 +101,7 @@ Security Guides
|
||||
|
||||
* [Qubes OS Project Security Information](/security/)
|
||||
* [Security Guidelines](/doc/security-guidelines/)
|
||||
* [Understanding Qubes Firewall](/doc/qubes-firewall/)
|
||||
* [Understanding Qubes Firewall](/doc/firewall/)
|
||||
* [Understanding and Preventing Data Leaks](/doc/data-leaks/)
|
||||
* [Installing Anti Evil Maid](/doc/anti-evil-maid/)
|
||||
* [Using Multi-factor Authentication with Qubes](/doc/multifactor-authentication/)
|
||||
|
@ -58,7 +58,7 @@ As expected, the required packages are to be installed in the running template w
|
||||
Use case | Description | Required steps
|
||||
--- | --- | ---
|
||||
**Standard utilities** | If you need the commonly used utilities | Install the following packages: `pciutils` `vim-minimal` `less` `psmisc` `gnome-keyring`
|
||||
**FirewallVM** | You can use the minimal template as a [FirewallVM](/doc/qubes-firewall/), such as the basis template for `sys-firewall` | No extra packages are needed for the template to work as a firewall.
|
||||
**FirewallVM** | You can use the minimal template as a [FirewallVM](/doc/firewall/), such as the basis template for `sys-firewall` | No extra packages are needed for the template to work as a firewall.
|
||||
**NetVM** | You can use this template as the basis for a NetVM such as `sys-net` | Install the following packages: `NetworkManager` `NetworkManager-wifi` `network-manager-applet` `wireless-tools` `dbus-x11 dejavu-sans-fonts` `tinyproxy`.
|
||||
**NetVM (extra firmware)** | If your network devices need extra packages for the template to work as a network VM | Use the `lspci` command to identify the devices, then run `dnf search firmware` (replace `firmware` with the appropriate device identifier) to find the needed packages and then install them.
|
||||
**Network utilities** | If you need utilities for debugging and analyzing network connections | Install the following packages: `tcpdump` `telnet` `nmap` `nmap-ncat`
|
||||
|
@ -14,7 +14,7 @@ Understanding and Preventing Data Leaks
|
||||
The Role of the Firewall
|
||||
------------------------
|
||||
|
||||
**[Firewalling in Qubes](/doc/qubes-firewall/) is not intended to be a leak-prevention mechanism.**
|
||||
**[Firewalling in Qubes](/doc/firewall/) is not intended to be a leak-prevention mechanism.**
|
||||
|
||||
There are several reasons for this, which will be explained below. However, the main reason is that Qubes cannot prevent an attacker who has compromised one AppVM (with restrictive firewall rules) from leaking data via cooperative covert channels through a different AppVM (with sufficiently nonrestrictive firewall rules, if any) which the attacker has also compromised.
|
||||
|
||||
|
@ -1,9 +1,10 @@
|
||||
---
|
||||
layout: doc
|
||||
title: Qubes Firewall
|
||||
permalink: /doc/qubes-firewall/
|
||||
title: The Qubes Firewall
|
||||
permalink: /doc/firewall/
|
||||
redirect_from:
|
||||
- /en/doc/qubes-firewall/
|
||||
- /doc/firewall/
|
||||
- /en/doc/firewall/
|
||||
- /doc/QubesFirewall/
|
||||
- /wiki/QubesFirewall/
|
||||
---
|
Loading…
Reference in New Issue
Block a user