Update firewall.md - Network service qubes

This commit is contained in:
3hhh 2018-03-13 21:25:59 +01:00 committed by GitHub
parent d3eb5cf5d2
commit 54613766a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -99,6 +99,21 @@ default Qubes installation):
` qvm-prefs sys-firewall -s netvm sys-net ` ` qvm-prefs sys-firewall -s netvm sys-net `
Network service qubes
--------------------------------------
Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, ...) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) and will never do so for good reasons. In particular if one wants to ensure proper functioning of the Qubes firewall one should not not tinker with iptables or nftables rules in such qubes.
Instead, one should deploy a network infrastructure such as
~~~
sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes]
~~~
Thereby sys-firewall-1 is only needed if one has client qubes connected there as well or wants to manage the traffic of the local network service qube. The sys-firewall-2 proxy ensures that:
1. Firewall changes done in the network service qube cannot render the Qubes firewall ineffective.
1. Changes to the Qubes firewall by the Qubes maintainers cannot lead to unwanted information leakage in combination with user rules deployed in the network service qube.
1. A compromise of the network service qube does not compromise the Qubes firewall.
For the VPN service please also have a look at the [VPN documentation](/doc/vpn).
Enabling networking between two qubes Enabling networking between two qubes
-------------------------------------- --------------------------------------