Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-28 00:39:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'unman-patch-1'

Browse Source
This commit is contained in:
Andrew David Wong 2019-03-09 15:55:30 -06:00
commit 6e598e4136
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
security/firewall.md
View File

@ -102,18 +102,20 @@ default Qubes installation):
Network service qubes Network service qubes
-------------------------------------- --------------------------------------
Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, ...) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons. In particular if one wants to ensure proper functioning of the Qubes firewall one should not not tinker with iptables or nftables rules in such qubes. Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, ...) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons.
In particular, if one wants to ensure proper functioning of the Qubes firewall, one should not tinker with iptables or nftables rules in such qubes.
Instead, one should deploy a network infrastructure such as Instead, one should deploy a network infrastructure such as
~~~ ~~~
sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes] sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes]
~~~ ~~~
Thereby sys-firewall-1 is only needed if one has client qubes connected there as well or wants to manage the traffic of the local network service qube. The sys-firewall-2 proxy ensures that: Thereby sys-firewall-1 is only needed if one has client qubes connected there as well or wants to manage the traffic of the local network service qube.
The sys-firewall-2 proxy ensures that:
1. Firewall changes done in the network service qube cannot render the Qubes firewall ineffective. 1. Firewall changes done in the network service qube cannot render the Qubes firewall ineffective.
1. Changes to the Qubes firewall by the Qubes maintainers cannot lead to unwanted information leakage in combination with user rules deployed in the network service qube. 2. Changes to the Qubes firewall by the Qubes maintainers cannot lead to unwanted information leakage in combination with user rules deployed in the network service qube.
1. A compromise of the network service qube does not compromise the Qubes firewall. 3. A compromise of the network service qube does not compromise the Qubes firewall.
For the VPN service please also have a look at the [VPN documentation](/doc/vpn). For the VPN service please also look at the [VPN documentation](/doc/vpn).
Enabling networking between two qubes Enabling networking between two qubes
-------------------------------------- --------------------------------------