From 8bddb2331dfcf072801ebab2d03bd69b136f5aeb Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 1 Jan 2013 12:26:47 +0000 Subject: [PATCH] QubesFirewall changed Qubes firewall description improvements --- QubesFirewall.md | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/QubesFirewall.md b/QubesFirewall.md index 49c9d573..2348e3fc 100644 --- a/QubesFirewall.md +++ b/QubesFirewall.md 
@@ -4,22 +4,26 @@ title: QubesFirewall permalink: /wiki/QubesFirewall/ --- -Using Quebes Firewall -===================== - -How to edit rules ------------------ - -In order to edit rules for a given domain, select this domain in the Qubes Manager and press the "policeman's helmet" button. - -See the screenshot [​here](http://www.qubes-os.org/files/screenshots/release-1-beta-1/snapshot25.png). - -Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment of applying the rules*, and not on the fly for each new connection. This means it will not work for serves using load balancing. More on this in the message quoted below. +Understanding Qubes networking and firewall +=========================================== Understanding firewalling in Qubes ---------------------------------- -For now, see this message: +Every AppVM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed. + +For more information, see the following: - [​https://groups.google.com/group/qubes-devel/browse\_thread/thread/9e231b0e14bf9d62](https://groups.google.com/group/qubes-devel/browse_thread/thread/9e231b0e14bf9d62) +- [​http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html](http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html) +How to edit rules +----------------- + +In order to edit rules for a given domain, select this domain in the Qubes Manager and press the "firewall" button: + +[Screenshot] + +Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment of applying the rules*, and not on the fly for each new connection. This means it will not work for serves using load balancing. More on this in the message quoted below. + +Alternatively, one can use the `qvm-firewall` command from Dom0 to edit the firewall rules by hand:
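Review bot: The last added line, "Alternatively, one can use the `qvm-firewall` command from Dom0 to edit the firewall rules by hand:", ends in a colon but nothing follows it in this hunk, so the page stops mid-thought; either add the command usage it promises or end the sentence with a period. In the re-added DNS note, "More on this in the message quoted below" is now stale, because the qubes-devel link has moved above "How to edit rules" into the "Understanding firewalling in Qubes" section; point it at that section instead. The same note carries over the typo "serves" (should be "servers"), and since the note describes rules being pinned to the IPs resolved when they were applied, it is worth getting the wording right while the line is being touched. The new "How to edit rules" heading is added directly after the blogspot list item with no blank line between them, which can make the heading text render as part of the list item; add an empty line before it. Minor: "By default there is one default Firewall VM" repeats "default" and uses "Firewall VM" where the previous sentence uses "FirewallVM"; pick one spelling.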