Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-13 16:29:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '3hhh-patch-1'

Browse Source
This commit is contained in:
Andrew David Wong 2018-03-19 19:47:09 -05:00
commit 90c58a11fc
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
security/firewall.md
View File

@ -99,6 +99,21 @@ default Qubes installation):
` qvm-prefs sys-firewall -s netvm sys-net ` ` qvm-prefs sys-firewall -s netvm sys-net `
Network service qubes
--------------------------------------
Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, ...) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons. In particular if one wants to ensure proper functioning of the Qubes firewall one should not not tinker with iptables or nftables rules in such qubes.
Instead, one should deploy a network infrastructure such as
~~~
sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes]
~~~
Thereby sys-firewall-1 is only needed if one has client qubes connected there as well or wants to manage the traffic of the local network service qube. The sys-firewall-2 proxy ensures that:
1. Firewall changes done in the network service qube cannot render the Qubes firewall ineffective.
1. Changes to the Qubes firewall by the Qubes maintainers cannot lead to unwanted information leakage in combination with user rules deployed in the network service qube.
1. A compromise of the network service qube does not compromise the Qubes firewall.
For the VPN service please also have a look at the [VPN documentation](/doc/vpn).
Enabling networking between two qubes Enabling networking between two qubes
-------------------------------------- --------------------------------------