qusal/salt/sys-firewall/README.md

# sys-firewall

Firewall in Qubes OS.

## Table of Contents

*   [Description](#description)
*   [Installation](#installation)
*   [Usage](#usage)

## Description

Creates firewall qube, an App qube "sys-firewall" and a Disposable qube
"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm",
the "clockvm" and the "default_netvm".

If you want an easy to configure firewall with ad blocking, checkout
sys-pihole instead.

## Installation

Before installation, rename your current `sys-firewall` to another name such
as `sys-firewall-old`, the old qube will be used to install packages required
for the minimal template. After successful installation and testing the new
net qube capabilities, you can remove the old one. If you want the default net
qube back, just set `sys-firewall` template to the full template you are
using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old`
or yours `default_netvm` and check if DNS is working, after that, proceed with
the installation.

*   Top:

```sh
sudo qubesctl top.enable sys-firewall
sudo qubesctl --targets=tpl-sys-firewall state.apply
sudo qubesctl top.disable sys-firewall
sudo qubesctl state.apply sys-firewall.prefs-disp
```

*   State:

<!-- pkg:begin:post-install -->

```sh
sudo qubesctl state.apply sys-firewall.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install
sudo qubesctl state.apply sys-firewall.prefs-disp
```

<!-- pkg:end:post-install -->

Alternatively, if you prefer to have an app qube as the firewall:

```sh
sudo qubesctl state.apply sys-firewall.prefs
```

## Usage

You should use this qube for handling updates and firewall downstream/client
qubes, in other words, enforce network policy to qubes that have
`sys-firewall` as its `netvm`. Read [upstream firewall
documentation](https://www.qubes-os.org/doc/firewall/).
refactor: initial commit 2023-11-13 09:33:28 -05:00			`# sys-firewall`

			`Firewall in Qubes OS.`

			`## Table of Contents`

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* [Description](#description)`
			`* [Installation](#installation)`
			`* [Usage](#usage)`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`## Description`

			`Creates firewall qube, an App qube "sys-firewall" and a Disposable qube`
feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm",`
			`the "clockvm" and the "default_netvm".`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`If you want an easy to configure firewall with ad blocking, checkout`
			`sys-pihole instead.`

			`## Installation`

feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			Before installation, rename your current `sys-firewall` to another name such
			as `sys-firewall-old`, the old qube will be used to install packages required
			`for the minimal template. After successful installation and testing the new`
			`net qube capabilities, you can remove the old one. If you want the default net`
			qube back, just set `sys-firewall` template to the full template you are
			using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old`
			or yours `default_netvm` and check if DNS is working, after that, proceed with
			`the installation.`

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* Top:`

refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl top.enable sys-firewall`
			`sudo qubesctl --targets=tpl-sys-firewall state.apply`
			`sudo qubesctl top.disable sys-firewall`
			`sudo qubesctl state.apply sys-firewall.prefs-disp`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```

doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00			`* State:`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`<!-- pkg:begin:post-install -->`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl state.apply sys-firewall.create`
			`sudo qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install`
			`sudo qubesctl state.apply sys-firewall.prefs-disp`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			`<!-- pkg:end:post-install -->`

feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`Alternatively, if you prefer to have an app qube as the firewall:`
doc: lint markdown files Only way to have a unified markdown syntax is to enforce the wanted syntax by linting the files. Don't rely on the many markdown syntaxes, be consistent. 2024-07-04 11:10:11 -04:00
refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
doc: prefix qubesctl with sudo Fixes: https://github.com/ben-grande/qusal/issues/20 2024-02-23 10:54:35 -05:00			`sudo qubesctl state.apply sys-firewall.prefs`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```

			`## Usage`

			`You should use this qube for handling updates and firewall downstream/client`
			`qubes, in other words, enforce network policy to qubes that have`
			`sys-firewall` as its `netvm`. Read [upstream firewall
			`documentation](https://www.qubes-os.org/doc/firewall/).`