# sys-net

PCI handler of network devices in Qubes OS.

## Table of Contents

* [Description](#description)
* [Installation](#installation)
* [Access control](#access-control)
* [Usage](#usage)

## Description

Creates and configures qubes for handling the network devices. Qubes OS
provides the state "qvm.sys-net", but it will create only "sys-net", which can
be a disposable or not. This package takes a different approach: it will
create an AppVM "sys-net" and a DispVM "disp-sys-net".

By default, the chosen one is "disp-sys-net", but you can choose which qube
type becomes the upstream net qube "default_netvm" and the fallback target for
the "qubes.UpdatesProxy" service in case no rule matched before.

## Installation

Before installation, rename your current `sys-net` to another name such as
`sys-net-old`; the old qube will be used to install packages required for the
minimal template. After successfully installing and testing the new net qube's
capabilities, you can remove the old one. If you want the default net qube
back, just set the `sys-net` template to the full template you are using, such
as Debian or Fedora. Before starting, turn on the `default_netvm` and check
that DNS is working; after that, proceed with the installation.

* Top:

```sh
sudo qubesctl top.enable sys-net
sudo qubesctl --targets=tpl-sys-net state.apply
sudo qubesctl top.disable sys-net
sudo qubesctl state.apply sys-net.prefs-disp
```

* State:

<!-- pkg:begin:post-install -->

```sh
sudo qubesctl state.apply sys-net.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install
sudo qubesctl state.apply sys-net.prefs-disp
```

<!-- pkg:end:post-install -->

If you need to debug a net qube, install some helper tools:

```sh
sudo qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install-debug
```

If you prefer to have an app qube as the net qube:

```sh
sudo qubesctl state.apply sys-net.prefs
```

You might need to install some firmware on the template for your network
drivers. Check `files/admin/firmware.txt`.

## Access control

_Default policy_: every call is denied.

As every call is denied by default, you need to add rules to your Qrexec policy
for a call to occur. Some examples are shown below.

Qube `dev` can ask to connect to `github.com:22` from `disp-sys-net`:

```qrexecpolicy
qusal.ConnectTCP +github.com+22 dev @default ask target=disp-sys-net
qusal.ConnectTCP * dev @anyvm deny
```
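
To trace how the two rules above interact with the default-deny policy, the following is an added Python illustration (not qusal's or qrexec's own code). It models only the subset of qrexec policy syntax this README uses (service and argument, a plain source name or `@anyvm`, a target of a qube name, `@default` or `@anyvm`, and the `allow`/`ask`/`deny` actions with a `target=` parameter); the real `qrexec-policy` daemon handles much more (`@tag:`, `@type:`, `@dispvm`, `!include` directives), and the assumption that `@anyvm` in the target column also covers calls to `@default` is a simplification made here. Rule matching is first-match-wins, and a call that matches no rule falls through to the default policy and is denied.

```python
"""First-match evaluator for the subset of Qubes OS qrexec policy syntax used
in this README. Added illustration, not qusal's or qrexec's own code."""

from __future__ import annotations

from dataclasses import dataclass, field

# Constructed policy text: the two rules from this README plus a comment line.
POLICY_TEXT = """
# dev may ask to reach github.com:22, and only via disp-sys-net
qusal.ConnectTCP +github.com+22 dev @default ask target=disp-sys-net
qusal.ConnectTCP * dev @anyvm deny
"""


@dataclass(frozen=True)
class Rule:
    service: str                 # exact service name or "*"
    argument: str                # "*" (any argument) or "+<argument>"
    source: str                  # qube name or "@anyvm"
    target: str                  # qube name, "@default" or "@anyvm"
    action: str                  # "allow", "ask" or "deny"
    params: dict = field(default_factory=dict)
    lineno: int = 0


def parse_policy(text: str) -> list[Rule]:
    """Parse policy lines into Rule objects, rejecting anything malformed so a
    typo cannot silently become a rule with a different meaning."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {raw!r}")
        service, argument, source, target, action, *extra = fields
        if action not in ("allow", "ask", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if argument != "*" and not argument.startswith("+"):
            raise ValueError(f"line {lineno}: argument must be '*' or '+...'")
        params = {}
        for item in extra:
            key, sep, value = item.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: bad parameter {item!r}")
            params[key] = value
        # An allow rule for @default has nowhere to send the call without target=
        if action == "allow" and target == "@default" and "target" not in params:
            raise ValueError(f"line {lineno}: allow with @default needs target=")
        rules.append(Rule(service, argument, source, target, action, params, lineno))
    return rules


def _split_call(name: str) -> tuple[str, str]:
    """'qusal.ConnectTCP+github.com+22' -> ('qusal.ConnectTCP', 'github.com+22')."""
    service, _, argument = name.partition("+")
    return service, argument


def _match_target(pattern: str, intended: str) -> bool:
    # Simplification (assumption): "@anyvm" also covers calls aimed at "@default".
    return pattern == "@anyvm" or pattern == intended


def evaluate(rules: list[Rule], call: str, source: str,
             intended_target: str = "@default") -> tuple:
    """Return (action, resolved_target, matching_line). First match wins; a
    call matching no rule falls through to the default policy and is denied."""
    service, argument = _split_call(call)
    for rule in rules:
        if rule.service not in ("*", service):
            continue
        if rule.argument != "*" and rule.argument[1:] != argument:
            continue
        if rule.source not in ("@anyvm", source):
            continue
        if not _match_target(rule.target, intended_target):
            continue
        if rule.action == "deny":
            return ("deny", None, rule.lineno)
        # allow/ask: a target= parameter overrides the caller's intended target
        return (rule.action, rule.params.get("target", intended_target), rule.lineno)
    return ("deny", None, None)


RULES = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for call, src, tgt in [
        ("qusal.ConnectTCP+github.com+22", "dev", "@default"),
        ("qusal.ConnectTCP+example.org+443", "dev", "@default"),
        ("qusal.ConnectTCP+github.com+22", "dev", "sys-net"),
        ("qusal.ConnectTCP+github.com+22", "work", "@default"),
    ]:
        print(f"{src:>5} -> {tgt:<9} {call:<34} => {evaluate(RULES, call, src, tgt)}")
```

Running it shows the three outcomes a policy author should check: `dev` asking for `github.com:22` reaches the `ask` rule with `disp-sys-net` as the target, any other argument from `dev` (or a call from `dev` aimed explicitly at `sys-net` rather than `@default`) is caught by the explicit `deny` line, and a qube such as `work` that no rule mentions is denied by the default policy without matching anything.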

## Usage

A network manager is provided in `sys-net`; from there you can manage Wi-Fi
or Ethernet cable connections. You can also use it for network monitoring. It
should not be relied on to hold firewall rules for other qubes; use
`sys-firewall`, `sys-pihole` or `sys-mirage-firewall` for that purpose.