qusal/salt/sys-firewall/README.md

# sys-firewall

Firewall in Qubes OS.

## Table of Contents

* [Description](#description)
* [Installation](#installation)
* [Usage](#usage)

## Description

Creates firewall qube, an App qube "sys-firewall" and a Disposable qube
"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm",
the "clockvm" and the "default_netvm".

If you want an easy to configure firewall with ad blocking, checkout
sys-pihole instead.

## Installation

Before installation, rename your current `sys-firewall` to another name such
as `sys-firewall-old`, the old qube will be used to install packages required
for the minimal template. After successful installation and testing the new
net qube capabilities, you can remove the old one. If you want the default net
qube back, just set `sys-firewall` template to the full template you are
using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old`
or yours `default_netvm` and check if DNS is working, after that, proceed with
the installation.

- Top:
```sh
qubesctl top.enable sys-firewall
qubesctl --targets=tpl-sys-firewall state.apply
qubesctl top.disable sys-firewall
qubesctl state.apply sys-firewall.prefs-disp
```

- State:
<!-- pkg:begin:post-install -->
```sh
qubesctl state.apply sys-firewall.create
qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install
qubesctl state.apply sys-firewall.prefs-disp
```
<!-- pkg:end:post-install -->

Alternatively, if you prefer to have an app qube as the firewall:
```sh
qubesctl state.apply sys-firewall.prefs
```

## Usage

You should use this qube for handling updates and firewall downstream/client
qubes, in other words, enforce network policy to qubes that have
`sys-firewall` as its `netvm`. Read [upstream firewall
documentation](https://www.qubes-os.org/doc/firewall/).
refactor: initial commit 2023-11-13 09:33:28 -05:00			`# sys-firewall`

			`Firewall in Qubes OS.`

			`## Table of Contents`

			`* [Description](#description)`
			`* [Installation](#installation)`
			`* [Usage](#usage)`

			`## Description`

			`Creates firewall qube, an App qube "sys-firewall" and a Disposable qube`
feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm",`
			`the "clockvm" and the "default_netvm".`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`If you want an easy to configure firewall with ad blocking, checkout`
			`sys-pihole instead.`

			`## Installation`

feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			Before installation, rename your current `sys-firewall` to another name such
			as `sys-firewall-old`, the old qube will be used to install packages required
			`for the minimal template. After successful installation and testing the new`
			`net qube capabilities, you can remove the old one. If you want the default net`
			qube back, just set `sys-firewall` template to the full template you are
			using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old`
			or yours `default_netvm` and check if DNS is working, after that, proceed with
			`the installation.`

refactor: initial commit 2023-11-13 09:33:28 -05:00			`- Top:`
			```sh
			`qubesctl top.enable sys-firewall`
			`qubesctl --targets=tpl-sys-firewall state.apply`
			`qubesctl top.disable sys-firewall`
feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`qubesctl state.apply sys-firewall.prefs-disp`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```

			`- State:`
			`<!-- pkg:begin:post-install -->`
			```sh
			`qubesctl state.apply sys-firewall.create`
			`qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install`
feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`qubesctl state.apply sys-firewall.prefs-disp`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```
			`<!-- pkg:end:post-install -->`

feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`Alternatively, if you prefer to have an app qube as the firewall:`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```sh
feat: default to disposable netvm - Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager. 2024-01-04 15:59:15 -05:00			`qubesctl state.apply sys-firewall.prefs`
refactor: initial commit 2023-11-13 09:33:28 -05:00			```

			`## Usage`

			`You should use this qube for handling updates and firewall downstream/client`
			`qubes, in other words, enforce network policy to qubes that have`
			`sys-firewall` as its `netvm`. Read [upstream firewall
			`documentation](https://www.qubes-os.org/doc/firewall/).`