qusal/salt/sys-firewall
Ben Grande a564b3a703
feat: add TCP proxy for remote hosts
Ideally, it would be a Qrexec socket service, but it doesn't handle DNS,
only accepting IPs. The dev qube is now non-networked and network,
especially to remote git repositories, can be acquired via the proxy that
is going to be installed in every netvm.
2024-06-13 18:01:08 +02:00
clone.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls fix: remove extraneous package repository updates 2024-03-18 17:51:36 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls feat: add TCP proxy for remote hosts 2024-06-13 18:01:08 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs-disp.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs-disp.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: prefix qubesctl with sudo 2024-02-23 16:55:11 +01:00

sys-firewall

Firewall in Qubes OS.

Description

Creates the firewall qubes: an app qube "sys-firewall" and a disposable qube "disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm", the "clockvm" and the "default_netvm".

If you want an easy-to-configure firewall with ad blocking, check out sys-pihole instead.

Installation

Before installation, rename your current sys-firewall to another name such as sys-firewall-old. The old qube will be used to install the packages required for the minimal template. After successful installation and testing of the new net qube's capabilities, you can remove the old one. If you want the default net qube back, just set the sys-firewall template to the full template you are using, such as Debian or Fedora. Before starting, turn on sys-firewall-old or your default_netvm and check that DNS is working, then proceed with the installation.

  • Top:
sudo qubesctl top.enable sys-firewall
sudo qubesctl --targets=tpl-sys-firewall state.apply
sudo qubesctl top.disable sys-firewall
sudo qubesctl state.apply sys-firewall.prefs-disp
  • State:
sudo qubesctl state.apply sys-firewall.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install
sudo qubesctl state.apply sys-firewall.prefs-disp

Alternatively, if you prefer to have an app qube as the firewall:

sudo qubesctl state.apply sys-firewall.prefs

Usage

Use this qube for handling updates and for firewalling downstream (client) qubes; in other words, to enforce network policy on qubes that have sys-firewall as their netvm. Read the upstream firewall documentation.