qusal/salt/sys-net
Ben Grande eb3a8ab324
feat: install Qusal TCP Proxy on updatevm's origin
Document qusal.ConnectTCP in dev's Access Control as it defaults to deny
and causes confusion to users why it doesn't work by default.  This is
an exception of the rule that a formula cannot document the RPC service
of another formula to avoid duplication.
2024-06-26 12:24:56 +02:00
..
files feat: install Qusal TCP Proxy on updatevm's origin 2024-06-26 12:24:56 +02:00
clone.sls chore: copyright update 2024-01-29 16:49:54 +01:00
clone.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls feat: install Qusal TCP Proxy on updatevm's origin 2024-06-26 12:24:56 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-debug.sls fix: install libpci by default on sys-net 2024-05-02 19:33:32 +02:00
install-debug.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install-proxy.sls feat: add TCP proxy for remote hosts 2024-06-13 18:01:08 +02:00
install-proxy.top feat: add TCP proxy for remote hosts 2024-06-13 18:01:08 +02:00
install.sls feat: add TCP proxy for remote hosts 2024-06-13 18:01:08 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs-disp.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs-disp.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: qusal proxy service requires configuration 2024-06-17 21:46:21 +02:00
show-updatevm-origin.sls feat: install Qusal TCP Proxy on updatevm's origin 2024-06-26 12:24:56 +02:00
show-updatevm-origin.top feat: install Qusal TCP Proxy on updatevm's origin 2024-06-26 12:24:56 +02:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

sys-net

PCI handler of network devices in Qubes OS.

Table of Contents

Description

Creates and configure qubes for handling the network devices. Qubes OS provides the state "qvm.sys-net", but it will create only "sys-net", which can be a disposable or not. This package takes a different approach, it will create an AppVM "sys-net" and a DispVM "disp-sys-net".

By default, the chosen one is "disp-sys-net", but you can choose which qube type becomes the upstream net qube "default_netvm" and the fallback target for the "qubes.UpdatesProxy" service in case no rule matched before.

Installation

Before installation, rename your current sys-net to another name such as sys-net-old, the old qube will be used to install packages required for the minimal template. After successful installation and testing the new net qube capabilities, you can remove the old one. If you want the default net qube back, just set sys-net template to the full template you are using, such as Debian or Fedora. Before starting, turn on the default_netvm and check if DNS is working, after that, proceed with the installation.

  • Top:
sudo qubesctl top.enable sys-net
sudo qubesctl --targets=tpl-sys-net state.apply
sudo qubesctl top.disable sys-net
sudo qubesctl state.apply sys-net.prefs-disp
  • State:
sudo qubesctl state.apply sys-net.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install
sudo qubesctl state.apply sys-net.prefs-disp

If you need to debug a net qube, install some helper tools:

sudo qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install-debug

If you prefer to have an app qube as the net qube:

sudo qubesctl state.apply sys-net.prefs

You might need to install some firmware on the template for your network drivers. Check files/admin/firmware.txt.

Access control

Default policy: every call is denied.

As every call is denied by default, you need to add rules to you Qrexec policy for a call to occur. Some examples are represented below.

Qube dev can ask to connect to github.com:22 from disp-sys-net:

qusal.ConnectTCP +github.com+22 dev @default ask target=disp-sys-net
qusal.ConnectTCP *              dev @anyvm   deny

Usage

A network manager is provided in sys-net, from there you can manager Wi-Fi or Ethernet cable connections. You can also use it for network monitoring. It should be relied on to hold firewall rules for other qubes, use sys-firewall, sys-pihole or sys-mirage-firewall for that purpose.