
Add support for Qubes firewall profiles/rulesets

Open apparatius opened this issue 9 months ago • 2 comments

The problem you're addressing (if any)

It's a common situation where you'll have multiple qubes that should have the same firewall rules. For example:

  • allow local connections and block all other connections
  • block local connections and allow all other connections

Right now we have two options:

  1. Set firewall rules for each qube separately.
sys-net
└─sys-firewall
  └─vm1 (rules: no lan)
  └─vm2 (rules: no lan)
  └─vm3 (rules: no lan)
  └─vm6 (rules: only lan)
  └─vm7 (rules: only lan)

This way you can have a single sys-firewall that enforces the rules for all qubes. But if you need to change the firewall rules later, e.g. to add another local subnet to the allowed connections, you have to manually edit every qube's firewall rules to add this change. This is cumbersome.

  2. Add a second sys-firewall qube that will be used to set the common firewall rules for all the qubes connected to it.
sys-net
└─sys-firewall
  └─sys-firewall-no-lan
    └─vm1
    └─vm2
    └─vm3
  └─sys-firewall-only-lan
    └─vm4
    └─vm5

This way you'll have two sys-firewall qubes, so it will consume more system resources compared with the first option. But this way editing the firewall rules will be more convenient.

The solution you'd like

I suggest adding a feature to the Qubes firewall so that it is possible to create profiles/rulesets and use them to set a qube's firewall rules. E.g. create a profile allow-lan-ruleset with these rules:

NO  ACTION  HOST            PROTOCOL  PORT(S)  SPECIAL TARGET    ICMP TYPE  EXPIRE  COMMENT
0   accept  192.168.1.0/24  -         -        -                 -          -       -
1   drop    -               -         -        -                 -          -       -

And then select this profile for the qube to use. This way you can edit this profile later and the changes will be propagated to all the qubes automatically.

Maybe also consider not only selecting a firewall rules profile for a qube, but also using these rulesets as parts of a qube's firewall rules, e.g. to be able to set a qube's firewall rules to:

NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET     ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32  udp       12345    -                  -          -       -
1   import  -           -         -        github-ruleset     -          -       import rules to allow connections to github
2   import  -           -         -        allow-lan-ruleset  -          -       import rules to allow connections to LAN
3   drop    -           -         -        -                  -          -       -

The value to a user, and who that user might be

Users can manage the qubes' firewall rules more easily and flexibly. Related forum topic: https://forum.qubes-os.org/t/chaining-sys-firewalls-vs-duplicating-firewalling-rules-on-many-qubes/26351

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

apparatius avatar May 09 '24 20:05 apparatius
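The following is an added example, not code from the issue author or from Qubes OS: Qubes has no `import` action and no named rulesets today, so the `Rule`/profile classes, the `import`-via-`specialtarget` convention, the resolution order and the sample rules below are all assumptions about how the proposal above could behave. It flattens a qube's rule list by inlining the referenced profiles (carrying the import rule's comment onto the inlined rules so `qvm-firewall` output would still show where each rule came from), rejects cyclic or unknown imports, and flags rules that become unreachable after inlining. That last check matters for the tables in the issue: `allow-lan-ruleset` ends with a catch-all `drop`, so once it is imported in the middle of a qube's list every rule after it, including the qube's own final `drop`, can never match. Rendering uses the `key=value` line format this example assumes the Admin API speaks (e.g. `action=accept dsthost=192.168.1.0/24`).

```python
"""Prototype resolver for the proposed Qubes firewall profiles/rulesets.

Added example, not Qubes OS code. Assumptions: an 'import' action whose
ruleset name travels in the SPECIAL TARGET column, and the key=value line
rendering used by the Admin API for firewall rules.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # accept | drop | import (proposed)
    proto: Optional[str] = None
    dsthost: Optional[str] = None
    dstports: Optional[str] = None
    specialtarget: Optional[str] = None  # ruleset name when action == "import"
    comment: Optional[str] = None

    def is_catch_all(self) -> bool:
        """A terminal accept/drop with no match criteria ends evaluation."""
        return self.action in ("accept", "drop") and all(
            v is None for v in (self.proto, self.dsthost, self.dstports, self.specialtarget)
        )

    def to_line(self) -> str:
        """Render as 'action=... proto=... dsthost=... dstports=... comment=...'
        (assumed key=value format; comment rendered last as it may contain spaces)."""
        parts = [f"action={self.action}"]
        for key in ("proto", "dsthost", "dstports", "specialtarget"):
            value = getattr(self, key)
            if value is not None:
                parts.append(f"{key}={value}")
        if self.comment is not None:
            parts.append(f"comment={self.comment}")
        return " ".join(parts)


Profiles = Dict[str, List[Rule]]


def resolve(rules: List[Rule], profiles: Profiles, _stack: Tuple[str, ...] = ()) -> List[Rule]:
    """Inline every 'import' rule in order; profiles may import other profiles.
    _stack tracks the chain of rulesets being expanded so cycles are refused."""
    flat: List[Rule] = []
    for rule in rules:
        if rule.action != "import":
            flat.append(rule)
            continue
        name = rule.specialtarget
        if name is None:
            raise ValueError("import rule needs a ruleset name in specialtarget")
        if name in _stack:
            raise ValueError("ruleset import cycle: " + " -> ".join(_stack + (name,)))
        if name not in profiles:
            raise KeyError(f"unknown ruleset {name!r}")
        for inlined in resolve(profiles[name], profiles, _stack + (name,)):
            # Keep provenance: inlined rules without their own comment inherit the import's.
            flat.append(replace(inlined, comment=inlined.comment or rule.comment))
    return flat


def unreachable(rules: List[Rule]) -> List[int]:
    """Indices of rules that sit after the first catch-all and can never match."""
    for i, rule in enumerate(rules):
        if rule.is_catch_all():
            return list(range(i + 1, len(rules)))
    return []


def resolve_all(qubes: Dict[str, List[Rule]], profiles: Profiles) -> Dict[str, List[str]]:
    """Flatten every qube's rules against the shared profiles; editing a profile
    once changes the result for every qube that imports it."""
    return {name: [r.to_line() for r in resolve(rules, profiles)] for name, rules in qubes.items()}


# Constructed sample data mirroring the tables in the issue (not real qube config).
PROFILES: Profiles = {
    "allow-lan-ruleset": [Rule("accept", dsthost="192.168.1.0/24"), Rule("drop")],
    "github-ruleset": [Rule("accept", proto="tcp", dsthost="github.com", dstports="443")],
}
QUBES: Dict[str, List[Rule]] = {
    "vm1": [Rule("import", specialtarget="allow-lan-ruleset")],
    "vm2": [
        Rule("accept", proto="udp", dsthost="1.2.3.4/32", dstports="12345"),
        Rule("import", specialtarget="github-ruleset", comment="allow connections to github"),
        Rule("import", specialtarget="allow-lan-ruleset", comment="allow connections to LAN"),
        Rule("drop"),
    ],
}

if __name__ == "__main__":
    for qube, lines in resolve_all(QUBES, PROFILES).items():
        print(qube)
        for n, line in enumerate(lines):
            print(f"  {n}  {line}")
        dead = unreachable(resolve(QUBES[qube], PROFILES))
        if dead:
            print(f"  warning: rules {dead} are unreachable after inlining")
```

In dom0 the flattened per-qube lists are what you would hand to `qvm-firewall` or to `qubesadmin`'s `vm.firewall.rules` for each qube; that step is left out so the example runs offline. The `unreachable` warning is the practical caveat for the "import as part of a qube's rules" variant: a shared profile should normally not end in a catch-all if it is meant to be composed with other rules.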