Is it just my machine or sys-net vm by default, has an INPUT accept iptables rule for port 8082?


Sphere

Apr 7, 2019, 11:20:42 PM4/7/19
to qubes-users
So I was doing some security checks on a whim in my Qubes machine when I stumbled upon the discovery that the INPUT chain of iptables in my net VM has a rule accepting all TCP connections to port 8082 coming from anywhere.

I checked my other VMs and discovered that they didn't have this rule, and that despite deleting the rule, whenever I disconnect the laptop from the wifi and reconnect it, the rule gets added back.

So I thought about doing something to make permanent/persistent changes to these iptables rules, unless there is a good reason why port 8082 has to be open for the net VM.

I would also like to ask where I should make changes to make iptables rules persistent: in the net VM or the template VM?

haaber

Apr 7, 2019, 11:35:53 PM4/7/19
to qubes...@googlegroups.com
> So I was doing some security checks on a whim in my Qubes machine when I stumbled upon the discovery that the INPUT chain of iptables in my net VM has a rule accepting all TCP connections to port 8082 coming from anywhere.

I checked and confirm the same line in my sys-net:

-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT

I cannot offer insightful help at the moment. To permanently change the
iptables, you might find clues in the qubes-firewall documentation.
Otherwise, searching a bit I got here
https://github.com/QubesOS/qubes-issues/issues/3201 the impression that
this port is used for non-torified Qubes updates proxy. Do update
mechanisms still work (the torified && non-torified one) if you remove
the line manually?

Sphere

Apr 8, 2019, 1:25:54 AM4/8/19
to qubes-users
@haaber, thank you for your response and the information provided to my inquiry.
Unfortunately I have already performed a full update of VMs before I discovered this, but I will check up on this through an update/install whenever I'm free from my work, in order to provide an update about this.

unman

Apr 8, 2019, 8:16:21 AM4/8/19
to qubes...@googlegroups.com
It is indeed part of updates-proxy, which I assume you have enabled in
sys-net.
Sphere reports the rule allowing "coming from anywhere" - if this is so
then they must override the default - as haaber reports, the default rule
allows traffic originating from the vif+ interfaces.
I guess this is a hangover from 3.2, as templates now use qubes-rpc,
but it does allow you to use proxy settings in your qubes and perform
package updates/installs.

Sphere

Apr 9, 2019, 9:59:14 PM4/9/19
to qubes-users
So I tried removing the rule today and attempted to do a TemplateVM update.
Oddly enough, it updates just fine, and my setting on qubes-rpc for TemplateVM updates is set to my sys-net VM.

Unless this is because I had already done an update without removing the iptables rule first, which caused a complete sync of repository metadata.
Thus, when I removed the rule and did an update again, there were no problems because the metadata had already been synced. Or do you think this hypothesis is wrong?

About that, sorry, I forgot to specify which interface it was. By "anywhere" I meant that any source IP address would be permitted to connect to port 8082, but as for the interface, it's definitely vif+.

Welp, I suppose I'll do more testing in the following days before concluding that it's safe to permanently remove it from the iptables rules, since it doesn't break my updating of TemplateVMs.

I'll just leave this iptables command here for reference:
sudo iptables --insert INPUT 1 -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
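Added example, not from anyone in this thread: a small POSIX shell audit that reads an iptables-save dump and reports whether the INPUT rule for the updates-proxy port 8082 is restricted to the vif+ interfaces (the default haaber and unman describe), has no interface restriction at all, or is absent. The two dumps below are constructed samples; on a live sys-net you would feed it the output of `sudo iptables-save -t filter`.

```shell
#!/bin/sh
# Audit helper for the sys-net updates-proxy rule (added example).
# Classifies the INPUT rule that ACCEPTs TCP port 8082 as:
#   vif-only       -i vif+ present (default: only VM-facing interfaces)
#   any-interface  no -i restriction, so the upstream (wifi) side is exposed too
#   absent         no matching rule at all

# Constructed iptables-save excerpt shaped like the default sys-net rule.
SAMPLE_DEFAULT='*filter
:INPUT DROP [0:0]
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed excerpt where the rule has lost its interface restriction.
SAMPLE_OPEN='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
COMMIT'

# classify_8082 <iptables-save text>
# Prints vif-only, any-interface or absent for the first matching INPUT rule.
classify_8082() {
    rule=$(printf '%s\n' "$1" \
        | grep -E '^-A INPUT .*--dport 8082 .*-j ACCEPT' \
        | head -n 1)
    if [ -z "$rule" ]; then
        echo absent
    elif printf '%s\n' "$rule" | grep -qF -- '-i vif+'; then
        echo vif-only
    else
        echo any-interface
    fi
}

# Stand-alone run over the constructed samples.
# Live use: classify_8082 "$(sudo iptables-save -t filter)"
classify_8082 "$SAMPLE_DEFAULT"
classify_8082 "$SAMPLE_OPEN"
```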
