From my understanding, the FirewallVM is where the firewall rules are put into place from the Qubes VM Manager. The sys-firewall VM acts as the FirewallVM by default but what decides which VM gets that role? Is it automatically the first ProxyVM connected through the NetVM? Does naming a ProxyVM "sys-firewall" make it the FirewallVM? I can't find anything on how the FirewallVM is decided in the documentation at https://www.qubes-os.org/doc/firewall/. It would be handy to know if creating all VMs from scratch instead of using the defaults when Qubes OS is installed.
Thanks
I see now, thanks. Each ProxyVM acts as the FirewallVM for whichever VMs use it as a NetVM.