Firewall rules


kater...@sigaint.org

Jul 14, 2016, 10:40:08 AM
to qubes...@googlegroups.com
Good day
I'm using a VPN in sys-net and would like to set up firewall rules to stop the internet
connection if the VPN crashes. In sys-net it isn't possible to insert IP addresses,
so I did it in sys-firewall. With some tests I saw that if the VPN
disconnects suddenly, sys-net finds my wifi network and doesn't break the
connection, as I would like. How can I solve this? (In the proxyVMs all works
well.)

Thank you

Chris Laprise

Jul 14, 2016, 11:41:29 AM
to kater...@sigaint.org, qubes...@googlegroups.com
Take a look at https://www.qubes-os.org/doc/vpn/

For leak protection and security it is best to set up a vpn client in a
proxy vm, between sys-net and the appvms. You can follow the
instructions from the doc "Using iptables and openvpn", or use the
firewall script as an example. The two critical commands that prevent
leaks (in the proxy vm configuration) are:

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP

This means that no forwarding can take place involving the
upstream/clearnet interface eth0, so the only way out is through the vpn
tunnel.

Chris
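The two FORWARD rules from the reply above, wrapped in a small helper script so they can be reviewed, applied idempotently and verified. This is an added example, not the Qubes project's own script or the one from the doc; the path (`/rw/config/vpn-killswitch.sh`, meant to be called with `apply` from `qubes-firewall-user-script` in the VPN ProxyVM) and the uplink interface name `eth0` are assumptions.

```shell
#!/bin/sh
# Added example helper (assumed path /rw/config/vpn-killswitch.sh, not the
# Qubes project's script). Call it as "vpn-killswitch.sh apply" from the
# ProxyVM's qubes-firewall-user-script so the rules are re-applied every time
# Qubes rebuilds the firewall. eth0 (uplink to sys-net) is an assumption.
UPLINK_IF="${UPLINK_IF:-eth0}"

# Build the two leak-blocking rules as text so they can be reviewed (or
# dry-run with "show") before anything touches the kernel. "-I" inserts at
# the top of FORWARD, ahead of the forwarding rules Qubes itself installs, so
# AppVM traffic can never be forwarded to or from the clearnet uplink.
vpn_killswitch_rules() {
    uplink="$1"
    printf '%s\n' \
        "iptables -I FORWARD -o $uplink -j DROP" \
        "iptables -I FORWARD -i $uplink -j DROP"
}

# Apply each generated rule, skipping ones already present: "iptables -C"
# exits 0 when a matching rule exists, so re-running stays idempotent.
apply_rules() {
    uplink="$1"
    vpn_killswitch_rules "$uplink" | while IFS= read -r cmd; do
        check="$(printf '%s' "$cmd" | sed 's/ -I / -C /')"
        if $check 2>/dev/null; then
            echo "already present: $cmd"
        else
            $cmd
        fi
    done
}

# Exit 0 only if both DROP rules are really in the FORWARD chain.
verify_rules() {
    uplink="$1"
    iptables -C FORWARD -o "$uplink" -j DROP 2>/dev/null &&
    iptables -C FORWARD -i "$uplink" -j DROP 2>/dev/null
}

case "${1:-}" in
    apply)  apply_rules "$UPLINK_IF" ;;
    verify) verify_rules "$UPLINK_IF" && echo "kill switch in place" ;;
    show)   vpn_killswitch_rules "$UPLINK_IF" ;;
esac
```

Note the scope of these rules: FORWARD only governs traffic passing through the ProxyVM from the AppVMs behind it. The ProxyVM's own OUTPUT chain is untouched, which is deliberate, because the VPN client itself still has to reach its server over eth0. Locking that chain down so that only the VPN client process may use eth0 is a separate step; the doc's script does it with an iptables owner match on a dedicated group, which is what the "qvpn group" question later in the thread refers to.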

kater...@sigaint.org

Jul 14, 2016, 4:51:44 PM
to qubes...@googlegroups.com
Hi Chris
Thank you for the explanation. I want to know if I can use the firewall tab in
sys-net (or sys-firewall) like I have done in the proxyVM, because I also have
a VPN in sys-net. If it isn't possible, do I change iptables in sys-net
while in all the other proxyVMs I use the firewall tab?

Regards



Chris Laprise

Jul 14, 2016, 5:40:27 PM
to kater...@sigaint.org, qubes...@googlegroups.com
The firewall tab (in any vm) is not a good place to add this restriction
even if it did accept that kind of rule (which it does not). The best
way is to run the vpn client in a separate proxy vm, and set the
firewall rules with the qubes-firewall-user-script in that vm as shown
in the doc.

You can try to use qubes-firewall-user-script in the netvm, but I think
this approach is untested. Of course, by Qubes standards it is insecure.

Chris

kater...@sigaint.org

Sep 2, 2016, 2:24:24 PM
to qubes...@googlegroups.com
Hi
I also see other commands but haven't understood what they mean (qvpn group?)

Thank you
