Qubes Outgoing Firewall...


Jonas

Nov 12, 2019, 12:38:39 PM
to qubes...@googlegroups.com
Can Qubes install Puppet on every device by default, which gives every VM the config (that the user wants to be inserted in every VM)?

I would like to enable opensnitch firewall on every VM by default. (The control interface can be enabled on the Qubes dom0.)



what do you think about this???
On my setup this works very well. This should be default!!


Sent with ProtonMail Secure Email.

bo0od

Nov 12, 2019, 4:42:25 PM
to qubes...@googlegroups.com
The same application's GitHub page says:

"THIS SOFTWARE IS WORK IN PROGRESS, DO NOT EXPECT IT TO BE BUG FREE AND
DO NOT RELY ON IT FOR ANY TYPE OF SECURITY."

If you want to enable it by default, enjoy doing it yourself.


Steve Coleman

Nov 12, 2019, 5:16:11 PM
to qubes...@googlegroups.com
On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:

> I would like to enable opensnitch firewall on every VM by default.

> what do you think about this???

To be frank, it may look pretty, but it would be a big waste of CPU and
memory resources while providing absolutely no additional security.

- A firewall that runs inside the AppVM is easily circumvented by any
application or process running in that VM, thus no real security.

- You already have a real and secure Firewall by default sitting in the
sys-firewall VM, so why add an additional drain on your memory and CPU
resources. Why not learn to use what you already have available?

- You already have the means to see what your AppVMs are connecting to
if that is what you are after. You can simply run an app like etherape
(wireshark, or tcpdump) in the sys-firewall VM and see everything being
connected to all in one app. But that does degrade the security model
somewhat, because running any user level apps there is opening the
attack surface a bit.

My suggestion is to learn the system you have first before adding all
kinds of extra security compromising software/baggage that you don't
really need.
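
The per-qube connection view described in the post above, as an added example that is not part of the original thread: it condenses text output of `tcpdump -n` captured in sys-firewall into the outbound flows each qube opened. The `10.137.0.0/16` qube address range, the `summarize` function name and the sample capture lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: qubes get addresses from this internal range; adjust to your setup.
QUBE_NET = ipaddress.ip_network("10.137.0.0/16")

# One `tcpdump -n` IPv4 line: "... IP src.sport > dst.dport: <rest>"
LINE_RE = re.compile(
    r"\bIP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)"
)

def summarize(lines):
    """Map each qube IP to the sorted (proto, dst_ip, dst_port) flows it opened."""
    flows = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and anything else without ports
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in QUBE_NET or dst in QUBE_NET:
            continue  # keep only traffic leaving a qube for another network
        rest = m["rest"]
        if rest.startswith("Flags ["):
            # TCP: count only the bare SYN, so each connection appears once
            if rest[len("Flags ["):rest.index("]")] != "S":
                continue
            proto = "tcp"
        else:
            proto = "udp"  # simplification: port-bearing non-TCP lines are UDP
        flows[m["src"]].add((proto, m["dst"], int(m["dport"])))
    return {qube: sorted(seen) for qube, seen in flows.items()}

# Constructed sample capture (not taken from a real system)
SAMPLE = """\
12:00:01.000001 IP 10.137.0.12.44321 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020001 IP 203.0.113.10.443 > 10.137.0.12.44321: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.020101 IP 10.137.0.12.44321 > 203.0.113.10.443: Flags [.], ack 10, win 502, length 0
12:00:02.000001 IP 10.137.0.15.51514 > 10.139.1.1.53: 4242+ A? example.org. (29)
12:00:03.000001 ARP, Request who-has 10.137.0.6 tell 10.137.0.12, length 28
12:00:04.000001 IP 10.137.0.15.40000 > 198.51.100.7.22: Flags [S], seq 5, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for qube, seen in summarize(SAMPLE).items():
        for proto, dst, port in seen:
            print(f"{qube} -> {dst}:{port}/{proto}")
```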

Outback Dingo

Nov 30, 2019, 6:28:54 AM
to qubes-devel


On Wednesday, November 13, 2019 at 5:16:11 AM UTC+7, Steve Coleman wrote:
> On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:
>
> > I would like to enable opensnitch firewall on every VM by default.
>
> > what do you think about this???

The daemon is implemented in Go and needs to run as root in order to interact with the Netfilter packet ... WTF ... runs away screaming ......
