On 2019-11-12 12:38, 'Jonas' via qubes-devel wrote:
> I would like to enable opensnitch firewall on every VM by default.
> What do you think about this???
To be frank, it may look pretty, but it would be a big waste of CPU and
memory resources while providing absolutely no additional security.
- A firewall that runs inside the AppVM is easily circumvented by any
application or process running in that VM, thus no real security.
- You already have a real and secure firewall by default sitting in the
sys-firewall VM, so why add an additional drain on your memory and CPU
resources? Why not learn to use what you already have available?
- You already have the means to see what your AppVMs are connecting to,
if that is what you are after. You can simply run an app like etherape
(wireshark, or tcpdump) in the sys-firewall VM and see everything being
connected to, all in one app. But that does degrade the security model
somewhat, because running any user-level apps there opens up the
attack surface a bit.
My suggestion is to learn the system you have first before adding all
kinds of extra security compromising software/baggage that you don't
really need.