Improving Qubes firewall (GUI or pfSense)

799

Feb 20, 2020, 2:59:52 AM
to qubes-users
Hello,

While I've been running Qubes for a few years now, I also have to work with Windows 10 according to company standards.
So far I have had problems setting up Windows 10 on Qubes (which I tried ~1,5y ago) and then decided to work in a dual-boot setup, which is OK for me, as I am running Coreboot and my /boot is fingerprinted and I can compare all files after booting into Qubes.

On Windows I have a setup where my NICs are "Auto-Bridged" to a virtual pfSense Firewall VM (running in VMware Workstation) and the laptop has no IP addresses from these NICs but from a virtual ("Host-only") adapter which has a connection to the virtual LAN interface of the pfSense Router.
This allows me to filter in great detail what should leave the laptop, and I can work with Aliases etc.
The pfSense is also configured as OpenVPN Client and connects to a VPN Provider.
Using the detailed firewall rules in pfSense (tagging/Policy Based Routing) I am able to decide which traffic should go into the VPN and what should pass the Firewall via the WAN Interface.

Using the Firewall Logs in the GUI I have been able to make sure that no packets leave my laptops in the wrong direction.
If the VPN connection breaks, no traffic which is tagged to go through the VPN will pass the WAN gateway.

Long story cut short, I really (!) would love to have that much control and also easy configuration on Qubes.

Currently my setup involves using mirage-firewall and different VPN-VMs and sys-firewall for Qubes dom0 and template updates, but it is a bit painful to administer everything via CLI and I also like the GUI for looking/searching through firewall logs.

Is there any way to use pfSense as an HVM firewall which will then work as a central routing/firewall instance?

Or does someone have good recommendations for adding management and/or Log Analyzer GUIs for sys-firewall?

[one7two99]

awokd

Mar 6, 2020, 2:56:46 PM
to 799, qubes-users
799:

> Is there any way to use pfSense as HVM firewall which will then work as
> central routing/firewall instance?

If it helps, this question might be simplified to "can you use OpenBSD in
Qubes with 2 NICs?". Looks like it should be possible, per
https://www.mail-archive.com/qubes...@googlegroups.com/msg28726.html
and https://github.com/unman/notes/blob/master/openBSD_as_netvm
(although it would be a sys-firewall instead of netvm). From that point,
I think you can add pfSense on top?

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots