Safely set up a Qube to connect to only one IP address on the Internet


Michael Singer

Jul 12, 2021, 7:02:55 AM7/12/21
to qubes...@googlegroups.com
Dear Qubes community,

I am interested in your ideas on how you would set up a Qube as secure as possible to connect to a single ordinary internet site (not a VPN network) accessed directly via its IP address.

My ideas are:

1) Edit the Qube's firewall via dom0 as follows:

$dom0: qvm-firewall NAME-OF-QUBE del --rule-no 0
$dom0: qvm-firewall NAME-OF-QUBE add --before 0 drop
$dom0: qvm-firewall NAME-OF-QUBE add --before 0 accept 127.127.127.127/32 proto=tcp 443

2) Go into the dom0-Qube settings and turn on the disable-dns-server service.

With these two settings, there should really be no DNS traffic anymore, right?

What else would you do?

Best wishes
Michael Singer
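
An added helper for dom0, not part of this thread, that applies the same three-step policy as above and then audits what `qvm-firewall NAME list --raw` reports, so you can confirm the result really is "one accept to the target, then drop, no DNS". It assumes the raw listing prints one rule per line as space-separated `key=value` fields (for example `action=accept dsthost=195.10.223.181/32 proto=tcp dstports=443-443`), that the qube starts from the single stock `accept` rule, and that `--raw` follows the `list` subcommand; the VM name, target address and port are arguments (195.10.223.181 is the example target used later in this thread).

```shell
#!/bin/sh
# Added example, not from the thread. Run in dom0:
#   sh pin-qube.sh apply NAME-OF-QUBE 195.10.223.181 443
#   sh pin-qube.sh audit NAME-OF-QUBE 195.10.223.181 443

# Apply the policy: drop the stock rule, append a final drop, then put the
# single accept in front of it. Assumes the qube starts with one rule.
apply_pin() {
    vm="$1"; target="$2"; port="$3"
    qvm-firewall "$vm" del --rule-no 0
    qvm-firewall "$vm" add --before 0 drop
    qvm-firewall "$vm" add --before 0 accept "$target/32" proto=tcp "$port"
    # Same as ticking disable-dns-server in the qube's settings.
    qvm-service --enable "$vm" disable-dns-server
}

# Audit the policy: read the raw rule listing on stdin and succeed only if it
# is exactly "one accept to TARGET tcp/PORT, then drop", with no DNS accept
# and no other accept. Raw format assumed: one rule per line, fields like
#   action=accept dsthost=195.10.223.181/32 proto=tcp dstports=443-443
audit_pin() {
    target="$1"; port="$2"
    rules=0; accepts=0; pinned=0; dns=0; last=""
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rules=$((rules + 1))
        action=""; dsthost=""; proto=""; dstports=""; special=""
        for kv in $rule; do
            case "$kv" in
                action=*)        action="${kv#action=}" ;;
                dsthost=*)       dsthost="${kv#dsthost=}" ;;
                proto=*)         proto="${kv#proto=}" ;;
                dstports=*)      dstports="${kv#dstports=}" ;;
                specialtarget=*) special="${kv#specialtarget=}" ;;
            esac
        done
        last="$action"
        if [ "$action" = accept ]; then
            accepts=$((accepts + 1))
            if [ "$special" = dns ]; then dns=1; fi
            if { [ "$dsthost" = "$target/32" ] || [ "$dsthost" = "$target" ]; } &&
               [ "$proto" = tcp ] &&
               { [ "$dstports" = "$port" ] || [ "$dstports" = "$port-$port" ]; }; then
                pinned=$((pinned + 1))
            fi
        fi
    done
    if [ "$rules" -ge 2 ] && [ "$last" = drop ] && [ "$dns" -eq 0 ] &&
       [ "$accepts" -eq 1 ] && [ "$pinned" -eq 1 ]; then
        return 0
    fi
    echo "NOT pinned: rules=$rules accepts=$accepts pinned=$pinned dns=$dns last=$last" >&2
    return 1
}

case "${1:-}" in
    apply) apply_pin "$2" "$3" "$4" ;;
    audit) qvm-firewall "$2" list --raw | audit_pin "$3" "$4" &&
           echo "OK: $2 may only reach $3 tcp/$4" ;;
esac
```

The audit is the part worth keeping around: it fails if a later `qvm-firewall add` appends an accept after the drop, if a DNS rule creeps back in, or if the target or port in the accept rule no longer matches what you expect.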

awokd

Jul 13, 2021, 12:57:56 PM7/13/21
to qubes...@googlegroups.com
Michael Singer:
> Dear Qubes community,
>
> i am interested in your ideas on how you would set up a Qube as secure as possible to connect to a single ordinary internet site (not a VPN network) accessed directly via its IP address.

> What else would you do?

Possibly double-check and further restrict iptables & nftables on the
qube itself, but could be an annoyance to maintain.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

unman

Jul 14, 2021, 7:40:27 AM7/14/21
to qubes...@googlegroups.com
These are good.
Disable all unnecessary services in the qube - that means almost all of
them.
Change the nft/iptables configuration on the qube itself - note that you
can do this in `/rw/config/rc.local` but that is processed after the
network comes up.
You want to allow only outbound lo and to your target.
Remove/overwrite /etc/resolv.conf

You can also create an alias in /etc/hosts to avoid typing out the full
IP address.
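
The steps above (own nft rules allowing only lo and the target, an emptied `/etc/resolv.conf`, an `/etc/hosts` alias) as one script for the qube itself; this is an added example, not unman's own configuration. It puts the rules in a separate nftables table so the qubes-managed tables are left alone, and it is meant to be called from `/rw/config/rc.local`. The table name `pin_egress`, the alias `onlyhost` and the address/port defaults are assumptions; 195.10.223.181 is the example target used later in this thread.

```shell
#!/bin/sh
# Added example for the qube itself. Call from /rw/config/rc.local, which runs
# after networking is up:   sh /rw/config/pin-egress.sh apply
# Values are constructed for the example: adjust TARGET, PORT and ALIAS.
TARGET="${TARGET:-195.10.223.181}"   # the single host this qube may reach
PORT="${PORT:-443}"
ALIAS="${ALIAS:-onlyhost}"            # /etc/hosts name, so you can type https://onlyhost/

# Print an nftables ruleset in its own table. nft evaluates every table hooked
# on a given point, and a drop in any of them is final, so this narrows the
# qubes-managed rules rather than replacing them. Counters on the DNS lines
# make leak attempts visible in `nft list table inet pin_egress`.
build_ruleset() {
    target="$1"; port="$2"
    cat <<EOF
table inet pin_egress {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        ip daddr $target tcp dport $port ct state new accept
        udp dport 53 counter drop
        tcp dport 53 counter drop
        counter drop
    }
}
EOF
}

apply_pin() {
    # Replace any earlier copy of the table, then load the new one atomically.
    nft delete table inet pin_egress 2>/dev/null || true
    build_ruleset "$TARGET" "$PORT" | nft -f -
    # No resolver at all: nothing in this qube should ever need DNS.
    : > /etc/resolv.conf
    # Alias so the address need not be typed out.
    grep -q " $ALIAS\$" /etc/hosts || printf '%s %s\n' "$TARGET" "$ALIAS" >> /etc/hosts
}

case "${1:-}" in
    apply) apply_pin ;;
    show)  build_ruleset "$TARGET" "$PORT" ;;
esac
```

`sh pin-egress.sh show` prints the ruleset without touching anything, which is handy for reviewing it or for `nft -c -f -` syntax checks before enabling it at boot. Because the policy is `drop` in both chains, IPv6 and ICMP are covered without separate rules.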

Michael Singer

Jul 14, 2021, 12:35:54 PM7/14/21
to qubes...@googlegroups.com
> On Wed, Jul 14, 2021 at 04:40:29, unman wrote:

> Disable all unnecessary services in the qube - that means almost all of
> them.

Where would you look for such services?

Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?

In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?

Thank you for your reply and all the best
Michael Singer

unman

Jul 15, 2021, 7:50:26 AM7/15/21
to qubes...@googlegroups.com
On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
> > On Wed, Jul 14, 2021 at 04:40:29, unman wrote:
>
> > Disable all unnecessary services in the qube - that means almost all of
> > them.
>
> Where would you look for such services?

Look to see what's running in the template/qube.

>
> Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
You could do this: it would have one particular advantage, in that you
could set custom rules in sys-net to restrict access from that
sys-firewall to the specified IP address.

>
> In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?
>
man qvm-service - this service will remove the default gateway entry. So
a qube would be able to access immediate neighbours but not step beyond.
It's not what you want here.

Michael Singer

Jul 15, 2021, 2:08:04 PM7/15/21
to qubes...@googlegroups.com
On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:

> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:

>>
>> Would you let my Qube, which is supposed to connect to only one IP address on
>> the internet, be based on an extra firewall-vm? Would that be more secure?

> You could do this: it would have one particular advantage, in that you
> could set custom rules in sys-net to restrict access from that
> sys-firewall to the specified IP address.

Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

>> In the Qube settings for the services there is the service
>> "disable-default-route". I have not found anything about what it does. In my
>> case, would it be better to leave it on or turn it off?

> man qvm-service - this service will remove the default gateway entry. So
> a qube would be able to access immediate neighbours but not step beyond.
> It's not what you want here.

What are the immediate neighbors of a qube?

Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

In what situation is it useful for a qube to be able to access its immediate neighbors?

All the best
Michael

unman

Jul 17, 2021, 6:29:52 AM7/17/21
to Michael Singer, qubes...@googlegroups.com
On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
>
> > On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
>
> >>
> >> Would you let my Qube, which is supposed to connect to only one IP address on
> >> the internet, be based on an extra firewall-vm? Would that be more secure?
>
> > You could do this: it would have one particular advantage, in that you
> > could set custom rules in sys-net to restrict access from that
> > sys-firewall to the specified IP address.
>
> Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

Qubes uses NAT, so sys-net sees all traffic coming from the IP address
of sys-firewall.
If your new fw has IP - 10.137.0.200
And target is 195.10.223.181

`nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
`nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`

Would do it.
Adjust for your case, of course
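
The same two-rule policy for sys-net as a stand-alone nft table that can be loaded from `/rw/config/rc.local` in sys-net, so it survives restarts; this is an added example and not unman's exact commands. It uses the addresses from the example above. The table name `pin_forward` and the priority `-10` are my choices: the assumption is that the qubes/iptables-compat forward chain sits at priority 0, so this table is evaluated first and its drop wins whatever is added there later (confirm with `nft list ruleset`).

```shell
#!/bin/sh
# Added example for sys-net, to be run from /rw/config/rc.local:
#   sh /rw/config/pin-forward.sh apply
# Addresses are the ones from unman's example; adjust for your setup.
FW_IP="${FW_IP:-10.137.0.200}"       # the pinned qube's firewall VM: after NAT this is all sys-net sees
TARGET="${TARGET:-195.10.223.181}"
PORT="${PORT:-443}"

# Own table on the forward hook at priority -10 (assumed to run before the
# qubes-managed chain at priority 0). Only client->server packets carry
# saddr FW_IP; replies from TARGET are not matched, so nothing else is needed.
# The counter and log line make any other attempt from FW_IP visible in
# `nft list table inet pin_forward` and in the kernel log.
build_forward_rules() {
    fw="$1"; target="$2"; port="$3"
    cat <<EOF
table inet pin_forward {
    chain forward {
        type filter hook forward priority -10; policy accept;
        ip saddr $fw ip daddr $target tcp dport $port accept
        ip saddr $fw counter log prefix "pin_forward drop " drop
    }
}
EOF
}

apply_forward_rules() {
    nft delete table inet pin_forward 2>/dev/null || true
    build_forward_rules "$FW_IP" "$TARGET" "$PORT" | nft -f -
}

case "${1:-}" in
    apply) apply_forward_rules ;;
    show)  build_forward_rules "$FW_IP" "$TARGET" "$PORT" ;;
esac
```

The rule is only as good as the address it keys on: if the firewall VM ever gets a different IP, the drop no longer applies to it. Pinning the address in dom0 with `qvm-prefs` (the `ip` property) keeps the two in step.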

>
> >> In the Qube settings for the services there is the service
> >> "disable-default-route". I have not found anything about what it does. In my
> >> case, would it be better to leave it on or turn it off?
>
> > man qvm-service - this service will remove the default gateway entry. So
> > a qube would be able to access immediate neighbours but not step beyond.
> > It's not what you want here.
>
> What are the immediate neighbors of a qube?

Qubes that are connected - the netvm, or a qube for which *this* is the
netvm.

>
> Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

You can always access immediate neighbours, but will have to adjust the
default firewall rules.
Look at
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

>
> In what situation is it useful for a qube to be able to access its immediate neighbors?

Explained on that page: most useful is file exchange with no Qubes
tools installed, but also for testing network code, new pgp or ssh
keys, etc.

>
> All the best
> Michael
>

Michael Singer

Jul 26, 2021, 4:10:10 AM7/26/21
to unman, qubes...@googlegroups.com
On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
>> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
>>
>>> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
>>
>>>>
>>>> Would you let my Qube, which is supposed to connect to only one IP address on
>>>> the internet, be based on an extra firewall-vm? Would that be more secure?
>>
>>> You could do this: it would have one particular advantage, in that you
>>> could set custom rules in sys-net to restrict access from that
>>> sys-firewall to the specified IP address.
>>
>> Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?
>
> Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> of sys-firewall.
> If your new fw has IP - 10.137.0.200
> And target is 195.10.223.181
>
> `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
>
> Would do it.
> Adjust for your case, of course

Many thanks, unman! This is well explained. Allow one more question: How would you do the same if sys-net is based on an OpenBSD template?

Best regards
Michael Singer

unman

Jul 30, 2021, 9:40:06 AM7/30/21
to qubes...@googlegroups.com
OpenBSD in Qubes - Excellent!
You would want something like:
pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

J Holsapple

May 9, 2022, 9:45:42 PM5/9/22
to qubes-users
Don't know if this helps, but since October 2021 I've been using pfSense without any problems. I created an installation guide and script to automate the integration.