I've decided to gives Qubes a try. Apologies if I sound confused; there are many options and settings in Qubes and as a first-time user, I want to make sure I set Qubes up correctly. I have the following concern about the default netvm.
If the netvm is untrusted by default, I am making the assumption that the vm is, "out-of-the-box" easier to compromise than the other vms. So I was wondering what is the best practice for long term maintenance of the default netvm, immediately after a fresh install of Qubes?
1. Attempt to harden netvm before connecting to the internet (disable remote access, setup iptable rules, etc), then make a backup?
2. Do not harden; only backup netvm before connecting to internet. If I suspect that netvm is compromised in the future, simply stop netvm & restore from backup.
3. Some other best practice I did not think of.
(If choice #1 or 2 is best, I have a followup question)
Q1. Based on a post on 'theinvisiblethings' blog, netVMs are not the same as AppVMs. Since the backup/restore instructions on the qubes site (qvm-backup/qvm-backup-restore) is for AppVMs, how can I backup netvms for the purpose of restoring if/when they are compromised?
(If choice #1 is best)
1. Is there a guide on how we can harden the netvm? How can I view what default services, files, ports/remote access are enabled on the default netvm and how make my hardening customizations to the netvm permanent? I mainly want to make sure the netvm has no remote filesystem access from the internet (i.e. ssh, ftp, etc); the only 'access' should be from dom0.
Apologies if some of the questions are based on incomplete/incorrect information; I've tried reading all the Qubes documentation that could be related to my question such as:
https://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
https://www.qubes-os.org/doc/firewall/
https://www.qubes-os.org/doc/backup-restore/
https://www.qubes-os.org/getting-started/
Thanks,
New Qubes OS user
Ok; thanks for all of the information! It was very helpful!