Hardening sys-net

Original forum link: https://forum.qubes-os.org/t/24345
Original poster: GentooEnjoyer
Editors: GentooEnjoyer
Created at: 2024-02-10 18:56:35
Last wiki edit: 2024-12-09 22:39:50
Revisions: 6 revisions
Posts count: 15
Likes count: 4
Tags: configuration, networking

COMPLETE OVERHAUL SINCE 9/12/2024!

This guide works whether or not you chose a disposable sys-net. It is a no-nonsense guide: if you chose Debian as a base, simply substitute the corresponding Debian commands. Let's start.

SECTION 1

  1. open a terminal in sys-net and export the current nftables ruleset

        sudo -i
        nft -j list ruleset > rules.json    # -j writes JSON (matching the file name); without it nft prints its native syntax

send rules.json to a different qube; it has no business staying in sys-net yet. we will use these rules later.

  2. open a dom0 terminal and install a Fedora minimal template. do not close the terminal yet.

        sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-fedora-40-minimal
        # on Qubes 4.2, "qvm-template install fedora-40-minimal" is the equivalent

  3. clone the template and name it 'net-dvm'

  4. in your dom0 terminal, open a root XTerm in your newly created net-dvm

        qvm-run -u root net-dvm xterm

  5. install packages

        dnf install qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring polkit nftables @hardware-support

  6. from the docs on minimal templates: 'If your network devices need extra packages for the template to work as a network VM, use the lspci command to identify the devices, then run dnf search firmware (replace firmware with the appropriate device identifier) to find the needed packages and then install them.'

  7. now we are going to use our nftables rules. previously, this guide used ufw, but that has since been replaced because ufw is built on iptables.

        i will write this later, please let me take a break, I'm using an old crappy laptop as my Qubes machine and it's sitting in front of my keyboard, it's so hard to type this guide, i will update this later today, so please be patient if you are reading this on the same day as the edit

  8. update packages

        dnf upgrade    # on Fedora, "dnf update" is an alias of "dnf upgrade", so one command is enough

  9. exit the XTerm and shut down net-dvm. make a clone of default-dvm named network-dvm and change the template of network-dvm to net-dvm.

  10. shut down sys-net and change its template from default-dvm to network-dvm.
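As an added example (not from this guide and not Qubes OS code), a small Python checker for the rules.json saved in step 1 and reused later, assuming the ruleset was exported as JSON with `nft -j list ruleset`; the table and chain names in the embedded sample are constructed placeholders, not the real sys-net ruleset:

```python
# Added example, not part of the original guide: audit a ruleset exported with
# `nft -j list ruleset > rules.json` before re-applying it. Lists each chain's
# hook, policy and rule count, and flags input/forward base chains whose
# policy is "accept", which a hardened sys-net should not have.
import json

# Constructed sample in libnftables JSON format (table and chain names are
# placeholders, not the real Qubes sys-net ruleset).
SAMPLE_RULES = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "release_name": "x", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "ip", "table": "filter", "name": "forward", "handle": 2,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "ip", "table": "filter", "name": "helper", "handle": 3}},
    {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 4,
              "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                  "right": "lo"}}, {"accept": None}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 5,
              "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}},
                                  "right": ["established", "related"]}},
                       {"accept": None}]}},
]})

def audit_ruleset(rules_json):
    """Return (chains, findings): chains maps "family/table/chain" to its hook,
    policy and rule count; findings lists warnings about permissive policies."""
    chains = {}
    for obj in json.loads(rules_json)["nftables"]:
        if "chain" in obj:  # regular (non-base) chains carry no hook or policy
            c = obj["chain"]
            key = f"{c['family']}/{c['table']}/{c['name']}"
            chains[key] = {"hook": c.get("hook"), "policy": c.get("policy"), "rules": 0}
        elif "rule" in obj:
            r = obj["rule"]
            key = f"{r['family']}/{r['table']}/{r['chain']}"
            chains.setdefault(key, {"hook": None, "policy": None, "rules": 0})["rules"] += 1
    # An accept policy on an input/forward base chain passes everything no rule explicitly drops.
    findings = [f"{key}: base chain on hook {c['hook']} has policy accept"
                for key, c in chains.items()
                if c["hook"] in ("input", "forward") and c["policy"] == "accept"]
    return chains, findings

if __name__ == "__main__":
    chains, findings = audit_ruleset(SAMPLE_RULES)  # or open("rules.json").read()
    for key, c in chains.items():
        print(f"{key}: hook={c['hook']} policy={c['policy']} rules={c['rules']}")
    for warning in findings:
        print("WARNING:", warning)
```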

SECTION 2

this section is SUPPOSED to be for sys-firewall. maybe coming soon, depending on how long i procrastinate dissecting sys-firewall. (what i wrote here before was a disaster). do not change sys-firewall yet.