this guide works no matter whether or not you chose disposable sys-net or not. no nonsense guide, lets get in
| **COMPLETE OVERHAUL SINCE 9/12/2024!**
this guide works no matter whether or not you chose disposable sys-net or not. no nonsense guide, if you chose Debian as a base, simply substitute for the proper commands on Debian. lets start.
|
1. open a dom0 terminal and install a fedora-39-minimal template (dont close the terminal yet we need it for later)
sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-templates-fedora-39-minimal
2. clone the template and name it 'net-dvm' (optionally clone it twice, and name the second one fw-dvm. youll use it later IF you do decide to do a bit more advanced hardening)
3. in your dom0 terminal, open a root XTerm in your newly created net-dvm
qvm-run -u root net-dvm xterm
4. install packages
dnf install qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring polkit ufw clamav @hardware-support
5. from the docs on minimal templates, 'If your network devices need extra packages for the template to work as a network VM, use the `lspci` command to identify the devices, then run `dnf search firmware` (replace `firmware` with the appropriate device identifier) to find the needed packages and then install them.'
6. enable ufw (or if you want to use nftables instead, `dnf remove ufw` and install nftables and set our rules.
systemctl enable ufw
ufw enable
7. remove default rules in ufw and allow incoming from sys-firewall (ip will be different in your case, just find ip address of sys-firewall)
ufw delete 1 (x4)
ufw allow in from 10.x.x.x
8. (optional) run comprehensive system security audits with lynis
dnf install lynis
lynis audit system
9. update packages
| 1. open a terminal in sys-net and obtain current nftables rules
sudo - i
nft list ruleset > rules.json
send rules.json to a different qube, it has no business being in sys-net yet. we will be using these rules later.
2. open a dom0 terminal and install a fedora minimal template. do not close the terminal yet.
sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-templates-fedora-40-minimal
3. clone the template and name it 'net-dvm'
4. in your dom0 terminal, open a root XTerm in your newly created net-dvm
qvm-run -u root net-dvm xterm
5. install packages
dnf install qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring polkit nftables @hardware-support
6. from the docs on minimal templates, 'If your network devices need extra packages for the template to work as a network VM, use the `lspci` command to identify the devices, then run `dnf search firmware` (replace `firmware` with the appropriate device identifier) to find the needed packages and then install them.'
7. now we are going to be using our nftables rules. previously, this guide used ufw, but that has since been replaced due to its usage of iptables.
i will write this later, please let me take a break, im using an old crappy laptop as my Qubes machine and its sitting infront of my keyboard, its so hard to type this guide, i will update this later today, so please be patient if you are reading this on the same day as the edit
8. update packages
|
10. finishing up (run commands one after another)
freshclam
clamscan -r /
11. exit the XTerm and shutdown net-dvm, make a clone of default-dvm named network-dvm and change the template of network-dvm to net-dvm.
12. shutdown sys-net and change the template from default-dvm to network-dvm. majority should be done right here, unless you want to go and help out sys-firewall too. IF you didnt choose to make it disposable, open a dom0 terminal and edit /var/lib/qubes/qubes.xml
sudo nano /var/lib/qubes/qubes.xml
scroll down until you find the actual properties of sys-net qube (might take a while, might not, depends on how good of an observer you are) and edit "class="AppVM"" to say DispVM. copy the entire autostart property line, the entire line of the property for autostart being true, and make a new line right below that property, paste in your copied property, and change the name from autostart to dispid, and change True to a unique value (just hit 4 random keys on your keyboard). CTRL + O to write out, and CTRL + X to exit. restart QubesOS, and now you can go change the template of sys-net to network-dvm, and if it doesnt work and it says no default dispid for sys-net and that sys-net is still an AppVM, set a different dispid than before.
| 9. exit the XTerm and shutdown net-dvm, make a clone of default-dvm named network-dvm and change the template of network-dvm to net-dvm.
10. shutdown sys-net and change the template from default-dvm to network-dvm.
|
this section is for sys-firewall, and is the section where your second template is needed, if you created it. if you didnt, and want to follow section 2, go create a new one.
1. get root terminal access since passwordless root is disabled by default
qvm-run -u root fw-dvm xterm
2. install packages
dnf install qubes-core-agent-networking iproute ufw clamav
3. if you are using sys-firewall for dom0 updates instead of sys-whonix, install dom0 update support
dnf install qubes-core-agent-dom0-updates
4. remove default rules. ufw doesnt interfere with the firewall shit that qubes has on by default, atleast with our ruleset, so dont worry.
ufw delete 1 (x4)
ufw default deny outgoing
ufw default allow incoming
ufw allow out to <ip of sys-net>
ufw deny in from <ip of sys-net>
systemctl enable ufw
ufw enable
5. update packages and start clamav
dnf update && dnf upgrade
freshclam
clamscan -r /
clamscan
6. (optional) install lynis and audit system
dnf install lynis
lynis audit system
7. you know the drill, clone default-dvm again, name it firewall-dvm, change firewall-dvm template to fw-dvm, shutdown sys-firewall, change template of sys-firewall to firewall-dvm, and youre good to go.
EOF | this section is SUPPOSED to be for sys-firewall. maybe coming soon, depends on how long i procrastinate disecting sys-firewall. (what i wrote here before was a disaster). do not change sys-firewall yet. |