⚠️ This setup is only useful if you want to block every packet that does not go through your VPN or Tor qube.
By default, Qubes OS checks for template updates from inside the running qubes themselves, so the check traffic leaves through whatever netvm each qube currently uses. Some users consider this a privacy issue: the check queries the Qubes OS package repositories, which immediately flags the client as a Qubes OS user.
Even if every one of your qubes is routed through sys-whonix or a VPN qube, three qubes sit before the VPN/Tor hop in the netvm chain and can still leak traffic of their own: sys-net, sys-firewall and sys-usb.
Related to https://github.com/QubesOS/qubes-issues/issues/9338
The idea is to block all traffic generated by sys-usb, sys-firewall and sys-net themselves, while still letting them route traffic for other qubes so the network keeps working. sys-usb normally has no network, but it is configured as a network-providing qube so that it can serve a USB network adapter when one is plugged in.
This is a software solution: it cannot guarantee against leaks after an update or a misconfiguration. For a more leak-proof setup, put a hardware gateway between Qubes OS and the real network and block any unwanted traffic there.
ℹ️ Disabling the update check for these qubes may be enough. Blocking all of their own traffic adds a further layer on top of that.
Run these commands in a dom0 terminal:
qvm-service sys-firewall qubes-update-check off
qvm-service sys-net qubes-update-check off
qvm-service sys-usb qubes-update-check off
qvm-service default-dvm qubes-update-check off # just in case
Add this to the file /rw/config/rc.local in the disposable template named default-dvm:
# rc.local already runs as root, so no sudo is needed.
# Only act inside the three upstream qubes; every other qube keeps its normal policy.
if [ "$(qubesdb-read /name)" = "sys-firewall" ] || [ "$(qubesdb-read /name)" = "sys-net" ] || [ "$(qubesdb-read /name)" = "sys-usb" ]
then
    # Drop everything this qube generates itself (output hook). Traffic it forwards
    # for other qubes goes through the forward hook and is not affected.
    nft add chain ip qubes output '{ type filter hook output priority 0; policy drop; }'
    nft add chain ip6 qubes output '{ type filter hook output priority 0; policy drop; }'
fi
Restart the qubes.
If sys-net (or sys-firewall or sys-usb) is not a disposable based on default-dvm, add the same snippet to /rw/config/rc.local inside that qube itself.
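After the reboot, verify the result from dom0 rather than trusting the script. The audit below is an added example, not part of the original page: for each of the three upstream qubes it lists the output chain in the ip and ip6 "qubes" tables and checks that the policy is drop, then tries a direct HTTPS connection from inside the qube (which must fail) and, optionally, from a qube behind the chain (which must still succeed). It assumes the Qubes 4.2 nftables layout the page relies on, that curl is installed in the qubes' templates, and the qube names from the page; DOWNSTREAM_QUBE is a placeholder you set to a regular AppVM routed through your VPN or Tor qube. The sample nft listings are constructed so the text check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): dom0 audit for the rc.local drop policy.
# Assumptions: Qubes 4.2 nftables layout (table "qubes" in families ip and ip6),
# qube names sys-net/sys-firewall/sys-usb from the page, curl present in their templates.

UPSTREAM_QUBES="sys-net sys-firewall sys-usb"
# Placeholder: an AppVM routed through your VPN/Tor qube, used to prove forwarding still works.
DOWNSTREAM_QUBE="${DOWNSTREAM_QUBE:-}"

# Constructed sample listings in "nft list chain" output format, for the offline self-check.
SAMPLE_DROP='table ip qubes {
	chain output {
		type filter hook output priority filter; policy drop;
	}
}'
SAMPLE_ACCEPT='table ip qubes {
	chain output {
		type filter hook output priority filter; policy accept;
	}
}'

# Return 0 if the listing passed as $1 contains an output-hook chain with a drop policy.
# nft prints priority 0 as "priority filter" on newer versions, so only hook and policy are matched.
listing_drops_output() {
    printf '%s\n' "$1" | grep -Eq 'hook[[:space:]]+output.*policy[[:space:]]+drop'
}

# Fetch the output chain of family $2 from qube $1 (empty string if the chain is missing).
qube_output_chain() {
    qvm-run --pass-io -u root "$1" "nft list chain $2 qubes output" 2>/dev/null
}

# Return 0 if the qube can still open a direct HTTPS connection, i.e. it is leaking.
qube_can_connect_out() {
    qvm-run --pass-io "$1" 'curl -s -o /dev/null --max-time 5 https://www.qubes-os.org/' >/dev/null 2>&1
}

audit() {
    rc=0
    for q in $UPSTREAM_QUBES; do
        for fam in ip ip6; do
            if listing_drops_output "$(qube_output_chain "$q" "$fam")"; then
                echo "ok   $q: $fam output chain drops locally generated traffic"
            else
                echo "FAIL $q: no drop-policy output chain in table $fam qubes"
                rc=1
            fi
        done
        if qube_can_connect_out "$q"; then
            echo "FAIL $q: direct HTTPS connection succeeded (leak)"
            rc=1
        else
            echo "ok   $q: direct HTTPS connection blocked"
        fi
    done
    if [ -n "$DOWNSTREAM_QUBE" ]; then
        if qube_can_connect_out "$DOWNSTREAM_QUBE"; then
            echo "ok   $DOWNSTREAM_QUBE: forwarded traffic still works"
        else
            echo "FAIL $DOWNSTREAM_QUBE: no connectivity, forwarding is broken"
            rc=1
        fi
    fi
    return $rc
}

# Offline self-check of the text matcher, then the live audit when running in dom0.
listing_drops_output "$SAMPLE_DROP" || echo "self-check failed: drop listing not recognised"
listing_drops_output "$SAMPLE_ACCEPT" && echo "self-check failed: accept listing misreported as drop"
if command -v qvm-run >/dev/null 2>&1; then
    audit
fi
```

A missing chain makes qvm-run return nothing, so it is reported as a failure rather than silently passing; the connection probe is what actually demonstrates the leak is closed, since a chain can exist and still be bypassed by a later rule that jumps elsewhere.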