Prevent Qubes OS clearnet leaks revisions


Revision #6

Edited on
2025-01-24
Edited by user
solene
The idea is to block all traffic generated by sys-usb, sys-firewall and sys-net, but still allow them to route traffic for Qubes so the network still works. Although sys-usb should not have network, it is actually configured as a "providing network" qube for when you plug in a USB network adapter.

Revision #5

Edited on
2025-01-24
Edited by user
solene
sudo nft add chain ip6 qubes output '{type filter hook output priority 0; policy drop; }'

Revision #4

Edited on
2025-01-24
Edited by user
solene
Related to https://github.com/QubesOS/qubes-issues/issues/9338

Revision #3

Edited on
2025-01-24
Edited by user
solene
> :information_source: Disabling the update check for these qubes may be enough. But an extra security measure is to block all traffic.

Revision #2

Edited on
2025-01-24
Edited by user
solene
if [ "$(hostname -s)" = "sys-firewall" ] || [ "$(hostname -s)" = "sys-net" ] || [ "$(hostname -s)" = "sys-usb" ]
if [ "$(qubesdb-read /name)" = "sys-firewall" ] || [ "$(qubesdb-read /name)" = "sys-net" ] || [ "$(qubesdb-read /name)" = "sys-usb" ]