> ⚠️ This setup is only useful if you want to block all non-VPN / non-Tor traffic leaving your machine.
By default, Qubes OS checks for template updates from inside the running qubes themselves, and that check generates traffic through each qube's current netvm. Some people consider this a privacy issue, because the check queries the Qubes OS package repositories, which immediately flags the user as a Qubes OS user.
Even if you use sys-whonix or a VPN qube as the netvm for all your qubes, three qubes can still leak traffic, because they sit before the VPN/Tor qube in the netvm chain: sys-net, sys-firewall and sys-usb.
Related to https://github.com/QubesOS/qubes-issues/issues/9338
The idea is to block all traffic generated by sys-usb, sys-firewall and sys-net themselves, while still letting them route traffic for the other qubes, so networking keeps working.
This is a software solution; it cannot guarantee against leaks after an update or a misconfiguration. For a more leak-proof setup, put a hardware gateway between the Qubes OS machine and the real network and block any unwanted traffic there.
> ℹ️ Disabling the update check for these qubes may be enough. Blocking all of their traffic is an extra measure on top of that.
Run the following commands in a dom0 terminal:

```sh
qvm-service sys-firewall qubes-update-check off
qvm-service sys-net qubes-update-check off
qvm-service sys-usb qubes-update-check off
qvm-service default-dvm qubes-update-check off # just in case
```
Add this to the file `/rw/config/rc.local` in the disposable template `default-dvm` (rc.local already runs as root, so no `sudo` is needed):

```sh
# Drop everything the qube itself sends (output hook); forwarded traffic
# for downstream qubes goes through the forward hook and is not affected.
if [ "$(qubesdb-read /name)" = "sys-firewall" ] || [ "$(qubesdb-read /name)" = "sys-net" ] || [ "$(qubesdb-read /name)" = "sys-usb" ]
then
    nft add chain ip qubes output '{ type filter hook output priority 0; policy drop; }'
fi
```
Restart the qubes. To verify, run from dom0 `qvm-run -p sys-net 'sudo nft list chain ip qubes output'`; the chain should be listed with `policy drop`.
If your sys-net (or sys-firewall, or sys-usb) is not disposable, apply the same `rc.local` instructions as explained for `default-dvm`, but inside that qube instead.
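The same rc.local logic as a complete script, written here as an added example (it is not from the original post or from the Qubes project). It generalizes the snippet above in two ways: the list of blocked qubes is a single variable, and the drop chain is added to both the `ip qubes` and `ip6 qubes` tables, since the original only covers IPv4 and an IPv6-enabled uplink would otherwise still leak. It assumes the Qubes 4.2 nftables layout, where those two tables exist in every networked qube; `add table` and `add chain` are no-ops if the object already exists, so the script is safe to re-run. The `drop_ruleset` function only prints the nft commands, so the ruleset can be reviewed (or tested) without root or nft, and is applied atomically with `nft -f -`.

```shell
#!/bin/sh
# /rw/config/rc.local fragment (added example, not the original post's code).
# Drops all locally generated IPv4/IPv6 traffic in the listed service qubes.
# Forwarded traffic for downstream qubes goes through the forward hook, so
# routing keeps working.

# Qubes whose own traffic must be dropped (assumption: edit to match your setup).
BLOCKED_QUBES="sys-net sys-firewall sys-usb"

# Return 0 if $1 is one of the blocked qube names, 1 otherwise.
is_blocked_qube() {
    for q in $BLOCKED_QUBES; do
        [ "$q" = "$1" ] && return 0
    done
    return 1
}

# Print the nft commands for one address family ($1 is "ip" or "ip6").
# "add table" is a no-op when the table exists; "add chain" likewise,
# so re-running rc.local cannot fail or duplicate the chain.
output_drop_rules() {
    printf 'add table %s qubes\n' "$1"
    printf 'add chain %s qubes output { type filter hook output priority 0; policy drop; }\n' "$1"
}

# Whole ruleset for both families, meant to be fed to "nft -f -".
drop_ruleset() {
    output_drop_rules ip
    output_drop_rules ip6
}

# Apply the ruleset only when this qube is in the blocked list.
apply_if_blocked() {
    name="$(qubesdb-read /name 2>/dev/null)" || return 0
    is_blocked_qube "$name" || return 0
    drop_ruleset | nft -f -
}

# Only act inside a qube that has the Qubes and nftables tooling installed.
if command -v qubesdb-read >/dev/null 2>&1 && command -v nft >/dev/null 2>&1; then
    apply_if_blocked
fi
```

After a restart, `qvm-run -p sys-net 'sudo nft list table ip6 qubes'` from dom0 should show the `output` chain with `policy drop` as well; if it does not, that qube is not based on the template you edited.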