Fortifying sys-net: A Shift to OpenBSD revisions


Revision #3

Edited on 2025-02-04 by user qEawma5f
@palainp is one of the maintainers of the Qubes OS Mirage firewall, and I will create a separate guide on how to use it for general use. He has helped me with setting up the OpenBSD sys-net and Mirage Firewall.

The sys-firewall requires specific configuration to effectively route traffic between Qubes. Unfortunately, I did not test this with sys-firewall. Instead, I went with **[qubes-mirage-firewall](https://github.com/mirage/qubes-mirage-firewall)**, which is relatively easy to set up. If anyone has successfully configured sys-firewall, please share your method so we can consider adding it to the guide.

Revision #2

Edited on 2025-02-04 by user qEawma5f
The sys-net running on a Fedora template isn't secure enough. It is not hardened in any way. If it's connected directly to the internet, it is at least vulnerable to DoS attacks, but that's just the beginning of the problem. The more protocols and ports you use, the larger the attack surface becomes. The biggest issue is that the root account has no password, making it easy for hackers to target your machine. Once they gain access to sys-net, they can easily move to other VMs for the same reason. Unless everything is done in disposable VMs, they could establish a persistent presence.

Using OpenBSD for sys-net could help strengthen defenses against these local network threats. OpenBSD provides high-quality driver code, strong security features, good hardware support, low resource use, and a smaller attack surface compared to Linux. Using OpenBSD for sys-net adds important diversity to your network setup. For example, if there’s a major exploit in the Linux distribution, using OpenBSD alongside Linux means that an attacker would need to find two separate vulnerabilities to compromise the system.

Additionally, a standard Fedora template includes many packages that you might not need. While some might suggest using a minimal template, it’s worth asking: why not go further and use a more secure operating system? Choosing OpenBSD not only reduces potential risks but also strengthens the overall security of your network. This way, you can take advantage of a secure OS while avoiding unnecessary vulnerabilities.

# Firewall Configuration

The sys-firewall requires specific configuration to effectively route traffic between Qubes and AppVM. Unfortunately, I did not test this with sys-firewall. Instead, I went with **[qubes-mirage-firewall](https://github.com/mirage/qubes-mirage-firewall)**, which is relatively easy to set up. If anyone has successfully configured sys-firewall, please share your method so we can consider adding it to the guide.

Setup instructions from qubes-mirage-firewall on their GitHub:

> Configure firewall with OpenBSD-like netvm
>
> OpenBSD is currently unable to be used as netvm, so if you want to use a BSD as your sys-net VM, you'll need to set its netvm to qubes-mirage-firewall (see [#146](https://github.com/mirage/qubes-mirage-firewall/issues/146) for more information). That means you'll have `AppVMs -> qubes-mirage-firewall <- OpenBSD` with the arrow standing for the netvm property setting.
>
> In that case you'll have to tell qubes-mirage-firewall which AppVM client should be used as uplink:
>
> ```
> qvm-prefs --set mirage-firewall -- kernelopts '--ipv4=X.X.X.X --ipv4-gw=Y.Y.Y.Y'
> ```
>
> with `X.X.X.X` the IP address for mirage-firewall and `Y.Y.Y.Y` the IP address of your OpenBSD HVM.

Here are some resources for setting up sys-firewall and routing traffic successfully. However, please note that these resources may be outdated and likely require some rework:

- https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes (not outdated)
- https://github.com/jcholsap/freemod/issues/1#issue-1016495279 (outdated)
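The topology quoted above, `AppVMs -> qubes-mirage-firewall <- OpenBSD`, can be applied from dom0 in one go. The script below is an added example, not code from the post or from the qubes-mirage-firewall project: it validates both addresses before writing them into `kernelopts` (a typo there leaves the firewall with no uplink), then points the OpenBSD HVM and the client AppVMs at the firewall. The qube names `mirage-firewall`, `openbsd-sys-net` and the `CLIENT_VMS` list are assumptions; set `DRY_RUN=1` to print the `qvm-prefs` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed qube names below;
# override via the environment. DRY_RUN=1 prints instead of executing.
set -eu

FW_VM="${FW_VM:-mirage-firewall}"       # qubes-mirage-firewall qube
BSD_VM="${BSD_VM:-openbsd-sys-net}"     # OpenBSD HVM acting as sys-net
CLIENT_VMS="${CLIENT_VMS:-}"            # space-separated AppVMs to route
DRY_RUN="${DRY_RUN:-0}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                 # split on dots into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the kernelopts value: $1 = firewall IP, $2 = OpenBSD uplink IP.
build_kernelopts() {
  valid_ipv4 "$1" || { echo "bad firewall address: $1" >&2; return 1; }
  valid_ipv4 "$2" || { echo "bad uplink address: $2" >&2; return 1; }
  [ "$1" != "$2" ] || { echo "addresses must differ" >&2; return 1; }
  printf -- '--ipv4=%s --ipv4-gw=%s\n' "$1" "$2"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Wire AppVMs -> firewall <- OpenBSD: uplink via kernelopts, clients via netvm.
apply_mirage_uplink() {
  opts=$(build_kernelopts "$1" "$2") || return 1
  run qvm-prefs --set "$FW_VM" -- kernelopts "$opts"
  run qvm-prefs --set "$BSD_VM" netvm "$FW_VM"
  for vm in $CLIENT_VMS; do
    run qvm-prefs --set "$vm" netvm "$FW_VM"
  done
}
```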