"getoutofmyla(w)n" template to block internal and external LAN access in qubesos revisions


Revision #9

Edited on
2026-03-01
Edited by user
reseterror
update: updated for qubesos virtual dns servers.
> qvm-firewall [VM-name] reset
> qvm-firewall [VM-name] --reload
> qvm-firewall [VM-name] del --rule-no 0
> qvm-firewall [VM-name] add drop
> qvm-firewall [VM-name] --reload
You can run the script above, but keep in mind that it will break all network connections. You have to allow ICMP and DNS to sys-fw, sys-net, the virtual DNS and 192.168.1.1 (router address) to not break it. Added this part because unman (naively) believes that the ICMP/DNS has to be blocked too, so if your belief is similar run the commands above, but don't be surprised when the network connection is broken.

Revision #8

Edited on
2026-03-01
Edited by user
reseterror

Revision #7

Edited on
2026-02-27
Edited by user
reseterror
Previous text
> #qvm-firewall add accept 10.139.1.1 icmp
> #qvm-firewall add accept 10.139.1.1 specialtarget=dns
> #qvm-firewall add accept 10.139.1.2 icmp
> #qvm-firewall add accept 10.139.1.2 specialtarget=dns
> #qvm-firewall add drop 10.139.0.0/8

Revised text
> #qvm-firewall [VM-name] add drop 10.137.0.0/16
> #qvm-firewall [VM-name] add accept 10.139.1.1 icmp
> #qvm-firewall [VM-name] add accept 10.139.1.1 specialtarget=dns
> #qvm-firewall [VM-name] add accept 10.139.1.2 icmp
> #qvm-firewall [VM-name] add accept 10.139.1.2 specialtarget=dns
> #qvm-firewall [VM-name] add drop 10.137.0.0/16
> #qvm-firewall [VM-name] add drop 10.139.1.0/24

Revision #6

Edited on
2026-02-27
Edited by user
reseterror
> #qvm-firewall add accept 10.139.1.1 icmp
> #qvm-firewall add accept 10.139.1.1 specialtarget=dns
> #qvm-firewall add accept 10.139.1.2 icmp
> #qvm-firewall add accept 10.139.1.2 specialtarget=dns
> #qvm-firewall add drop 10.139.0.0/8
SUPER IMPORTANT WARNING: If the LAN IPs are exposed to an appVM even once, you have to disconnect the VMs from their netvm, reset their rules & reload them and then shutdown/re-start or reboot the appVM. Ideally do this a few times just to be sure. Only after this is done should you apply the rules above, because otherwise the rules may not apply for unknown reasons. sys-firewall's default nftables chains show no "ct state established,related" kind of command that may signal this with the policy accept. Postrouting chains are clear of such a flag even if it has a policy accept option. I personally don't know why this happens.
update: updated for qubesos virtual dns servers.

Revision #5

Edited on
2026-02-27
Edited by user
reseterror
LAN is an area where qubesos lacks in security and makes zero real promises. Qubesos using sys-firewall is good for protecting your appVMs. It is not bad and helps for sure, but it is virtually useless for protecting your LANs. A pre-configured (in my opinion) firewall ruleset is also needed, and this is honestly where qubesos lacks. Most novice users connect their devices automatically to LAN without running scripts, and a pre-configured ruleset is necessary. However, as a manual fix in the meanwhile, the template below can be used to solve this problem. Once configured, the firewall rules will remain active forever if not changed in some other way.
> #qvm-firewall [VM-name] --reload
> #qvm-firewall [VM-name] del --rule-no 0

Previous text
SUPER IMPORTANT WARNING: If the LAN IPs are exposed to an appVM even once, you have to block all access to the LAN and then restart the appVM and its netVM/connection pathways, because otherwise the rules may not apply for unknown reasons. sys-firewall's default nftables chains show no "ct state established,related" kind of command that may signal this with the policy accept. Postrouting chains are clear of such a flag even if it has a policy accept option. I personally don't know why this happens.

Revised text
SUPER IMPORTANT WARNING: If the LAN IPs are exposed to an appVM even once, you have to disconnect the VMs from their netvm, reset their rules & reload them and then shutdown/re-start or reboot the appVM. Ideally do this a few times just to be sure. Only after this is done should you apply the rules above, because otherwise the rules may not apply for unknown reasons. sys-firewall's default nftables chains show no "ct state established,related" kind of command that may signal this with the policy accept. Postrouting chains are clear of such a flag even if it has a policy accept option. I personally don't know why this happens.

Revision #4

Edited on
2026-02-27
Edited by user
reseterror
Previous text
LAN is an area where qubesos lacks in security and makes zero real promises. Qubesos using sys-firewall is good for protecting your appVMs. It is not bad and helps for sure, but it is virtually useless for protecting your LANs. A pre-configured (in my opinion) firewall ruleset is also needed, and this is honestly where qubesos lacks. The template below can be used to fix this.

Revised text
LAN is an area where qubesos lacks in security and makes zero real promises. Qubesos using sys-firewall is good for protecting your appVMs. It is not bad and helps for sure, but it is virtually useless for protecting your LANs. A pre-configured (in my opinion) firewall ruleset is also needed, and this is honestly where qubesos lacks. Most novice users connect their devices automatically to LAN without running scripts, and a pre-configured ruleset is necessary. However, as a manual fix in the meanwhile, the template below can be used to solve this problem. Once configured, the firewall rules will remain active forever.
> #qvm-firewall [VM-name] add drop 10.138.0.0/16
> #qvm-firewall [VM-name] add accept [IF YOU USE A FIREWALL TO BLOCK WEBSITES, DO NOT ADD THIS COMMAND IMMEDIATELY BUT INSTEAD ADD SUCH RULES PRIOR TO ADDING THE "add accept" COMMAND FINALLY.]

Revision #3

Edited on
2026-02-27
Edited by user
reseterror
> #qvm-firewall [VM-name] --reload
> #qvm-firewall [VM-name] del --rule-no 0
> #qvm-firewall [VM-name] add accept 192.168.1.1 icmp

Revision #2

Edited on
2026-02-27
Edited by user
reseterror
Previous text
-----------------------------------------------------getoutofmylawn----------------------------------------------------------

Revised text
-----------------------------------------------------getoutofmyla(w)n----------------------------------------------------------
LAN is an area where qubesos lacks in security and makes zero real promises. Qubesos using sys-firewall is good for protecting your appVMs. It is not bad and helps for sure, but it is virtually useless for protecting your LANs. A pre-configured (in my opinion) firewall ruleset is also needed, and this is honestly where qubesos lacks. The template below can be used to fix this.
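The rule sequence that the revisions above spread over several edits (reset the qube's rules, remove the default accept, allow ICMP and DNS to the Qubes virtual DNS addresses and ICMP to the router, drop the LAN ranges, then accept everything else) assembled into one dom0 script. This is an added example, not the poster's own script. The router address 192.168.1.1 and the virtual DNS addresses 10.139.1.1 and 10.139.1.2 are taken from the post; the qube name and the DRY_RUN preview switch are this script's own, and the dropped LAN_NETS list covers all of RFC 1918, which is broader than the individual /16s in the post. qvm-firewall matches rules top-down, first match wins, so the accepts are added before the drops.

```shell
#!/bin/sh
# Added example, not the original poster's script. Replaces one qube's
# qvm-firewall rule set from dom0 in the "getoutofmyla(w)n" order:
# reset, remove the default accept, allow ICMP/DNS to the virtual DNS
# addresses and ICMP to the router, drop LAN ranges, accept the rest.
# Assumed values (from the post or placeholders): adjust for your network.
set -eu

GATEWAY="${GATEWAY:-192.168.1.1}"                 # physical router, per the post
DNS_VIPS="${DNS_VIPS:-10.139.1.1 10.139.1.2}"    # Qubes virtual DNS addresses, per the post
# Dropped ranges: the Qubes internal nets named in the post plus the rest of
# RFC 1918 (assumption: the qube should reach no LAN host at all).
LAN_NETS="${LAN_NETS:-10.137.0.0/16 10.138.0.0/16 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"

# Execute a command, or print it when DRY_RUN=1 (preview outside dom0).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rule bodies, one per line, in the order they must be added.
build_rules() {
    for vip in $DNS_VIPS; do
        echo "accept $vip icmp"
        echo "accept $vip specialtarget=dns"
    done
    echo "accept $GATEWAY icmp"
    for net in $LAN_NETS; do
        echo "drop $net"
    done
    echo "accept"                                 # everything not matched above
}

# Replace the whole rule set of one qube.
apply_rules() {
    vm="$1"
    run qvm-firewall "$vm" reset                  # back to the single default accept
    run qvm-firewall "$vm" del --rule-no 0        # remove it so nothing bypasses the new rules
    build_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into tokens is intended
        run qvm-firewall "$vm" add $rule
    done
    run qvm-firewall --reload "$vm"               # push the rules to the qube's netvm
    run qvm-firewall "$vm" list                   # show what is now in force
}

main() {
    if [ "${DRY_RUN:-0}" != 1 ] && ! command -v qvm-firewall >/dev/null 2>&1; then
        echo "qvm-firewall not found: run in dom0, or set DRY_RUN=1 to preview" >&2
        return 1
    fi
    apply_rules "$1"
}

if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Preview the exact invocations with `DRY_RUN=1 sh getoutofmylan.sh work`, then run it in dom0 without DRY_RUN. The final `qvm-firewall work list` shows the installed order; the accepts for the virtual DNS addresses and the router must appear above the drops, and the catch-all accept must be last.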