-----------------------------------------------------getoutofmyla(w)n----------------------------------------------------------

LAN is an area where qubesos lacks at security and makes zero real promises. Qubesos using sys-firewall is good for protecting your appVMs. It is not bad and helps for sure but it is virtually useless for protecting your LANs. A pre-configured (in my opinion) firewall ruleset is also needed and this is where the qubesos lacks at honestly. The template below can be used to fix this.

Internal LAN: The LAN within the qubes os system. The qubesos networking system is a LAN within a LAN, due to the existence of sys-firewall and sys-net type of netVMs.

External LAN: The LAN outside the qubes os system, between your device where the qubesos runs and other devices on the same LAN.

GO OFFLINE PRIOR TO EXECUTING THESE COMMANDS IF POSSIBLE AND UNCOMMENT THE LINES BELOW. THEY ARE KEPT COMMENTED TO PREVENT THEIR ACCIDENTAL EXECUTION. > #qvm-firewall [VM-name] reset [DO NOT RUN THIS COMMAND IF YOU HAVE RULES THAT YOU WANT TO PRESERVE.] > #qvm-firewall [VM-name] --reload> #qvm-firewall [VM-name] del --rule-no 0 > #qvm-firewall [VM-name] add accept 192.168.1.1 icmp > #qvm-firewall [VM-name] add accept 192.168.1.1 specialtarget=dns > #qvm-firewall [VM-name] add drop 192.168.1.0/24 > #qvm-firewall [VM-name] add accept [sys-firewall IP] icmp > #qvm-firewall [VM-name] add accept [sys-firewall IP] specialtarget=dns > #qvm-firewall [VM-name] add accept [sys-net IP] icmp > #qvm-firewall [VM-name] add accept [sys-net IP] specialtarget=dns > #qvm-firewall [VM-name] add drop 10.137.0.0/16

> #qvm-firewall [VM-name] add drop 10.138.0.0/16> #qvm-firewall [VM-name] add accept [IF YOU USE A FIREWALL TO BLOCK WEBSITES, DO NOT ADD THIS COMMAND IMMEDIATELY BUT INSTEAD ADD SUCH RULES PRIOR TO ADDING "add accept" COMMAND FINALLY.]

> #qvm-firewall [VM-name] --reload

If you want a script-ed version of this though, you can bulk replace the VM-names and utilize ctrl+c + ctrl +v to create a text file.

After that you would run "chmod +x" with /path/to/name-of-the-script and then run the script. The script won't require root.

PLEASE READ THE WARNINGS BELOW:Reboot ALL virtual machines for whom the firewall rules are changed for after the last command.

If possible also reboot all the VMs along the connection pathway. This includes sys-net too.Due to the way the qubesOS handles the connections, the network rules are enforced in the netVM of a qube what this means is that you have to apply the firewall rules ideally for all VMs that connect to the network whether directly or indirectly through a proxy that the qubesos labels a "netvm". If this cannot be done, apply the rules at the most granular level. Instead of changing the rule of sys-firewall as an example, focus on individual appVMs.

REMEMBER: you are not changing the rules for the VM that you intend to, but rather for the netVM of that VM, because it is where they are actually enforced.

kali > sys-firewall > sys-net > router > modem > ISP > website (simplified)

In the simplified setup above, if rules are applied only for the sys-firewall with the kalivm unchanged (accept all postrouting/forwarded connections) then since the rules are enforced at the sys-net, there might exist a slight risk of kali being able to communicate with another machine (suppose an ubuntu) that also happens to connect to the sys-firewall. sys-firewall forward chain is set to drop in sys-firewall, but again i did not say that risk is huge, it honestly is minimal but i believe that it exists and this script blocks not only LAN but also access to the router too.

SUPER IMPORTANT WARNING:If the LAN IPs are exposed to a an appVM even for once, you have to block all access to the LAN and then restart the appVM and its netVM/connection pathways. Because otherwise the rules may not apply for unknown reasons. sys-firewall's default nftables chains show no "ct state established,related" kind of a command that may signal this with the policy accept. Postrouting chains are clear of such a flag even if it has a policy accept option. I personnaly don't know why this happens.