Add support for Qubes firewall profiles/rulesets #9205
Labels
C: networking
P: default
Priority: default. Default priority for new issues, to be replaced given sufficient information.
T: enhancement
Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
The problem you're addressing (if any)
It's a common situation where you'll have multiple qubes that should have the same firewall rules.
For example:
Right now we have two options:
This way you can have a single sys-firewall to enforce the rules for all qubes.
But if you need to change the firewall rules later, e.g. add another local subnet to the allowed connections, then you'll have to manually edit all the qubes' firewall rules to add this new rule change.
This is cumbersome.
This way you'll have two sys-firewall qubes, so it'll consume more system resources compared with the first option.
But this way editing firewall rules will be more convenient.
The solution you'd like
I suggest adding a feature to Qubes firewall so it'll be possible to create profiles/rulesets and use them to set the qube's firewall rules.
E.g. create profile allow-lan-ruleset with these rules:
And then select this profile for the qube to use.
This way you can edit this profile later and the changes will be propagated to all the qubes automatically.
Maybe also consider not only selecting the firewall rules profile but also using these rulesets as parts of a qube's firewall rules, e.g. to be able to set qube firewall rules to be:
The value to a user, and who that user might be
The user can easily and more flexibly manage the qubes' firewall rules.
Related forum topic:
https://forum.qubes-os.org/t/chaining-sys-firewalls-vs-duplicating-firewalling-rules-on-many-qubes/26351
Completion criteria checklist
(This section is for developer use only. Please do not modify it.)
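A sketch of the profile semantics requested above, added here as an example; it is not part of the issue and not Qubes code. The `@name` reference syntax, the profile and qube names, and the addresses are assumptions constructed for illustration; the only existing interface used is `qvm-firewall <qube> add` with `key=value` rules.

```python
import shlex

# Constructed sample data: profile names, subnets and qube names are assumptions.
PROFILES = {
    "allow-dns-ruleset": ["action=accept specialtarget=dns"],
    "allow-lan-ruleset": ["action=accept dsthost=192.168.0.0/16"],
    "office-ruleset": ["@allow-dns-ruleset", "@allow-lan-ruleset"],
}
QUBES = {
    "work": ["@office-ruleset",
             "action=accept dsthost=203.0.113.10 proto=tcp dstports=443",
             "action=drop"],
    "printing": ["@allow-lan-ruleset", "action=drop"],
    "vault": ["action=drop"],
}

def expand(entries, profiles, seen=()):
    """Flatten a rule list: '@name' entries become that profile's rules, in order."""
    rules = []
    for entry in entries:
        if not entry.startswith("@"):
            rules.append(entry)          # literal rule, kept in place
            continue
        name = entry[1:]
        if name in seen:                 # a profile that includes itself
            raise ValueError(f"profile cycle through {name!r}")
        if name not in profiles:
            raise KeyError(f"unknown profile {name!r}")
        rules.extend(expand(profiles[name], profiles, seen + (name,)))
    return rules

def effective_rules(qubes, profiles):
    """Per-qube flat rule lists, as a single sys-firewall would enforce them."""
    return {qube: expand(entries, profiles) for qube, entries in qubes.items()}

def changed_qubes(before, after):
    """Qubes whose effective rules differ after a profile edit."""
    return sorted(q for q in after if before.get(q) != after[q])

def as_commands(qube, rules):
    """Render rules as qvm-firewall 'add' invocations (rules appended in order)."""
    return [shlex.join(["qvm-firewall", qube, "add", *rule.split()]) for rule in rules]

if __name__ == "__main__":
    before = effective_rules(QUBES, PROFILES)
    edited = dict(PROFILES)              # one edit: add a second local subnet
    edited["allow-lan-ruleset"] = PROFILES["allow-lan-ruleset"] + [
        "action=accept dsthost=10.0.0.0/8"]
    after = effective_rules(QUBES, edited)
    for qube in changed_qubes(before, after):
        print("\n".join(as_commands(qube, after[qube])))
```

The rendered commands only append rules; clearing a qube's previous rule list before applying them is left out of this sketch.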