[Contribution] qubes-network-topology #2575
Comments
@Zrubi, would you be willing to package your contribution following our new package contribution procedure? |
Commenting to get this on my radar. @andrewdavidwong mind adding the UX tag to this? Seems like a nice add-on feature to a future redesign of Qubes Manager. |
Added! |
@ninavizz I also have some thoughts on this. For example, I've identified it as a trend users misunderstanding the purpose of |
@deeplow There's a separate issue I'd like to file to also create a new feature to give users insight into their hardware, w/o requiring CLI things. Like, I really need that info to know if I can upgrade my memory, what my storage situation is, and what my monitor support options are. I'll be creating a ticket for that, separately, but this feels like it'd fit perfectly into that. @marmarek could we pull the |
Yup. Exactly. I think this is one big security issue due to end-user misconfiguration caused to lack of awareness of the purpose of Correct:
Incorrect:
Otherwise there will be no network firewall isolation between VMs. But I need to do some more reading on this as well. |
On 12/31/20 12:28 AM, deeplow wrote:
> @deeplow <https://github.com/deeplow> |sys-net| isn't what I connect
> through?? Good to know!
>
> Yup. Exactly. I think this is one big security issue due to end-user
> misconfiguration due to lack of awareness of the purpose of
> |sys-firewall|. As far as I understand it AppVMs should be connected to
> like this:
>
> *Correct:*
> * |sys-net| <- |sys-firewall| <- |work|
> * |sys-net| <- |sys-firewall| <- |sys-vpn| <- |work|
>
> *Incorrect:*
> * |sys-net| <- |work|
> * |sys-net| <- |sys-vpn| <- |work|
>
> Otherwise there will be no network firewall isolation between VMs. But I
> need to do some more reading on this as well.

I would argue with this statement.
sys-firewall is just an example.
A default firewall VM created by the installer.
But you - or maybe just the geeks? :) - can run the same services -
including firewall - in any proxy vm.
So in practice, you can run the same services in your "sys-vpn" - or
whatever you call it. Then there will be NO security degradation, but
you just save an extra NAT and an extra VM with all its resource needs.
If you completely skip the firewall, then you are right, one may 'miss'
the firewall services.
But in practice, you should do it on purpose, with your own reasons.
--
Zrubi
|
Advanced users understand what they are doing and know which warnings they can dismiss. There is no need to protect those users. The key goal here would be to prevent less technical users from shooting themselves in the foot. |
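
An added example, not part of the thread and not taken from Zrubi's PoC or from Qubes code: a small audit that walks each qube's netvm chain and reports end-user qubes whose path to the network passes through no firewall-providing qube. The netvm mapping is constructed sample data, the qube names `personal` and `vault` and the `firewall_qubes` parameter are assumptions for illustration, and the parameter lets a user declare another proxy VM (such as `sys-vpn`) as the one that provides the firewall.

```python
# Constructed sample: qube name -> its netvm (None = no upstream network).
# "personal" and "vault" are hypothetical names added for this example.
SAMPLE_NETVMS = {
    "sys-net": None,
    "sys-firewall": "sys-net",
    "sys-vpn": "sys-firewall",
    "work": "sys-vpn",
    "personal": "sys-net",
    "vault": None,
}


def chain(qube, netvms):
    """Return the path from a qube up to its top-level net qube."""
    path = [qube]
    while netvms.get(path[-1]) is not None:
        upstream = netvms[path[-1]]
        if upstream in path:  # misconfigured loop: stop instead of spinning
            raise ValueError("netvm loop: " + " <- ".join(path + [upstream]))
        path.append(upstream)
    return path


def audit(netvms, firewall_qubes=("sys-firewall",)):
    """Map each networked end-user qube with no firewall qube upstream
    to its chain, written in the thread's 'sys-net <- ... <- qube' form."""
    providers = {n for n in netvms.values() if n is not None}
    findings = {}
    for qube in sorted(netvms):
        if qube in providers:
            continue  # serves as a netvm for others, not an end-user qube
        path = chain(qube, netvms)
        if len(path) == 1:
            continue  # offline qube, nothing to check
        if not set(path[1:]) & set(firewall_qubes):
            findings[qube] = " <- ".join(reversed(path))
    return findings


if __name__ == "__main__":
    for qube, path in audit(SAMPLE_NETVMS).items():
        print(f"warning: {qube} has no firewall qube upstream: {path}")
```
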
Another alternative https://github.com/hexstore/qubes-proxy |
Community Dev: @Zrubi
PoC: https://gist.github.com/Zrubi/6229d5400bde987b1aa8da516553b909
Several users over the years have requested a feature that allows them to visualize the topography of their VMs in the form of a graph, and some of our users have even developed tools that accomplish these. We should consider selecting and integrating one of these tools into Qubes.
Discussion threads: