On Mon, Jul 12, 2021 at 11:02:51AM +0000, Michael Singer wrote:
> Dear Qubes community,
>
> I am interested in your ideas on how you would set up a Qube as secure as
> possible to connect to a single ordinary internet site (not a VPN network)
> accessed directly via its IP address.
>
> My ideas are:
>
> 1) Edit the Qube's firewall via dom0 as follows:
>
> $dom0: qvm-firewall NAME-OF-QUBE del --rule-no 0
> $dom0: qvm-firewall NAME-OF-QUBE add --before 0 drop
> $dom0: qvm-firewall NAME-OF-QUBE add --before 0 accept 127.127.127.127/32 proto=tcp 443
>
> 2) Go into the dom0-Qube settings and turn on the disable-dns-server service.
>
> With these two settings, there should really be no DNS traffic anymore, right?
>
> What else would you do?
>
> Best wishes
> Michael Singer
These are good.

Disable all unnecessary services in the qube - that means almost all of them.

Change the nft/iptables configuration on the qube itself - note that you can do this in `/rw/config/rc.local` but that is processed after the network comes up. You want to allow only outbound lo and to your target.

Remove/overwrite /etc/resolv.conf.

You can also create an alias in /etc/hosts to avoid typing out the full IP address.
