From e9e65f7da15decab7385f6bde8addacbf8f3cbd0 Mon Sep 17 00:00:00 2001 From: "Manuel Amador (Rudd-O)" Date: Tue, 6 Feb 2024 03:54:08 +0000 Subject: [PATCH] Improve documentation some more. --- README.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 05dee38..421d4db 100644 --- a/README.md +++ b/README.md @@ -38,15 +38,18 @@ connectivity for ProxyVMs and other user VMs alike. No provision is made for running a server in a virtualized environment, such that the server's ports are accessible by (a) other VMs (b) machines -beyond the perimeter of the NetVM. To the extent that such a thing is -possible, it is only possible by painstakingly maintaining firewall rules -for multiple VMs, which need to carefully override the existing firewall -rules, and require careful thought not to open the system to unexpected -attack vectors. The Qubes OS user interface provides no help either. +beyond the perimeter of the NetVM. By default, firewall rules in NetVMs +prevent traffic from reaching any VM attached to them. Furthermore, even +with custom, permissive firewall rules, the IP addresses of VMs attached +to any NetVM are not visible "on the other side of the NetVM", so firewall +rules can only help with something like DNAT. Finally, such custom firewalls +require careful thought not to open the system to unexpected attack vectors. +The Qubes OS user interface provides no means to set this up either. ### The Qubes network server networking model -Qubes network server builds on that. +Qubes network server builds on the Qubes security model and enhances it +to optionally permit traffic to user VMs. ![Qubes network server model](./doc/Qubes%20network%20server%20model.png) 
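Review bot: The new closing sentence "enhances it to optionally permit traffic to user VMs" should say "inbound traffic" (or "inbound connections"), since outbound traffic from user VMs is already permitted under the default model described in the surrounding text and the feature being documented is specifically about reaching a server in a VM. Two smaller wording points in the same hunk: "the IP addresses of VMs attached to any NetVM are not visible "on the other side of the NetVM"" would be clearer as "are not reachable from the NetVM's upstream network", and "firewall rules can only help with something like DNAT" leaves the reader guessing what is actually required; suggest stating plainly that inbound connections have to be DNATed by the NetVM to the target VM's internal address on top of permissive forwarding rules, which is the point the next sentence about "unexpected attack vectors" builds on.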
@@ -55,7 +58,8 @@ network servers in user VMs available to other machines, be them peer VMs in the same Qubes OS system or machines connected to a physical link shared by a NetVM. Those network server VMs also obey the Qubes OS outbound firewall rules controls, letting you run -services with outbound connections restricted. +services with outbound connections restricted using the standard Qubes OS +firewall system. This is all, of course, opt-in, so the standard Qubes OS network security model remains in effect until you decide to enable the feature on any
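Review bot: The added clause "restricted using the standard Qubes OS firewall system" largely repeats "obey the Qubes OS outbound firewall rules controls" from the unchanged line two above in this hunk; suggest keeping the new clause and simplifying the earlier sentence to "Those network server VMs also obey the Qubes OS outbound firewall rules, letting you run services with outbound connections restricted using the standard Qubes OS firewall system." While touching this paragraph, the context line "be them peer VMs in the same Qubes OS system" should read "be they peer VMs" (or "whether they are peer VMs"), which fits the same documentation pass.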