opened 04:10PM - 01 Oct 22 UTC
closed 07:14PM - 01 Oct 22 UTC
T: bug
P: default
R: not a bug
### Qubes OS release
R4.1
### Brief summary
When a VM is has option `pr…ovides network`, Qubes automatically enables IP forwarding.
### Steps to reproduce
Enable `provides network` in QVMM.
`cat /proc/sys/net/ipv4/ip_forward`
### Expected behavior
`0` - IP forwarding disabled.
### Actual behavior
`1` - IP forwarding enabled.
### Rationale
Instructions to setup Qubes sys-vpn VMs as well as VPN packages are difficult for users to set up.
When following [these Qubes VPN instructions](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md) and simply forgetting to edit `/rw/config/rc.local`, the setup does nothing. The user won't be using the VPN. That would result in a leak, in an unexpected connection over clearnet that was expected to be routed over the VPN.
Also `/rw/config/rc.local` does not seem to be a safe mechanism to configure such scripts as networking might be up and functional before any scripts run from `/rw/config/rc.local` (firewall, vpn) have completed. Meanwhile, there could be leaks.
To avoid leaks, it would be much safer if IP forwarding was disabled by default. Then how could users use some specific things that require it? In these cases, for example in case of above linked instructions, it would be up the these instructions / the scripts to enable IP forwarding should that be required. That documentation / scripts should do so after the firewall has been load.
### Impact on Qubes-Whonix
This is primarily a general Qubes bug report. I.e. unspecific to Whonix.
The impact on Whonix is currently very little because Whonix explicitly ships a config that disabled IP forwarding as well as systemcheck checks if IP forwarding is disabled and would show a warning if it was accidentally enabled. However for defense in depth, it would be much better if Qubes would stick with Linux's default, which is to have IP forwarding disabled by default.