qubes-mirage-firewall 0.4


Thomas Leonard

Dec 19, 2017, 2:05:34 PM
to qubes-users
I'd like to announce the release of qubes-mirage-firewall 0.4:

https://github.com/talex5/qubes-mirage-firewall/releases/tag/v0.4

This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall, are worried about possible attacks against Linux's C net-front code, or just like playing with unikernels.


Changes since 0.3:

- Add support for HVM guests (needed for Qubes 4). I don't use Qubes 4 myself yet, but other people have said it works now for them. Note that the firewall itself must still have virt_mode set to 'pv'.

- Add support for disposable VMs.

- Drop frames if an interface's queue gets too long.

- Show (log) the packet when failing to add a NAT rule. The previous message was just: WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet


For installation instructions, see:

https://github.com/talex5/qubes-mirage-firewall/blob/master/README.md

For a blog post explaining the background for this, with a walk-through of the code, see:

http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

Foppe de Haan

Dec 19, 2017, 5:12:20 PM
to qubes-users

Thanks, will probably try it out later this week. :)

donoban

Dec 20, 2017, 4:05:08 PM
to qubes...@googlegroups.com
On 12/19/2017 08:05 PM, Thomas Leonard wrote:
> I'd like to announce the release of qubes-mirage-firewall 0.4:
>
> https://github.com/talex5/qubes-mirage-firewall/releases/tag/v0.4
>
> This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall, are worried about possible attacks against Linux's C net-front code, or just like playing with unikernels.
>

Hi,

I am thinking of testing it but I have no idea about unikernels and OCaml.

If I'm not wrong, you have to configure the rules for the firewall before
building the kernel image? Once you start it you have no way to change
rules?

I don't know if I will have success with it and use it but thanks for
your effort.

donoban

Dec 20, 2017, 4:51:36 PM
to qubes...@googlegroups.com
From https://github.com/talex5/qubes-mirage-firewall

"You can use any template, and make it standalone or not. It doesn’t
matter, since we don’t use the hard disk."

Well, in fact it matters: if you select standalone the template will be
copied, wasting some space...

Thomas Leonard

Dec 21, 2017, 5:13:21 AM
to qubes-users
On Wednesday, December 20, 2017 at 9:05:08 PM UTC, donoban wrote:
> On 12/19/2017 08:05 PM, Thomas Leonard wrote:
> > I'd like to announce the release of qubes-mirage-firewall 0.4:
> >
> > https://github.com/talex5/qubes-mirage-firewall/releases/tag/v0.4
> >
> > This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall, are worried about possible attacks against Linux's C net-front code, or just like playing with unikernels.
> >
>
> Hi,
>
> I am thinking on testing it but I have no idea about unikernels and OCaml.
>
> If I'm not wrong, you have to configure the rules for the firewall before
> building the kernel image? Once you start it you have no way to change
> rules?

Yes. With Qubes 4, it should be possible to update the rules at runtime from QubesDB (see https://github.com/talex5/qubes-mirage-firewall/issues/24), but that isn't implemented yet.

Holger Levsen

Dec 21, 2017, 7:28:15 AM
to donoban, qubes...@googlegroups.com
On Wed, Dec 20, 2017 at 10:04:57PM +0100, donoban wrote:
> If I'm not wrong, you have to configure the rules for the firewall before
> building the kernel image? Once you start it you have no way to change
> rules?

Yes, this is true currently. But then I have been using Qubes for nearly
a year without modifying the rules in sys-firewall, and now I have been
using qubes-mirage-firewall for two weeks with just the default rules
and am happy as well.

there is also
https://github.com/cfcs/qubes-mirage-firewall/commits/user_supplied_rules
though that's more of PoC quality atm.

tl;dr: give qubes-mirage-firewall a try with the default rules.


--
cheers,
Holger
Thomas Leonard

Dec 21, 2017, 10:02:30 AM
to qubes-users
[ replying to list ]

On 21 December 2017 at 11:25, donoban <don...@riseup.net> wrote:
> Interesting...
>
> I had no idea about unikernels, MirageOS or OCaml. I was pretty
> disappointed because how to configure it was pretty hard to understand
> and some tests reported more CPU usage than the standard sys-firewall.

That's quite possible. I only have a regular (fibre) home broadband
connection, so speed of the firewall isn't an issue for me.
The default build doesn't enable many compiler optimisations. If you
need more performance, you could try building with an "flambda" build
of the OCaml compiler - that enables a load of extra optimisations. To
do that, replace the FROM line in the Dockerfile with:

FROM ocaml/opam:debian-9_ocaml-4.05.0_flambda

Then delete the "_build" directory and rebuild.

> However
> I took two hours or more reading your blog, I realized how interesting
> the idea is and I went to sleep thinking on how to do mirage-firewall
> configurable.
>
> First I thought of a configuration file, but since there is no hard disk
> I realized the rules should be in memory. I don't know much of anything
> about OCaml, but I thought there should be something similar to arrays
> for storing them in memory.

Mirage has block drivers available, so you could read from a disk if
you want. As Holger Levsen mentioned, there is also a proof-of-concept
version that reads JSON rules from the modules.img file. However, it
would seem more sensible to make use of the new rules format in Qubes
4 in the longer term.

(and yes, OCaml does have arrays)

> I was thinking of doing some kind of function for passing the rules via
> qrexec or directly the Xen console. I want to have compatibility with
> the current Qubes 3.2 GUI, so I was thinking of doing some parser which
> runs on dom0, reads firewall.xml files and passes them to mirage-firewall.
>
> I work mainly on C# and C++. I wrote Perl and some Python years ago. I
> did something in Lisp during my degree but I suppose that I don't remember
> anything. Maybe OCaml is pretty hard but I'm decided to try it.

OCaml's syntax often confuses people at first, but it's fairly simple
after that. I'm fairly sure it's easier to learn than C++ or Perl,
anyway!

> I've tested Qubes 4, it worked for me but I felt pretty soon for use it
> daily so I switched to Qubes 3.2. I would prefer to make mirage-firewall
> configurable for Qubes 3.2 but easy to add on Qubes 4.
>
> This is what I have on mind:
>
> - Some kind of struct/object for storing firewall rules in memory
> - A func which parses this rules object for a packet
> - A func for adding/deleting/flushing rules (called from qrexec, the Xen
> console or QubesDB)
>
> What do you think?

Sounds reasonable.


--
talex5 (GitHub/Twitter) http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D 6A51 7513 3C8F 94F6 E0CC

donoban

Dec 21, 2017, 4:03:56 PM
to qubes...@googlegroups.com
On 12/21/2017 04:02 PM, Thomas Leonard wrote:
>> This is what I have on mind:
>>
>> - Some kind of struct/object for storing firewall rules in memory
>> - A func which parses this rules object for a packet
>> - A func for adding/deleting/flushing rules (called from qrexec, the Xen
>> console or QubesDB)
>>
>> What do you think?
>
> Sounds reasonable.
>
>

Ok, I will try to study OCaml and both your code and the
user_supplied_rules fork this weekend.

Roy Bernat

Dec 22, 2017, 2:20:13 PM
to qubes-users

Hi All

I tried to install mirage-firewall following the Readme and didn't succeed
in running the mirage firewall.

error : libxenlight failed to create new domain log

2017-12-22 19:13:01.320+0000: libxl: libxl_device.c:1235:device_hotplug_child_death_cb: script: Device /dev/mapper/snapshot-fd01:25956374-fd01:25956356-fd01:26346316 does not exists error

Any help?

donoban

Dec 22, 2017, 4:51:29 PM
to qubes-users



> Hi All
>
> I tried to install mirage-firewall following the Readme and didn't
> succeed
> in running the mirage firewall.
>
> error : libxenlight failed to create new domain log
>
> 2017-12-22 19:13:01.320+0000: libxl:
> libxl_device.c:1235:device_hotplug_child_death_cb: script: Device
> /dev/mapper/snapshot-fd01:25956374-fd01:25956356-fd01:26346316 does not
> exists error
>
> Any help?

Do you get this when you try to start your mirage VM? Could you describe how you created it?

Roy Bernat

Dec 22, 2017, 4:59:24 PM
to qubes-users

Followed the Readme: put the files inside /var/lib/qubes/vm-kernels/, created an AppVM with 32 MB and 1 CPU, chose the mirage kernel, and tried to start it.

Am I doing something wrong?

I am using Qubes 4 rc3

R

donoban

Dec 22, 2017, 6:16:24 PM
to qubes...@googlegroups.com
Maybe it is Qubes 4 related, I've only tested in 3.2. Did you switch virt mode to pv?

Roy Bernat

Dec 23, 2017, 3:43:08 AM
to qubes-users
Hi

There is only HVM on Qubes 4.

It should also work on version 4. That is what the new release was all about.

Reynir Björnsson

Dec 23, 2017, 4:23:39 AM
to qubes-users
Hi,

I have been using the following script to create mirage qubes on R4-rc3.

#!/bin/sh
# Usage (in dom0): create-mirage-vm NAME COLOR KERNEL MEMORY_MB
vm_name=$1   # qube name, e.g. mirage-firewall
color=$2     # qvm-create label colour, e.g. green
kernel=$3    # kernel directory name under /var/lib/qubes/vm-kernels/
memory=$4    # memory in MB; also used as maxmem

setpref () {
    qvm-prefs --set "$vm_name" "$1" "$2"
}

qvm-create --label "$color" "$vm_name"
setpref virt_mode pv        # the unikernel must run as a PV guest
setpref kernel "$kernel"
setpref kernelopts ""
setpref memory "$memory"
setpref maxmem "$memory"
setpref vcpus 1

Roy Bernat

Dec 24, 2017, 6:57:31 AM
to qubes-users
Hi

Doesn't seem to work for me.

Ideas ?

R

donoban

Dec 24, 2017, 9:24:37 AM
to qubes...@googlegroups.com
On 12/24/2017 12:57 PM, Roy Bernat wrote:
>
> Hi
>
> Doesn't seem to work for me.
>
> Ideas ?
>
> R
>

Could you paste your 'qvm-prefs mirage-firewall' output?

Roy Bernat

Dec 25, 2017, 2:20:02 AM
to qubes-users

autostart D False
backup_timestamp D
debug - False
default_dispvm D fedora-25-dvm
default_user D user
gateway D
gateway6 D
include_in_backups D True
installed_by_rpm D False
ip D 10.137.0.33
ip6 D
kernel - mirage-firewall
kernelopts D nopat
klass D AppVM
label - green
mac D
maxmem - 320
memory - 32
name - mirage-firewall
netvm - sys-net
provides_network - False
qid - 33
qrexec_timeout D 60
stubdom_mem U
stubdom_xid D -1
template - fedora-26-minimal
template_for_dispvms D False
updateable D False
uuid - 378b816e-b7bf-4ec3-a22a-03218cc433bd
vcpus - 1
virt_mode - pv
visible_gateway D 10.137.0.5
visible_gateway6 D
visible_ip D 10.137.0.33
visible_ip6 D
visible_netmask D 255.255.255.255
xid D -1

Roy Bernat

Dec 29, 2017, 3:51:47 AM
to qubes-users

Someone ???

ra...@ralphdouglass.com

Dec 30, 2017, 6:46:25 AM
to qubes-users

Try changing provides_network:

$ qvm-prefs mirage-firewall provides_network True

ra...@ralphdouglass.com

Dec 30, 2017, 8:51:14 AM
to qubes-users
Here's a script that should do the trick (run in dom0):

$ cat create-mirage-firewall-vm
#!/bin/bash

qvm-create \
    --property kernel=mirage-firewall \
    --property kernelopts=None \
    --property memory=32 \
    --property maxmem=32 \
    --property netvm=sys-net \
    --property provides_network=True \
    --property vcpus=1 \
    --property virt_mode=pv \
    --label=red \
    --class StandaloneVM \
    mirage-firewall
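As an added example, not from the thread or the qubes-mirage-firewall project: a dom0-side check that reads `qvm-prefs` output and flags the properties this thread found a mirage-firewall qube needs (virt_mode pv from the release notes, provides_network True from the fix that worked, kernel and vcpus from both creation scripts). The property list, the function name and the cut-down sample listing are assumptions.

```shell
#!/bin/sh
# Added example: check `qvm-prefs` output for the settings this thread
# converged on. Not part of qubes-mirage-firewall itself.
# Usage in dom0:  qvm-prefs mirage-firewall | check_mirage_prefs

# Assumed minimum set of required properties, taken from the thread:
#   virt_mode pv, provides_network True, kernel mirage-firewall, vcpus 1
check_mirage_prefs() {
    # qvm-prefs prints one line per property: <name> <source flag D/-/U> <value>
    while read -r name _flag value; do
        case "$name" in
            virt_mode)        want=pv ;;
            provides_network) want=True ;;
            kernel)           want=mirage-firewall ;;
            vcpus)            want=1 ;;
            *) continue ;;    # properties this check does not care about
        esac
        if [ "$value" != "$want" ]; then
            echo "$name: expected $want, got ${value:-<unset>}"
        fi
    done
}

# Constructed sample, cut down from the qvm-prefs listing posted in the
# thread for the VM that would not start.
SAMPLE_PREFS='kernel - mirage-firewall
kernelopts D nopat
maxmem - 320
memory - 32
netvm - sys-net
provides_network - False
vcpus - 1
virt_mode - pv'

# Stand-alone run prints the single mismatch the suggested fix addressed:
#   provides_network: expected True, got False
printf '%s\n' "$SAMPLE_PREFS" | check_mirage_prefs
```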

Roy Bernat

Dec 30, 2017, 1:20:17 PM
to qubes-users

Great, it is working.

Thanks to all
