-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 11/01/2017 12:38 PM, ludwig jaffe wrote:
> Hi, I found an interesting approach of having a small unikernel
> firewall that does not eat up too much RAM, especially useful for
> a laptop; and also, as there is a different IP stack than in Linux,
> one has an advantage against common errors. It would be nice to have
> the MirageOS-based firewall as an install option, by downloading
> a signed template with a tested MirageOS-based firewall.
>
> Is there anyone who has experience with it? I would like to try it
> and help developing it further. Who else wants?
>
> Cheers,
>
> Ludwig
Hi,
I discovered it when talex released the last version. I am trying to store
rules dynamically in memory (which seems nearly achieved) and make them
compatible with Qubes firewall management (which seems to be the hard part).
I just rewrote the hard-coded firewall rules as a list of rules which
can be parsed by the firewall (except blocking traffic between VMs, which
is still hard-coded).
What I don't know yet is how to handle QubesDB updates and parse them.
It does not seem too difficult, but this is my first contact with OCaml :)
If you want, take a look:
https://github.com/donob4n/qubes-mirage-firewall
It's nearly useless yet (compared to the original version), unless you find
it easier to define rules in the list format:
{ src = None; dst = Some `NetVM; sport = None; dport = None; proto = None; action = `NAT };
'None' is equivalent to 'ANY', and if you define some field you must
add 'Some', since rule fields are defined as 'option'.
Also, you should check cfcs's version:
https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules
It uses a modules.img file to store the rules. More flexible than talex's
version, since you don't need to rebuild, but I think you need to reboot
the VM to apply new rules. It uses BSD PF format:
https://github.com/cfcs/qubes-mirage-firewall/blob/user_supplied_rules/RULES.JSON
I will try to find some time and make progress on it, at least to learn
some OCaml and Qubes internals.
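The rule-list format discussed in the message above, as an added example that is not code from donob4n's, cfcs's or talex's qubes-mirage-firewall: a matcher that treats None as "any" for each option field and evaluates rules first-match-wins with a fail-closed default. Only the field names and the `NetVM / `NAT constructors come from the message; the other host, proto and action constructors, the packet record, and the default-drop policy are assumptions made for this illustration.

```ocaml
(* Added example, not from the qubes-mirage-firewall forks named in the
   message. Field names and the `NetVM / `NAT constructors are taken from
   the quoted rule; everything else is assumed for illustration. *)

type host = [ `NetVM | `Client of int ]   (* assumed: client VMs keyed by an int *)
type proto = [ `TCP | `UDP | `ICMP ]      (* assumed protocol set *)
type action = [ `Accept | `Drop | `NAT ]  (* assumed; `NAT is from the message *)

(* Rule record in the shape quoted in the message: None means "any". *)
type rule = {
  src : host option;
  dst : host option;
  sport : int option;
  dport : int option;
  proto : proto option;
  action : action;
}

(* Minimal packet summary; an assumed shape for this example. *)
type packet = {
  p_src : host;
  p_dst : host;
  p_sport : int;
  p_dport : int;
  p_proto : proto;
}

(* None matches anything; Some v matches only v. *)
let matches_opt opt v = match opt with None -> true | Some x -> x = v

let rule_matches r p =
  matches_opt r.src p.p_src
  && matches_opt r.dst p.p_dst
  && matches_opt r.sport p.p_sport
  && matches_opt r.dport p.p_dport
  && matches_opt r.proto p.p_proto

(* First matching rule wins. With no match the packet is dropped, so an
   empty or incomplete rule list fails closed rather than open. *)
let decide rules p =
  match List.find_opt (fun r -> rule_matches r p) rules with
  | Some r -> r.action
  | None -> `Drop

(* Constructed rule list: block outbound SMTP first, then NAT everything
   else that is headed for the NetVM (the rule quoted in the message). *)
let rules = [
  { src = None; dst = Some `NetVM; sport = None; dport = Some 25;
    proto = Some `TCP; action = `Drop };
  { src = None; dst = Some `NetVM; sport = None; dport = None;
    proto = None; action = `NAT };
]

let show = function `Accept -> "Accept" | `Drop -> "Drop" | `NAT -> "NAT"

let () =
  (* Constructed packets: HTTPS to the NetVM is NAT-ed, SMTP is dropped by
     the earlier rule, and traffic to another client VM hits the default. *)
  let https = { p_src = `Client 1; p_dst = `NetVM; p_sport = 40000;
                p_dport = 443; p_proto = `TCP } in
  let smtp  = { https with p_dport = 25 } in
  let vm2vm = { https with p_dst = `Client 2 } in
  List.iter
    (fun (name, pkt) -> Printf.printf "%s -> %s\n" name (show (decide rules pkt)))
    [ ("https", https); ("smtp", smtp); ("vm-to-vm", vm2vm) ]
```

Ordering matters here exactly as it does with the hard-coded rules: the SMTP drop only works because it precedes the wildcard NAT rule, so a loader that reads rules from memory or from QubesDB must preserve list order, and the default-drop branch is what keeps an empty or half-parsed list from passing everything.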