unikernel-firewall: anyone tried this / anyone who wants to help / already HVM template to download?


ludwig jaffe

Nov 1, 2017, 7:38:40 AM
to qubes-users
Hi, I found an interesting approach: a small unikernel firewall
that does not eat up too much RAM, especially useful for a laptop. Also,
as it has a different IP stack than Linux, one has an advantage against
common errors:
(if there is a flaw in the Linux kernel it affects sys-net and sys-firewall;
if there is a flaw in the unikernel firewall it only affects the firewall; and if
there is a flaw in the kernel then it affects sys-net and not sys-firewall!)

look here for the project:
http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
https://github.com/talex5/qubes-mirage-firewall.git


would be nice to have the mirage-os based firewall as an install option,
by downloading a signed template with a tested mirage-os based firewall.

Is there anyone who has experience with it?
I would like to try it and help developing it further. Who else wants?

Cheers,

Ludwig


ludwig jaffe

Nov 1, 2017, 8:39:39 AM
to qubes-users

Hi,

I tried it and it works!
Install docker in fedora-25; I have a development VM here based on fedora-25.
Then run the docker script and wait a long time. It downloads a lot of stuff.
Also I had OCaml preinstalled on my fedora-25 before, but maybe it is not required
as the docker script pulls it all.
Then follow the README to deploy the tar.bz2 archive and to build the proxy VM.

So let's test it and play around.
If you trust me, you can play around with my tar.bz2 archive.

Cheers,

Ludwig

md5sum mirage-firewall.tar.bz2
62f7e10a81c80f45bb886b6f0c8c1aaf

mirage-firewall.tar.bz2
README.md

donoban

Feb 10, 2018, 4:45:41 PM
to qubes...@googlegroups.com
On 11/01/2017 12:38 PM, ludwig jaffe wrote:
> Hi I found an interesting approach of having a small unikernel
> firewall, that does not eat up too much RAM, especially useful for
> a laptop and also as there is a different ip-stack than in Linux
> one has an advantage against common errors: would be nice to have
> the mirage-os based firewall as an install option, by downloading
> a signed template with a tested mirage-os based firewall.
>
> Is there anyone who has experience with it? I would like to try it
> and help developing it further. Who else wants?
>
> Cheers,
>
> Ludwig


Hi,

I discovered it when talex released the last version. I am trying to store
rules dynamically in memory (which seems nearly achieved) and make it compatible
with Qubes firewall management (which seems the hard part).

I just rewrote the hard-coded firewall rules as a list of rules which
can be parsed by the firewall (except blocking traffic between VMs, which
is still hard-coded).

What I don't know yet is how to handle QubesDB updates and parse them.
It does not seem too difficult, but this is my first contact with OCaml :)

If you want, take a look at https://github.com/donob4n/qubes-mirage-firewall

It's nearly useless yet (compared to the original version) unless you find
it easier to define rules in the list format:

{ src = None; dst = Some `NetVM; sport = None; dport = None; proto = None; action = `NAT };

'None' is equivalent to 'ANY', and if you define some field you must
add 'Some' since rule fields are defined as 'option'.

Also you should check cfcs version:
https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules

It uses a modules.img file to store the rules. More flexible than talex's
version since you don't need to rebuild, but I think you need to reboot
the VM to apply new rules. It uses BSD PF format:
https://github.com/cfcs/qubes-mirage-firewall/blob/user_supplied_rules/RULES.JSON

I will try to get some time and progress on it. At least to learn
some OCaml and Qubes internals.
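To make the 'None = ANY' / 'Some = exact match' semantics of the rule list format concrete, here is a small added OCaml example (not code from donob4n's or talex5's repository): it evaluates constructed sample packets against a rule list using first-match semantics. The packet record, the `Drop default, the `Ip host variant and the sample rules beyond the one quoted in the post are assumptions made for illustration.

```ocaml
(* Added example, not from the qubes-mirage-firewall project.
   Only the rule record shape follows the post; everything else is assumed. *)

type host = [ `Client | `NetVM | `Ip of string ]
type proto = [ `TCP | `UDP | `ICMP ]
type action = [ `Accept | `Drop | `NAT ]

type rule = {
  src : host option;    (* None means ANY, as described in the post *)
  dst : host option;
  sport : int option;
  dport : int option;
  proto : proto option;
  action : action;
}

(* Assumed packet representation; the real firewall works on parsed frames. *)
type packet = { p_src : host; p_dst : host; p_sport : int; p_dport : int; p_proto : proto }

(* A None field matches any value; Some x matches only x. *)
let field_matches opt v = match opt with None -> true | Some x -> x = v

let rule_matches r p =
  field_matches r.src p.p_src
  && field_matches r.dst p.p_dst
  && field_matches r.sport p.p_sport
  && field_matches r.dport p.p_dport
  && field_matches r.proto p.p_proto

(* First matching rule wins; an assumed default applies when nothing matches. *)
let classify ?(default = `Drop) rules p =
  match List.find_opt (fun r -> rule_matches r p) rules with
  | Some r -> r.action
  | None -> default

let rules = [
  (* the rule quoted in the post: anything headed for the NetVM is NATed *)
  { src = None; dst = Some `NetVM; sport = None; dport = None; proto = None; action = `NAT };
  (* assumed extra rule: allow DNS over UDP to any destination *)
  { src = None; dst = None; sport = None; dport = Some 53; proto = Some `UDP; action = `Accept };
]

let () =
  (* constructed sample packets *)
  let to_netvm = { p_src = `Client; p_dst = `NetVM; p_sport = 40000; p_dport = 443; p_proto = `TCP } in
  let dns = { p_src = `Client; p_dst = `Ip "10.137.0.1"; p_sport = 40001; p_dport = 53; p_proto = `UDP } in
  let other = { p_src = `Client; p_dst = `Ip "10.137.0.5"; p_sport = 40002; p_dport = 22; p_proto = `TCP } in
  assert (classify rules to_netvm = `NAT);
  assert (classify rules dns = `Accept);
  assert (classify rules other = `Drop)
```

Rule order matters with first-match evaluation, so a broad rule such as the NetVM one placed first shadows any narrower rule listed after it for the same destination.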