mirage-os firewall. Lets integrate it into qubes-os.


ludwig jaffe

Nov 1, 2017, 7:54:40 AM
to qubes-devel
Hi, I found an interesting approach of having a small unikernel (mirage-os) firewall
that does not eat up too much RAM, which is especially useful for a laptop, and also,
as there is a different IP stack than in Linux, one has an advantage against
common errors:
(if there is a flaw in the Linux kernel it affects sys-net and sys-firewall;
if there is a flaw in the unikernel firewall it only affects the firewall; and if
there is a flaw in the kernel then it affects sys-net and not sys-firewall!)

look here for the project:
http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
https://github.com/talex5/qubes-mirage-firewall.git


It would be nice to have the mirage-os based firewall as an install option,
by downloading a signed template with a tested mirage-os based firewall.

Is there anyone who has experience with it?
I would like to try it and help developing it further. Who else wants?

Cheers,

Ludwig




ludwig jaffe

Nov 1, 2017, 8:37:27 AM
to qubes-devel
Hi,

I tried it and it works!
Install docker on fedora-25 and have a development VM here based on fedora-25.
Then run the docker script and wait a long time. It downloads a lot of stuff.
Also, I had OCaml preinstalled on my fedora-25 before, but maybe it is not required
as the docker script pulls it all.
Then follow the README to deploy the tar.bz2 archive and to build the proxy VM.

So let's test it and play around.
If you trust me, you can play around with my tar.bz2 archive.

Cheers,

Ludwig

md5sum mirage-firewall.tar.bz2
62f7e10a81c80f45bb886b6f0c8c1aaf  mirage-firewall.tar.bz
mirage-firewall.tar.bz2
README.md

ser...@da.matta.nom.br

Nov 5, 2017, 9:45:09 AM
to qubes-devel
Dear Ludwig,

It did not work here. I checked all your instructions in Readme.md.
Maybe because I am using Qubes 4 RC2 with PV appvms? My motherboard has no IOMMU support so I am using PV for a while - I will change my motherboard in a week.
Mirage does not start as HVM (error: Start failed: internal error: libxenlight failed to create new domain 'mirage'). It starts as PV, but my appvms do not start if I change them to use mirage, with the same error.
I am using dnsmasq and tinyproxy on sys-firewall and I will not be able to do that with mirage. And I know iptables, but I did not see how to use OCaml. I know mirage uses just a few resources, but maybe it has to show other advantages to get more people involved.
Thank you,
Sergio Matta

tal...@gmail.com

Dec 4, 2017, 10:52:32 AM
to qubes-devel
On Sunday, November 5, 2017 at 2:45:09 PM UTC, ser...@da.matta.nom.br wrote:
> Dear Ludwig,
>
> It did not work here. I checked all your instructions in Readme.md.
> Maybe because I am using Qubes 4 RC2 with PV appvms? My motherboard has no IOMMU support so I am using PV for a while - I will change my motherboard in a week.
> Mirage does not start as HVM (error: Start failed: internal error: libxenlight failed to create new domain 'mirage'). It starts as PV, but my appvms do not start if I change them to use mirage, with the same error.

Hi. I just saw this thread.

I believe support for HVM guests was fixed on Nov 9th: https://github.com/talex5/qubes-mirage-firewall/pull/17

The firewall itself can only run as pv.

> I am using dnsmasq and tinyproxy on sys-firewall and I will not be able to do that with mirage. And I know iptables, but I did not see how to use OCaml. I know mirage uses just a few resources, but maybe it has to show other advantages to get more people involved.

The rules are configured here:

https://github.com/talex5/qubes-mirage-firewall/blob/master/rules.ml

The current set of actions is quite limited, but having a full programming language available might be useful if you want to do more complicated things.

Mirage does have a DHCP server library available, and I have wondered whether it would be useful to add that to the firewall, for guests that don't know about QubesDB.
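As an added illustration of what a rules.ml policy can express (this is an editor's example, not code from the qubes-mirage-firewall repository or from the poster), here is a tighter client policy that only lets DNS and HTTPS out and drops everything else with a logged reason. The Packet record fields (dst, proto, dport) and the result variants (`NAT, `NAT_to, `Drop) are assumed to follow the layout of the repository's rules.ml at the time; check the current file before adapting it.

```ocaml
(* Added example, not the project's own rules.ml. The Packet fields and the
   result variants are assumed from the repository's rules.ml of the time. *)
open Packet

(* The patterns below deliberately leave out record fields; silence warning 9. *)
[@@@ocaml.warning "-9"]

(* Decide what to do with a packet from a client VM.
   Only DNS (UDP 53) and HTTPS (TCP 443) may leave for the outside world;
   anything else, including traffic between client VMs, is dropped with a
   reason string so the decision is visible in the firewall's log. *)
let from_client = function
  | { dst = (`External _ | `NetVM); proto = `UDP { dport = 53 } } -> `NAT
  | { dst = (`External _ | `NetVM); proto = `TCP { dport = 443 } } -> `NAT
  | { dst = (`External _ | `NetVM) } -> `Drop "only DNS and HTTPS are allowed out"
  (* DNS sent to the firewall's own client-side address is redirected to the NetVM. *)
  | { dst = `Client_gateway; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
  | { dst = (`Client_gateway | `Firewall_uplink) } -> `Drop "packet addressed to firewall itself"
  | { dst = `Client _ } -> `Drop "prevent communication between client VMs"
  | _ -> `Drop "unknown dst"

(* Decide what to do with a packet received from the outside world.
   Packets that matched an existing NAT entry never reach this function;
   unsolicited ones are never forwarded. *)
let from_netvm = function
  | _ -> `Drop "drop by default"
```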