[Contribution] Qubes-mirage-firewall kernel or template #7884
Labels
C: contrib package
community dev
This is being developed by a member of the community rather than a core Qubes developer.
P: default
Priority: default. Default priority for new issues, to be replaced given sufficient information.
S: needs review
Status: needs review. Core devs must review contributed code for potential inclusion in Qubes OS.
T: enhancement
Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Dev: @hannesm , @palainp
PoC: https://github.com/mirage/qubes-mirage-firewall
The problem you're addressing (if any)
The Qubes Mirage firewall aims to provide a unikernel for the firewalling task inside Qubes, allowing it to replace the current Linux kernel firewall.
The solution you'd like
The Qubes-Mirage-Firewall is binary reproducible. We have a CI system based on GitHub actions that ensures this reproducibility. We also gather the build input for each build on a daily basis. See e.g. the build https://builds.robur.coop/job/qubes-firewall/build/14878d91-62b2-4ad8-bde5-acb23f6c6575 that contains:
Since the OCaml ecosystem is moving, and the qubes-mirage-firewall depends on several OCaml libraries, we do daily rolling builds on builds.robur.coop. Each qubes-mirage-firewall will have the system-packages and OCaml sources annotated for reproducing the exact same binary.
We can in the future build templates with qubes-builder-mirage (but have not tested recently) and the template can boot with pvgrub2-pvh (unfortunately we still have an issue with template postint scripts :/).
The current state of qubes mirage firewall is usable as a daily firewall (there is still some work to be done to allow the uplink to be changed dynamically; this will also eventually permit using a BSD AppVM as net-vm), and performance is not far from that of a Linux kernel firewall (iperf between two AppVMs with a firewall in between gives a ratio of around 75% (TCP) and 90+% (UDP)).
Users often ask for an easier way to install the firewall than the current "copy from AppVM to dom0".
The value to a user, and who that user might be
The benefits are a faster boot time, a smaller memory footprint and a completely different codebase from the current Linux kernel firewall, which should reduce the possibility of remote exploitation.
Reception on the qubes-devel list (https://groups.google.com/g/qubes-devel/c/ZcR01kc3dz4), on the Qubes forum (https://forum.qubes-os.org/t/questions-about-mirage-firewall/11252/4 and https://forum.qubes-os.org/t/mirage-firewall-0-8-3-released/14774/2) and on GitHub (mirage/qubes-mirage-firewall#115) leads us to think that this firewall can be of value to users.
Suggestions to improve qubes-mirage-firewall are more than welcome!