From 60ebd61b72856b5ff17cc31efac5ebe56297851e Mon Sep 17 00:00:00 2001 From: linse Date: Tue, 19 May 2020 16:48:48 +0200 Subject: [PATCH] Update documentation. --- README.md | 14 +- diagrams/components.svg | 326 +++++++++++++++++++++++----------------- 2 files changed, 193 insertions(+), 147 deletions(-) diff --git a/README.md b/README.md index be85574..0c22988 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,6 @@ A unikernel that can run as a QubesOS ProxyVM, replacing `sys-firewall`. It uses the [mirage-qubes][] library to implement the Qubes protocols. -Note: This firewall *ignores the rules set in the Qubes GUI*. See `rules.ml` for the actual policy. - See [A Unikernel Firewall for QubesOS][] for more details. @@ -63,8 +61,8 @@ Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-fire qvm-create \ --property kernel=mirage-firewall \ --property kernelopts=None \ - --property memory=32 \ - --property maxmem=32 \ + --property memory=64 \ + --property maxmem=64 \ --property netvm=sys-net \ --property provides_network=True \ --property vcpus=1 \ @@ -106,7 +104,7 @@ This diagram show the main components (each box corresponds to a source `.ml` fi

Ethernet frames arrives from client qubes (such as `work` or `personal`) or from `sys-net`. -Internet (IP) packets are sent to `firewall`, which consults `rules` to decide what to do with the packet. +Internet (IP) packets are sent to `firewall`, which consults the NAT table and the rules from QubesDB to decide what to do with the packet. If it should be sent on, it uses `router` to send it to the chosen destination. `client_net` watches the XenStore database provided by dom0 to find out when clients need to be added or removed. @@ -167,10 +165,8 @@ This takes a little more setting up the first time, but will be much quicker aft # Testing if the firewall works -Build the test unikernel in the test directory. -Install it to a vm which has the firewall as netvm. -Set the rules for the testvm to "textfile". -Run the test unikernel. +A unikernel which tests the firewall is available in the `test/` subdirectory. +To use it, run `test.sh` and follow the instructions to set up the test environment. # Security advisories diff --git a/diagrams/components.svg b/diagrams/components.svg index 1e996b1..2d69f9d 100644 --- a/diagrams/components.svg +++ b/diagrams/components.svg 
@@ -1,149 +1,199 @@ - + - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - + + - - - + + + + + - - - - - - - -l -y -s -t -k -r -u -l -n -_ -r -i -e -l -o -n -k -n -o -o -e -e -e -l -s -t -( -f -p -i -i -o -w -t -u -n -- -a -o -X -S -r -m -u -c -r -] -e -r -i -n -s -t -e -k -s -w -e -. -n -e -l -r -s -e -s -r + + + + + + + + + +r +e +n +k +e +t +t +w +o +w +e +c +n +n +o +S +( +n +t +0 +] +n +m +. +B +k +t l -[ -. -p -n -t -o -o -c -h -. -c -t -m +k +i +e +r +c +s +b +i +d +e +n +t +h +b +l +k +- +f +a +e +n +s +i +s +r +. +e +o +o +u +n +c +a +l +o +) +- +i +l +r +e +m +i +s +r +e +l +D +c +[ +n +s +o +f +- +- +l +o +r +t +c +_ +i +m +u +Q +t +e +a +h +. +t +p +l +n +r +e +p +s +n +n +y +X +e +u +s +e +t +h +o +u +a +t +r +r a -e -r -d -0 -) +o +t +- +e +f
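Review bot: in the first README hunk (`@@ -3,8 +3,6 @@`), deleting the line `Note: This firewall *ignores the rules set in the Qubes GUI*. See `rules.ml` for the actual policy.` leaves the introduction saying nothing about where the policy now comes from, while the components hunk further down says `firewall` now consults "the rules from QubesDB". Replace the removed note with a positive statement of the policy source, e.g. `Note: this firewall enforces the rules stored in QubesDB.`, and if `rules.ml` still holds the default policy, keep the pointer to it rather than dropping it silently.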
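Review bot: the `qvm-create` hunk (`@@ -63,8 +61,8 @@`) raises `memory` and `maxmem` from 32 to 64 with no explanation in either the README text or the commit message. Add a sentence stating why 64 MB is now required, and tell users who already created the VM with the old values to raise `memory` and `maxmem` on their existing VM, since the `qvm-create` command in the README only applies to newly created VMs.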
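Review bot: the components hunk (`@@ -106,7 +104,7 @@`) changes only the `firewall` sentence, but its unchanged context carries two grammar slips worth fixing in the same edit: `This diagram show the main components` should read `shows`, and `Ethernet frames arrives` should read `arrive`. The new wording `consults the NAT table and the rules from QubesDB` also drops the name of the component that holds the rule logic; since the paragraph states that each box corresponds to a source `.ml` file, name the component that reads QubesDB so the text still matches the diagram.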
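Review bot: the testing hunk (`@@ -167,10 +165,8 @@`) replaces four concrete steps with a pointer to `test.sh`, and in doing so drops two prerequisites a reader needs before running anything: the test unikernel has to be installed in a VM whose netvm is the firewall, and the firewall must have rules configured for that VM. Keep at least the first in the README, e.g. `The test unikernel must run in a qube that uses the firewall as its netvm.`, rather than leaving it to `test.sh` to explain, and say where `test.sh` is meant to be run from.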
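Review bot: the `diagrams/components.svg` hunk (`@@ -1,149 +1,199 @@`) is a wholesale rewrite of the file, 149 lines removed and 199 added, and as extracted it is unreadable, so the diagram change cannot be checked against the README text it is meant to match. The commit message `Update documentation.` should say what changed in the diagram (the README hunks suggest the `rules` box gave way to the NAT table and QubesDB) so reviewers can confirm the picture and the prose agree without rendering both versions.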