mirror of
https://github.com/mirage/qubes-mirage-firewall.git
synced 2025-04-25 09:29:19 -04:00
b15dd32df8
...we try to read them before they've been written to QubesDB, so we think there aren't any. To get useful results, we'll need to either delay the rule read, or implement a proper watcher for the firewall rules using the QubesDB watch interface.
101 lines
2.9 KiB
Bash
Executable File
101 lines
2.9 KiB
Bash
Executable File
#!/bin/bash
|
|
function explain_commands {
|
|
echo "1) Set up test qubes:"
|
|
echo "Follow the instructions in http://github.com/talex5/qubes-test-mirage to set up the boot-mirage and test-mirage scripts. Make two new qubes in dom0, called mirage-fw-test and fetchmotron, following the instructions for template and qube settings."
|
|
}
|
|
|
|
function explain_service {
|
|
echo "2) Set up rule update service:"
|
|
echo "In dom0, make a new service:
|
|
|
|
touch /etc/qubes-rpc/yomimono.updateFirewall
|
|
|
|
sudo bash
|
|
cd /etc/qubes-rpc
|
|
cat << EOF >> yomimono.updateFirewall
|
|
/usr/local/bin/update-firewall
|
|
EOF
|
|
|
|
Make a policy file for this service, YOUR_DEV_VM being the qube from which you build (e.g. ocamldev):
|
|
|
|
sudo bash
|
|
cd /etc/qubes-rpc/policy
|
|
cat << EOF >> yomimono.updateFirewall
|
|
YOUR_DEV_VM dom0 allow
|
|
|
|
make the update-firewall script:
|
|
|
|
sudo bash
|
|
cd /usr/local/bin
|
|
|
|
Copy the file update-rules.sh to /usr/local/bin.
|
|
In YOUR_DEV_VM, you can now change fetchmotron's firewall rules:
|
|
|
|
$ qrexec-client-vm dom0 yomimono.updateFirewall"
|
|
}
|
|
|
|
function explain_upstream {
|
|
echo "Also, start a test service on the upstream NetVM (which is available at 10.137.0.5 from the test unikernel)."
|
|
echo "For the UDP reply service:"
|
|
echo "Install nmap-ncat:"
|
|
echo "sudo dnf install nmap-ncat"
|
|
echo "Allow incoming traffic on the appropriate port:"
|
|
echo "sudo iptables -I INPUT -i vif+ -p udp --dport $udp_echo_port -j ACCEPT"
|
|
echo "Then run the service:"
|
|
echo "ncat -e /bin/cat -k -u -l 1235"
|
|
}
|
|
|
|
if ! [ -x "$(command -v boot-mirage)" ]; then
|
|
echo 'Error: boot-mirage is not installed.' >&2
|
|
explain_commands >&2
|
|
exit 1
|
|
fi
|
|
if ! [ -x "$(command -v test-mirage)" ]; then
|
|
echo 'Error: test-mirage is not installed.' >&2
|
|
explain_commands >&2
|
|
exit 1
|
|
fi
|
|
qrexec-client-vm dom0 yomimono.updateFirewall
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: can't update firewall rules." >&2
|
|
explain_service >&2
|
|
exit 1
|
|
fi
|
|
udp_echo_host=10.137.0.5
|
|
udp_echo_port=1235
|
|
reply=$(echo hi | nc -u $udp_echo_host -q 1 $udp_echo_port)
|
|
if [ "$reply" != "hi" ]; then
|
|
# TODO: if the development environment and the test unikernel have different
|
|
# NetVMs serving their respective firewalls, this can be a false negative.
|
|
# provide some nice way for the user to handle this -
|
|
# the non-nice way is commenting out this test ;)
|
|
echo "UDP echo service not reachable at $udp_echo_host:$udp_echo_port" >&2
|
|
explain_upstream >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "We're gonna set up a unikernel for the mirage-fw-test qube"
|
|
cd ..
|
|
mirage configure -t xen -l "*:debug" && \
|
|
make depend && \
|
|
make
|
|
if [ $? -ne 0 ]; then
|
|
echo "Could not build unikernel for mirage-fw-test qube" >&2
|
|
exit 1
|
|
fi
|
|
cd test
|
|
|
|
echo "We're gonna set up a unikernel for fetchmotron qube"
|
|
mirage configure -t qubes && \
|
|
make depend && \
|
|
make
|
|
if [ $? -ne 0 ]; then
|
|
echo "Could not build unikernel for fetchmotron qube" >&2
|
|
exit 1
|
|
fi
|
|
|
|
cd ..
|
|
test-mirage qubes_firewall.xen mirage-fw-test &
|
|
cd test
|
|
test-mirage http_fetch.xen fetchmotron
|