2023-11-13 09:33:28 -05:00
|
|
|
# sys-mirage-firewall
|
|
|
|
|
|
|
|
|
|
Mirage Firewall in Qubes OS.
|
|
|
|
|
|
|
|
|
|
## Table of Contents
|
|
|
|
|
|
2024-07-04 11:10:11 -04:00
|
|
|
* [Description](#description)
|
|
|
|
|
* [Installation](#installation)
|
|
|
|
|
* [Usage](#usage)
|
|
|
|
|
* [Credits](#credits)
|
2023-11-13 09:33:28 -05:00
|
|
|
|
|
|
|
|
## Description
|
|
|
|
|
|
2024-01-12 11:56:28 -05:00
|
|
|
Creates a Mirage Firewall qube named "disp-sys-mirage-firewall". It is an
|
|
|
|
|
OCaml program compiled to run as an operating system kernel, in this case, a
|
2023-11-13 09:33:28 -05:00
|
|
|
MirageOS unikernel replacement for the default firewall (sys-firewall). It
|
|
|
|
|
pulls in just the code it needs as libraries.
|
|
|
|
|
|
|
|
|
|
Contrary to a standard Linux Firewall, Mirage Firewall doesn't need a full
|
|
|
|
|
system to run an excessive resources.
|
|
|
|
|
|
|
|
|
|
You can't use Mirage Firewall to be the updatevm, use another qube instead.
|
|
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
|
|
We have built the Unikernel locally and verified that the upstream checksum
|
|
|
|
|
and local checksum matched when comparing the same release.
|
|
|
|
|
|
2024-07-04 11:10:11 -04:00
|
|
|
* Top:
|
|
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
```sh
|
2024-02-23 10:54:35 -05:00
|
|
|
sudo qubesctl top.enable sys-mirage-firewall
|
|
|
|
|
sudo qubesctl state.apply
|
|
|
|
|
sudo qubesctl top.disable sys-mirage-firewall
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
|
|
|
|
|
2024-07-04 11:10:11 -04:00
|
|
|
* State:
|
|
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
<!-- pkg:begin:post-install -->
|
2024-07-04 11:10:11 -04:00
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
```sh
|
2024-02-23 10:54:35 -05:00
|
|
|
sudo qubesctl state.apply sys-mirage-firewall.create
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
2024-07-04 11:10:11 -04:00
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
<!-- pkg:end:post-install -->
|
|
|
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
2024-01-28 17:28:00 -05:00
|
|
|
Set qubes `netvm` to `disp-sys-mirage-firewall`:
|
2024-07-04 11:10:11 -04:00
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
```sh
|
2024-01-12 11:56:28 -05:00
|
|
|
qvm-prefs --set QUBE netvm disp-sys-mirage-firewall
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
To test the firewall, apply rules with `qvm-firewall`.
|
|
|
|
|
|
|
|
|
|
For monitoring, inspect the Unikernel console:
|
2024-07-04 11:10:11 -04:00
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
```sh
|
2024-01-12 11:56:28 -05:00
|
|
|
sudo xl console disp-sys-mirage-firewall
|
2023-11-13 09:33:28 -05:00
|
|
|
```
|
2024-07-04 11:10:11 -04:00
|
|
|
|
2023-11-13 09:33:28 -05:00
|
|
|
Exit the console with `Ctrl-]`.
|
|
|
|
|
|
|
|
|
|
## Credits
|
|
|
|
|
|
2024-07-04 11:10:11 -04:00
|
|
|
* [Unman](https://github.com/unman/shaker/tree/main/mirage)
|
|
|
|
|
* [Thien Tran](https://privsec.dev/posts/qubes/firewalling-with-mirageos-on-qubes-os/)
|
