feat: disposable mirage firewall

This commit is contained in:
Ben Grande 2024-01-12 17:56:28 +01:00
parent 5502103901
commit 7eb1f34f73
2 changed files with 57 additions and 14 deletions


@ -11,8 +11,8 @@ Mirage Firewall in Qubes OS.
## Description
Creates a Mirage Firewall qube named "sys-mirage-firewall". It is an OCaml
program compiled to run as an operating system kernel, in this case, a
Creates a Mirage Firewall qube named "disp-sys-mirage-firewall". It is an
OCaml program compiled to run as an operating system kernel, in this case, a
MirageOS unikernel replacement for the default firewall (sys-firewall). It
pulls in just the code it needs as libraries.
@ -42,19 +42,20 @@ qubesctl state.apply sys-mirage-firewall.create
## Usage
As a started, set qubes `netvm` to `sys-mirage-firewall`:
As a started, set qubes `netvm` to `disp-sys-mirage-firewall`:
```sh
qvm-prefs --set QUBE netvm sys-mirage-firewall
qvm-prefs --set QUBE netvm disp-sys-mirage-firewall
```
To test the firewall, apply rules with `qvm-firewall`.
For monitoring, inspect the Unikernel console:
```sh
sudo xl console sys-mirage-firewall
sudo xl console disp-sys-mirage-firewall
```
Exit the console with `Ctrl-]`.
## Credits
- [Unman](https://github.com/unman/shaker/tree/main/mirage)
- [Thien Tran](https://privsec.dev/posts/qubes/firewalling-with-mirageos-on-qubes-os/)


@ -1,8 +1,9 @@
{#
SPDX-FileCopyrightText: 2022 Thien Tran <contact@tommytran.io>
SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
SPDX-License-Identifier: AGPL-3.0-or-later
SPDX-License-Identifier: MIT
#}
{%- from "qvm/template.jinja" import load -%}
@ -46,24 +47,65 @@ the chain (sys-net).
- makedirs: True
{% load_yaml as defaults -%}
name: sys-mirage-firewall
name: tpl-sys-mirage-firewall
force: True
require:
- file: sys-mirage-firewall-save-version
- file: sys-mirage-firewall-save-version
present:
- class: StandaloneVM
- label: orange
- virt_mode: pvh
- class: TemplateVM
- label: black
prefs:
- virt_mode: pvh
- label: black
- memory: 64
- maxmem: 64
- vcpus: 1
- kernel: mirage-firewall
- kernelopts: ""
{%- endload %}
{{ load(defaults) }}
{% load_yaml as defaults -%}
name: dvm-sys-mirage-firewall
force: True
require:
- qvm: tpl-sys-mirage-firewall
present:
- template: tpl-sys-mirage-firewall
- label: orange
prefs:
- template: tpl-sys-mirage-firewall
- label: orange
- netvm: {{ netvm }}
- memory: 64
- maxmem: 64
- vcpus: 1
- provides-network: True
- template_for_dispvms: True
features:
- enable:
- service.qubes-firewall
- no-default-kernelopts
{%- endload %}
{{ load(defaults) }}
{% load_yaml as defaults -%}
name: disp-sys-mirage-firewall
force: True
require:
- qvm: tpl-sys-mirage-firewall
present:
- class: DispVM
- template: dvm-sys-mirage-firewall
- label: orange
prefs:
- template: dvm-sys-mirage-firewall
- label: orange
- netvm: {{ netvm }}
- memory: 64
- maxmem: 64
- vcpus: 1
- provides-network: True
- default_dispvm: ""
- kernel: mirage-firewall
- kernelopts: ''
features:
- enable:
- service.qubes-firewall