qusal/salt/sys-mirage-firewall
Ben Grande 383c840f2f
doc: lint markdown files
Only way to have a unified markdown syntax is to enforce the wanted
syntax by linting the files. Don't rely on the many markdown syntaxes,
be consistent.
2024-07-04 17:27:31 +02:00
create.sls fix: update mirage firewall version 2024-05-11 02:54:52 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: lint markdown files 2024-07-04 17:27:31 +02:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

sys-mirage-firewall

Mirage Firewall in Qubes OS.

Description

Creates a Mirage Firewall qube named "disp-sys-mirage-firewall". Mirage Firewall is an OCaml program compiled to run directly as an operating system kernel: a MirageOS unikernel that replaces the default firewall (sys-firewall). It links in only the library code it needs.

Contrary to a standard Linux firewall, Mirage Firewall doesn't need a full operating system to run, nor the excessive resources one consumes.

Mirage Firewall can't be used as the updatevm; use another qube for that role.

Installation

We have built the Unikernel locally and verified that the upstream checksum and local checksum matched when comparing the same release.

  • Top:
      sudo qubesctl top.enable sys-mirage-firewall
      sudo qubesctl state.apply
      sudo qubesctl top.disable sys-mirage-firewall
  • State:
      sudo qubesctl state.apply sys-mirage-firewall.create

Usage

Set a qube's netvm to disp-sys-mirage-firewall:

qvm-prefs --set QUBE netvm disp-sys-mirage-firewall

To test the firewall, apply rules with qvm-firewall.

For monitoring, inspect the Unikernel console:

sudo xl console disp-sys-mirage-firewall

Exit the console with Ctrl-].
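As an added example (not part of the qusal project's own files), the following dom0 script combines the two steps above: it points a qube at disp-sys-mirage-firewall and replaces that qube's rule list with a short allow-list ending in drop, so anything not explicitly accepted is blocked. The qube name, the 203.0.113.0/24 range and port 443 are constructed placeholders. The script assumes the Qubes 4.x qvm-prefs and qvm-firewall command syntax, that qvm-firewall del accepts a rule specification, and that qvm-firewall reset leaves only the default accept-all rule, which is why that rule is deleted before the allow-list is appended.

```shell
#!/bin/sh
# Added example, not part of qusal: point a qube at the Mirage firewall
# and give it an allow-list ruleset that ends in drop. Runs in dom0 and
# assumes the Qubes 4.x qvm-prefs / qvm-firewall command syntax.
set -eu

FIREWALL_VM="disp-sys-mirage-firewall"

# Succeeds only when the qube's netvm already is the Mirage firewall.
netvm_is_mirage() {
  [ "$(qvm-prefs --get "$1" netvm)" = "$FIREWALL_VM" ]
}

# Point the qube at the Mirage firewall if it is not already there, then
# print the netvm so the caller can verify that the change took effect.
ensure_netvm() {
  if ! netvm_is_mirage "$1"; then
    qvm-prefs --set "$1" netvm "$FIREWALL_VM"
  fi
  qvm-prefs --get "$1" netvm
}

# Replace the qube's rules with: accept TCP to one CIDR on one port, then
# drop everything else. qvm-firewall evaluates rules in order and "add"
# appends, so the catch-all accept left by "reset" is removed first
# (assumption: reset restores only that single accept rule, and "del"
# takes a rule specification); otherwise the allow-list would sit behind
# an accept-all and never take effect. Prints the resulting rule list.
apply_allowlist() {
  qube="$1"; cidr="$2"; port="$3"
  qvm-firewall "$qube" reset
  qvm-firewall "$qube" del accept
  qvm-firewall "$qube" add accept dsthost="$cidr" proto=tcp dstports="$port"
  # Add "accept specialtarget=dns" here, before the drop, if the qube needs DNS.
  qvm-firewall "$qube" add drop
  qvm-firewall "$qube" list
}

# Usage: ./mirage-client.sh QUBE [CIDR] [PORT]
if [ "$#" -gt 0 ]; then
  ensure_netvm "$1"
  apply_allowlist "$1" "${2:-203.0.113.0/24}" "${3:-443}"
fi
```

Run it from dom0 with the client qube's name; afterwards qvm-firewall QUBE list should show the accept rule followed by drop, and the unikernel console (sudo xl console disp-sys-mirage-firewall) will log the packets it drops for that client.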

Credits