sys-mirage-firewall
Mirage Firewall in Qubes OS.
Description
Creates a Mirage Firewall qube named "disp-sys-mirage-firewall" as a replacement for the default firewall qube (sys-firewall). Mirage Firewall is a MirageOS unikernel: an OCaml program compiled, together with only the libraries it needs, into a standalone kernel that runs directly as a Xen guest, with no Linux userland underneath it.
Unlike a standard Linux-based sys-firewall, Mirage Firewall doesn't need a full operating system to do its job, so it uses a fraction of the memory and exposes far less code to the network.
Mirage Firewall can't serve as the UpdateVM (it does not run the Qubes updates proxy), so keep another qube, such as sys-net, as updatevm.
Installation
We built the unikernel locally and verified that its checksum matches the upstream checksum for the same release; the build is reproducible, so the two should be identical.
Run in dom0, either via the top file:

```
qubesctl top.enable sys-mirage-firewall
qubesctl state.apply
qubesctl top.disable sys-mirage-firewall
```

or by applying the state directly:

```
qubesctl state.apply sys-mirage-firewall.create
```
Usage
To start, set a qube's netvm to disp-sys-mirage-firewall:

```
qvm-prefs --set QUBE netvm disp-sys-mirage-firewall
```
To test the firewall, apply rules to a qube behind it with qvm-firewall and confirm that only the permitted traffic gets through.
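It helps to know what a rule set does as the firewall sees it: qvm-firewall stores each rule in QubesDB as a line of key=value tokens (for example `action=accept proto=tcp dstports=443-443`), rules are tried in order, and anything unmatched is dropped. The offline checker below is an added example, not code from this formula or from qubes-mirage-firewall; the rule keys it understands, the hostname-resolution map, the sample rule set, the DNS server addresses and the destination IPs are assumptions or constructed for the demo. It runs in any qube with Python 3 and needs nothing from dom0.

```python
"""Offline evaluator for Qubes firewall rule strings (added example).

Assumptions (not taken from the page or the project):
  * rule format: space-separated key=value tokens, keys action, proto,
    dst4, dst6, dsthost, dstports, icmptype, specialtarget, expire, comment
  * first matching rule wins; no match means drop
  * specialtarget=dns means port 53 to the qube's configured DNS servers
  * dsthost is matched against a caller-supplied hostname -> IP map
"""
import ipaddress
import time


def parse_rule(line):
    """Parse one 'key=value key=value ...' rule string into a dict."""
    rule = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"bad token {token!r} in rule {line!r}")
        key, value = token.split("=", 1)
        rule[key] = value
    if rule.get("action") not in ("accept", "drop"):
        raise ValueError(f"rule needs action=accept or action=drop: {line!r}")
    return rule


def _port_in_range(port, spec):
    """spec is 'lo-hi' (Qubes writes single ports as 'p-p') or 'p'."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def rule_matches(rule, pkt, dns_servers, resolved, now):
    """pkt: {'dst': ip str, 'proto': 'tcp'|'udp'|'icmp', 'dport': int|None}."""
    if "expire" in rule and now >= int(rule["expire"]):
        return False  # expired rules are skipped
    dst = ipaddress.ip_address(pkt["dst"])
    if "specialtarget" in rule:
        if rule["specialtarget"] != "dns":
            return False  # unknown special target: assume no match
        if dst not in dns_servers or pkt["proto"] not in ("tcp", "udp") \
                or pkt.get("dport") != 53:
            return False
    for key in ("dst4", "dst6"):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if dst not in net:  # False for a v4/v6 version mismatch
                return False
    if "dsthost" in rule:
        if dst not in resolved.get(rule["dsthost"], set()):
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dstports" in rule:
        if pkt.get("dport") is None or not _port_in_range(pkt["dport"], rule["dstports"]):
            return False
    return True  # a rule with only action=... matches everything


def decide(rules, pkt, dns_servers=(), resolved=None, now=None):
    """Return 'accept' or 'drop' for pkt under the ordered rule list."""
    dns = {ipaddress.ip_address(d) for d in dns_servers}
    resolved = {h: {ipaddress.ip_address(i) for i in ips}
                for h, ips in (resolved or {}).items()}
    now = time.time() if now is None else now
    for rule in rules:
        if rule_matches(rule, pkt, dns, resolved, now):
            return rule["action"]
    return "drop"  # default policy when nothing matched


# Constructed sample: a qube allowed only HTTPS, plus DNS to its own resolvers.
SAMPLE_RULES = [parse_rule(r) for r in (
    "action=accept specialtarget=dns",
    "action=accept proto=tcp dstports=443-443",
    "action=drop",
)]
SAMPLE_DNS = ("10.139.1.1", "10.139.1.2")  # assumed Qubes DNS addresses


def check_sample():
    """Evaluate a few constructed packets against SAMPLE_RULES."""
    probes = {
        "https": {"dst": "203.0.113.10", "proto": "tcp", "dport": 443},
        "http": {"dst": "203.0.113.10", "proto": "tcp", "dport": 80},
        "dns": {"dst": "10.139.1.1", "proto": "udp", "dport": 53},
        "dns_elsewhere": {"dst": "203.0.113.53", "proto": "udp", "dport": 53},
    }
    return {name: decide(SAMPLE_RULES, pkt, SAMPLE_DNS) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in check_sample().items():
        print(f"{name:14} {verdict}")
```

If a qube you expect to be locked down still reaches something, run its rule strings through `decide` with the packet you observed; the verdict and the order in which the rules are listed usually explain why.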
For monitoring, inspect the unikernel console from dom0:

```
sudo xl console disp-sys-mirage-firewall
```

Exit the console with Ctrl-].