On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> What's it like to update - is it relatively simple? Would you say it's more 
> secure than Debian or Fedora?

It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel 
files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and then 
restart the Mirage firewalls.

However, I don't know if it's more secure than using a Debian or Fedora based 
sys-firewall; it *might* help guard against a 0-day cascade though.

That said, because the Mirage firewall doesn't seem to work with a dispVM (at 
least for me, even running the latest code off of GitHub), I still have 
sys-firewall running in the background anyways. So what I do is run my 
mirage-firewall behind sys-firewall (which in turn is behind sys-net). I don't 
know if that's best practice or even has any effect in guarding against a 0-day 
cascade, but things still work normally for the machines where I don't do any 
custom VM iptables filter rules and the RAM hit isn't too much (I use 32MB).

Note that if you're trying to compile the latest Mirage firewall code from 
GitHub (which isn't reflected on the Release pages yet; there have been some 
minor changes since the last one), it might be a bit tricky since if you follow 
the default GitHub instructions, the compilation will eventually fail as 
mirage-nat tries to pull in older versions of its package dependencies by 

What I had to do was follow the GitHub instructions until it failed, run 'opam 
upgrade' to update what mirage-nat pulled in, then manually install the latest 
version of the tcpip package by running 'opam install tcpip' and then finally 
run 'opam install mirage-nat'. After that, following the rest of the GitHub 
instructions should be fine. That'll work with both the 4.02.3 OCaml compiler 
and the 4.03.0+flambda compiler. Compiling mirage-firewall won't work yet with 
the 4.04 series compilers because the version of mirage-xen in the repository 
only works with up to version 4.03. The code on mirage-xen's GitHub page was 
updated to work with 4.04 a while back, but a release roll up hasn't been 
pushed out to the repositories yet; not sure when that'll happen.
