On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> What's it like to update - is it relatively simple? Would you say it's more
> secure than Debian or Fedora?

It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and then restart the Mirage firewalls. However, I don't know if it's more secure than using a Debian or Fedora based sys-firewall; it *might* help guard against a 0-day cascade though.

That said, because the Mirage firewall doesn't seem to work with a dispVM (at least for me, even running the latest code off of GitHub), I still have sys-firewall running in the background anyways. So what I do is run my mirage-firewall behind sys-firewall (which in turn is behind sys-net). I don't know if that's best practice or even has any effect in guarding against a 0-day cascade, but things still work normally for the machines where I don't do any custom VM iptables filter rules and the RAM hit isn't too much (I use 32MB).

Note that if you're trying to compile the latest mirage firewall code from GitHub (which isn't reflected on the Release pages yet; there have been some minor changes since the last one), it might be a bit tricky, since if you follow the default GitHub instructions, the compilation will eventually fail as mirage-nat tries to pull in older versions of its package dependencies by default. What I had to do was follow the GitHub instructions until it failed, run 'opam upgrade' to update what mirage-nat pulled in, then manually install the latest version of the tcpip package by running 'opam install tcpip' and then finally run 'opam install mirage-nat'. After that, following the rest of the GitHub instructions should be fine.

That'll work with both the 4.02.3 OCaml compiler and the 4.03.0+flambda compiler. Compiling mirage-firewall won't work yet with the 4.04 series compilers because the version of mirage-xen in the repository only works with up to version 4.03.
The code on mirage-xen's github page has been updated to work with 4.04 a while back, but a release roll up hasn't been pushed out to the repositories yet; not sure when that'll happen.