-------- Original Message --------
Subject: [qubes-users] Re: Question to Mirage OS firewall users
Local Time: January 19, 2017 12:06 AM
UTC Time: January 19, 2017 12:06 AM
From: r...@reginaldtiangha.com
To: qubes-users@googlegroups.com

On 2017-01-18 7:30 AM, Антон Чехов wrote:
> Hi!
> Is anyone using the mirage firewall in connection with a proxyVM? How do you 
> configure it properly? Does it handle qubes-firewall-users-scripts?

I've run a Mirage-based firewall both in front of and behind a
firewallVM and they chain together fine. Mirage Firewall in its current
iteration does *not* respect modifications to firewall rules via Qubes
and they have to be inputted manually (there are some instructions on how to
do that on the software author's blog). That isn't to say that Mirage
Firewall couldn't do it one day, but I believe the author of the code is
leaving it up as an exercise for the reader. Maybe he'll get around to
implementing it, or maybe not, but from a purely technical standpoint,
there's no reason why it couldn't be modified to work with Qubes
firewall user scripts, it's just that it hasn't been implemented yet.

Note that even if you're running the latest code off of GitHub,
currently, Mirage Firewall still doesn't work correctly with DispVMs (or
at least, I haven't been able to get it to work; the DispVM connects to
it, but there's no traffic), even though there were some minimal fixes
applied to try to handle how it handles IP addresses from a different
pool. Works fine with AppVMs, though, as well as TemplateVMs, at least
in my experience.

A workaround for dispVMs is creating the savefile without a firewallVM (i.e. 
set as "none"), then for each fresh dispVM, manually assign it to sys-mirage 
after it has been started.


