
On 21 December 2017 at 11:25, donoban <dono...@riseup.net> wrote:
> On 12/21/2017 11:13 AM, Thomas Leonard wrote:
>> On Wednesday, December 20, 2017 at 9:05:08 PM UTC, donoban wrote:
>>> On 12/19/2017 08:05 PM, Thomas Leonard wrote:
>>>> I'd like to announce the release of qubes-mirage-firewall 0.4:
>>>>
>>>>   https://github.com/talex5/qubes-mirage-firewall/releases/tag/v0.4
>>>>
>>>> This is a unikernel that can run as a QubesOS ProxyVM, replacing 
>>>> sys-firewall. It may be useful if you want something smaller or 
>>>> faster-to-start than the Linux-based sys-firewall, are worried about 
>>>> possible attacks against Linux's C net-front code, or just like playing 
>>>> with unikernels.
>>>>
>>>
>>> Hi,
>>>
>>> I am thinking of testing it but I have no idea about unikernels and OCaml.
>>>
>>> If I'm not wrong, you have to configure the rules for the firewall before
>>> building the kernel image? Once you start it you have no way to change
>>> rules?
>>
>> Yes. With Qubes 4, it should be possible to update the rules at runtime from 
>> QubesDB (see https://github.com/talex5/qubes-mirage-firewall/issues/24), but 
>> that isn't implemented yet.
>>
>>> I don't know if I will have success with it and use it but thanks for
>>> your effort.
>>
>
> Interesting...
>
> I had no idea about unikernels, MirageOS or OCaml. I was pretty
> disappointed because how to configure it was pretty hard to understand
> and some tests report more CPU usage than the standard sys-firewall.

That's quite possible. I only have a regular (fibre) home broadband
connection, so speed of the firewall isn't an issue for me.
The default build doesn't enable many compiler optimisations. If you
need more performance, you could try building with an "flambda" build
of the OCaml compiler - that enables a load of extra optimisations. To
do that, replace the FROM line in the Dockerfile with:

FROM ocaml/opam:debian-9_ocaml-4.05.0_flambda

Then delete the "_build" directory and rebuild.

> However
> I took two hours or more reading your blog, I realized how interesting
> the idea is and I went to sleep thinking on how to do mirage-firewall
> configurable.
>
> First I thought of a configuration file, but since there is no hard disk
> I realized the rules should be in memory. I know almost nothing
> about OCaml but I thought there should be something similar to arrays
> for storing them in memory.

Mirage has block drivers available, so you could read from a disk if
you want. As Holger Levsen mentioned, there is also a proof-of-concept
version that reads JSON rules from the modules.img file. However, it
would seem more sensible to make use of the new rules format in Qubes
4 in the longer term.

(and yes, OCaml does have arrays)

> I was thinking of making some kind of function for passing the rules via
> qrexec or directly via the Xen console. I want to have compatibility with
> the current Qubes 3.2 GUI, so I was thinking of writing a parser which
> runs in dom0, reads firewall.xml files and passes them to mirage-firewall.
>
> I work mainly in C# and C++. I wrote Perl and some Python years ago. I
> did something in Lisp during my degree, but I suppose that I don't remember
> anything. Maybe OCaml is pretty hard, but I'm determined to try it.

OCaml's syntax often confuses people at first, but it's fairly simple
after that. I'm fairly sure it's easier to learn than C++ or Perl,
anyway!

> I've tested Qubes 4; it worked for me, but I felt it was too soon to use it
> daily, so I switched to Qubes 3.2. I would prefer to make mirage-firewall
> configurable for Qubes 3.2, but easy to add on Qubes 4.
>
> This is what I have on mind:
>
> - Some kind of struct/object for storing firewall rules in memory
> - A function which parses this rules object for a packet
> - A function for adding/deleting/flushing rules (called from qrexec, the
> Xen console or QubesDB)
>
> What do you think?

Sounds reasonable.


-- 
talex5 (GitHub/Twitter)        http://roscidus.com/blog/
GPG: 5DD5 8D70 899C 454A 966D  6A51 7513 3C8F 94F6 E0CC
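The three pieces proposed in the thread (an in-memory rule object, a lookup that decides a packet, and add/delete/flush operations) sketched in plain OCaml. This is an added example written for this page, not code from qubes-mirage-firewall or from either poster; it uses no Mirage or Ipaddr library so it runs with a stock `ocaml` toplevel, and every type and function name in it (`rule`, `packet`, `decide`, `add_rule`, and so on) is an assumption, not the firewall's real API. The rule list is first-match-wins with a default of Drop when nothing matches, which is the safe default for a ProxyVM filter.

```ocaml
(* Added example, not part of qubes-mirage-firewall. Minimal in-memory rule
   table: a record per rule, a lookup that decides a packet, and
   add/delete/flush. Addresses are IPv4 held as int32, host byte order. *)

type action = Accept | Drop
type proto = Any | Tcp | Udp

type rule = {
  proto : proto;
  dst_port : int option;   (* None matches any destination port *)
  dst_net : int32;         (* network address of the destination prefix *)
  dst_len : int;           (* prefix length, 0..32 *)
  action : action;
}

type packet = { p_proto : proto; p_dst : int32; p_port : int }

(* Parse "10.137.0.0/16" (or a bare address, taken as /32) into
   (network, prefix length). Rejects malformed input with Invalid_argument. *)
let parse_cidr s =
  let addr, len =
    match String.split_on_char '/' s with
    | [a; l] -> (a, int_of_string l)
    | [a] -> (a, 32)
    | _ -> invalid_arg ("bad CIDR: " ^ s)
  in
  if len < 0 || len > 32 then invalid_arg ("bad prefix length: " ^ s);
  let octets = List.map int_of_string (String.split_on_char '.' addr) in
  if List.length octets <> 4 || List.exists (fun o -> o < 0 || o > 255) octets
  then invalid_arg ("bad IPv4 address: " ^ addr);
  let net =
    List.fold_left
      (fun acc o -> Int32.logor (Int32.shift_left acc 8) (Int32.of_int o))
      0l octets
  in
  (net, len)

(* Netmask for a prefix length; /0 is the all-zero mask. *)
let mask len = if len = 0 then 0l else Int32.shift_left (-1l) (32 - len)

let in_prefix addr net len =
  Int32.logand addr (mask len) = Int32.logand net (mask len)

(* The rule table itself: a mutable, ordered list. First match wins. *)
let rules : rule list ref = ref []

let matches r p =
  (r.proto = Any || r.proto = p.p_proto)
  && (match r.dst_port with None -> true | Some port -> port = p.p_port)
  && in_prefix p.p_dst r.dst_net r.dst_len

(* Decide a packet. Anything not explicitly matched is dropped. *)
let decide p =
  match List.find_opt (fun r -> matches r p) !rules with
  | Some r -> r.action
  | None -> Drop

(* Management operations that a qrexec / console / QubesDB front end would
   call. Append keeps rule order stable; delete uses structural equality. *)
let add_rule r = rules := !rules @ [ r ]
let delete_rule r = rules := List.filter (fun x -> x <> r) !rules
let flush () = rules := []

let mk_rule ?(proto = Any) ?port cidr action =
  let net, len = parse_cidr cidr in
  { proto; dst_port = port; dst_net = net; dst_len = len; action }

(* Constructed demo: allow DNS to the (assumed) resolver range, block the
   rest of the local VM network, allow everything else. *)
let () =
  add_rule (mk_rule ~proto:Udp ~port:53 "10.139.1.0/24" Accept);
  add_rule (mk_rule "10.137.0.0/16" Drop);
  add_rule (mk_rule "0.0.0.0/0" Accept);
  let pkt proto addr port = { p_proto = proto; p_dst = fst (parse_cidr addr); p_port = port } in
  let show p = match decide p with Accept -> "accept" | Drop -> "drop" in
  Printf.printf "udp 10.139.1.1:53  -> %s\n" (show (pkt Udp "10.139.1.1" 53));
  Printf.printf "tcp 10.137.0.5:22  -> %s\n" (show (pkt Tcp "10.137.0.5" 22));
  Printf.printf "tcp 93.184.216.34:443 -> %s\n" (show (pkt Tcp "93.184.216.34" 443));
  flush ();
  Printf.printf "after flush, same packet -> %s\n" (show (pkt Tcp "93.184.216.34" 443))
```

Two points worth noting for anyone turning this into a real implementation: the default-Drop branch in `decide` is what keeps a flushed or half-loaded table from failing open, and keeping the rules in an ordered list means the add/delete front end has to be explicit about where a new rule goes, which matches how the Qubes 3.2 firewall.xml rules are evaluated top to bottom.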

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAG4opy8_v%2BC3U%3DD%2BBjigH%3Dgu%2BuH9XyA2Z0DRYpp%2B3diS6jQaMg%40mail.gmail.com.