On 11/01/2017 12:38 PM, ludwig jaffe wrote:
> Hi I found an interesting approach of having a small unikernel
> firewall, that does not eat up too much RAM, especially useful for
> a laptop and also as there is a different ip-stack than in Linux
> one has an advantage against common errors: would be nice to have
> the mirage-os based firewall as an install option, by downloading
> a signed template with a tested mirage-os based firewall.
>
> Is there anyone who has experience with it? I would like to try it
> and help developing it further. Who else wants?
>
> Cheers,
>
> Ludwig

Hi,

I discovered it when talex released the last version. I am trying to store rules dynamically in memory (which seems nearly achieved) and make it compatible with Qubes firewall management (which seems the hard part).

I just rewrite the hard coded firewall rules as a list of rules which can be parsed by the firewall (except blocking traffic between VMs, it is still hard coded). What I don't know yet is how to handle QubesDB updates and parse them. It does not seem too difficult, but this is my first contact with OCaml : )

If you want, take a look:
https://github.com/donob4n/qubes-mirage-firewall

It's nearly useless so far (compared to the original version) unless you find it easier to define rules in the list format:

    { src = None; dst = Some `NetVM; sport = None; dport = None; proto = None ; action = `NAT };

'None' is equivalent to 'ANY' and if you define some field you must add 'Some' since rule fields are defined as 'Option'.

Also you should check cfcs's version:
https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules

It uses the modules.img file to store the rules. More flexible than talex's version since you don't need to rebuild, but I think you need to reboot the VM to apply new rules. It uses BSD PF format:
https://github.com/cfcs/qubes-mirage-firewall/blob/user_supplied_rules/RULES.JSON

I will try to get some time and progress on it. At least to learn some OCaml and Qubes internals.
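
The rule list format described in the message above, as an added example that is not part of the original post or of either repository. The type definitions, the first-match evaluation order and the default-drop fallback are assumptions made for illustration; only the record fields and the None/Some convention come from the message.

```ocaml
(* Added illustration: types are assumptions modelled on the rule record
   quoted in the message, not the repository's own definitions. *)
type host = [ `NetVM | `Client | `External ]
type proto = [ `TCP | `UDP | `ICMP ]
type action = [ `NAT | `Accept | `Drop ]

type rule = {
  src : host option; dst : host option;
  sport : int option; dport : int option;
  proto : proto option; action : action;
}

(* Hypothetical, already-parsed packet header (constructed for this example). *)
type packet = {
  p_src : host; p_dst : host; p_sport : int; p_dport : int; p_proto : proto;
}

(* None is the wildcard ('ANY'); Some v matches only the value v. *)
let field_matches want got =
  match want with
  | None -> true
  | Some v -> v = got

let rule_matches r p =
  field_matches r.src p.p_src
  && field_matches r.dst p.p_dst
  && field_matches r.sport p.p_sport
  && field_matches r.dport p.p_dport
  && field_matches r.proto p.p_proto

(* Assumed semantics: the first matching rule wins, and a packet that
   matches no rule is dropped. *)
let decide rules p =
  match List.find_opt (fun r -> rule_matches r p) rules with
  | Some r -> r.action
  | None -> `Drop

(* Constructed rule list: the narrow rule must precede the wildcard rule. *)
let rules = [
  { src = None; dst = Some `NetVM; sport = None; dport = Some 25;
    proto = Some `TCP; action = `Drop };
  { src = None; dst = Some `NetVM; sport = None; dport = None;
    proto = None; action = `NAT };
]

let () =
  let show = function `NAT -> "NAT" | `Accept -> "Accept" | `Drop -> "Drop" in
  let pkt dst dport = { p_src = `Client; p_dst = dst; p_sport = 40000;
                        p_dport = dport; p_proto = `TCP } in
  List.iter (fun p -> print_endline (show (decide rules p)))
    [ pkt `NetVM 443; pkt `NetVM 25; pkt `External 443 ]
```

Swapping the two rules makes the wildcard NAT rule shadow the port 25 rule, which is why rule order needs review whenever fields are left as None.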
