I'm pleased to announce the release of qubes-mirage-firewall 0.7:

  https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7


This is a unikernel that can run as a QubesOS ProxyVM, replacing 
sys-firewall. It may be useful if you want something smaller or 
faster-to-start than the Linux-based sys-firewall. It requires around 64MB 
of RAM when running and requires "0.0s" of CPU time to boot, according to 
"xl list". It does not need or use a hard-disk, and does not persist any 
state between reboots.


For installation instructions, see:

  https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md


To upgrade from an earlier release, just overwrite 
/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz in dom0 with the new 
version and restart the firewall VM.


This version extends qubes-mirage-firewall with

   - dynamic rulesets via QubesDB (as defined in Qubes 4.0), and
   - support for DNS hostnames in rules, using the pf-qubes library 
   for parsing.

The DNS client is provided by the DNS library (>= 4.2.0), which caches 
name lookups, so not every packet leads to a DNS lookup when hostname 
rules are in place.

A test unikernel is available in the test subdirectory.

This project was done by @linse <https://github.com/linse> and @yomimono 
<https://github.com/yomimono> in summer 2019, see PR #96 
<https://github.com/mirage/qubes-mirage-firewall/pull/96>.


Additional changes and bugfixes:

   - Support Mirage 3.7 and mirage-nat 2.0.0 (@hannesm 
   <https://github.com/hannesm>, #89 
   <https://github.com/mirage/qubes-mirage-firewall/pull/89>).
   The main improvement is fragmentation and reassembly support.
   - Use the smaller OCurrent images as the base for building the Docker 
   images (@talex5 <https://github.com/talex5>, #80 
   <https://github.com/mirage/qubes-mirage-firewall/pull/80>).
      - Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08)
      - Now: 309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08)
   - Removed unreachable Lwt.catch (@hannesm <https://github.com/hannesm>, #90 
   <https://github.com/mirage/qubes-mirage-firewall/pull/90>).

Documentation:

   - Add note that AppVM used to build from source may need a private image 
   larger than the default 2048MB (@marmot1791 
   <https://github.com/marmot1791>, 
   #83 <https://github.com/mirage/qubes-mirage-firewall/pull/83>).
   - README: create the symlink-redirected docker dir (@xaki23 
   <https://github.com/xaki23>, #75 
   <https://github.com/mirage/qubes-mirage-firewall/pull/75>). Otherwise, 
   installing the docker package removes the dangling symlink.
   - Note that mirage-firewall cannot be used as UpdateVM (@talex5 
   <https://github.com/talex5>, #68 
   <https://github.com/mirage/qubes-mirage-firewall/pull/68>).
   - Fix ln(1) call in build instructions (@jaseg <https://github.com/jaseg>, 
   #69 <https://github.com/mirage/qubes-mirage-firewall/pull/69>). The 
   arguments were backwards.

Keeping up with upstream changes:

   - Support mirage-3.7 via qubes-builder (@xaki23 <https://github.com/xaki23>, 
   #91 <https://github.com/mirage/qubes-mirage-firewall/pull/91>).
   - Remove unused Clock argument to Uplink (@talex5 
   <https://github.com/talex5>, #90 
   <https://github.com/mirage/qubes-mirage-firewall/pull/90>).
   - Rename things for newer mirage-xen versions (@xaki23 
   <https://github.com/xaki23>, #80 
   <https://github.com/mirage/qubes-mirage-firewall/pull/80>).
   - Adjust to ipaddr-4.0.0 renaming _bytes to _octets (@xaki23 
   <https://github.com/xaki23>, #75 
   <https://github.com/mirage/qubes-mirage-firewall/pull/75>).
   - Use OCaml 4.08.0 for qubes-builder builds (was 4.07.1) (@xaki23 
   <https://github.com/xaki23>, #75 
   <https://github.com/mirage/qubes-mirage-firewall/pull/75>).
   - Remove netchannel pin as 1.11.0 is now released (@talex5 
   <https://github.com/talex5>, #72 
   <https://github.com/mirage/qubes-mirage-firewall/pull/72>).
   - Remove cmdliner pin as 1.0.4 is now released (@talex5 
   <https://github.com/talex5>, #71 
   <https://github.com/mirage/qubes-mirage-firewall/pull/71>).

