On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> What's it like to update - is it relatively simple? Would you say it's more
> secure than Debian or Fedora?
It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel
files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and then
restart the Mirage firewalls.
However, I don't know if it's more secure than using a Debian or Fedora based
sys-firewall; it *might* help guard against a 0-day cascade though.
That said, because the Mirage firewall doesn't seem to work with a dispVM (at
least for me, even running the latest code off of GitHub), I still have
sys-firewall running in the background anyway. So what I do is run my
mirage-firewall behind sys-firewall (which in turn is behind sys-net). I don't
know if that's best practice or even has any effect in guarding against a 0-day
cascade, but things still work normally for the machines where I don't do any
custom VM iptables filter rules and the RAM hit isn't too much (I use 32MB).
Note that if you're trying to compile the latest mirage-firewall code from
GitHub (which isn't reflected on the Release pages yet; there have been some
minor changes since the last one), it might be a bit tricky, since if you follow
the default GitHub instructions, the compilation will eventually fail as
mirage-nat tries to pull in older versions of its package dependencies by
default.
What I had to do was follow the GitHub instructions until it failed, run 'opam
upgrade' to update what mirage-nat pulled in, then manually install the latest
version of the tcpip package by running 'opam install tcpip', and then finally
run 'opam install mirage-nat'. After that, following the rest of the GitHub
instructions should be fine. That'll work with both the 4.02.3 OCaml compiler
and the 4.03.0+flambda compiler. Compiling mirage-firewall won't work yet with
the 4.04 series compilers because the version of mirage-xen in the repository
only works with up to version 4.03. The code on mirage-xen's GitHub page was
updated to work with 4.04 a while back, but a release roll-up hasn't been
pushed out to the repositories yet; not sure when that'll happen.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/811bb4e9-0f2a-46fa-96b8-7e8d1f6d190a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
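The dom0 update procedure described in the reply above (shut the Mirage firewall VMs down, copy the new kernel files under /var/lib/qubes/vm-kernels, start the VMs again) as a small shell script. This is an added example, not code from the poster or from the mirage-firewall project. It assumes a per-kernel subdirectory /var/lib/qubes/vm-kernels/<kernel-name>/ (the post only says "the relevant directory"), takes the VM names as arguments, and uses a QVM_RUN prefix variable (an assumption of this example, not a Qubes feature) so the copy-and-verify logic can be dry-run outside dom0 with QVM_RUN=echo.

```shell
#!/bin/sh
# Added example (not from the original post): stage a new mirage-firewall
# kernel into dom0's vm-kernels directory and cycle the VMs that use it.
# Assumptions (not stated in the post): the <kernel-name> subdirectory layout,
# the VM names passed on the command line, and the QVM_RUN prefix used to
# dry-run the qvm-* calls (QVM_RUN=echo) outside dom0.
set -eu

KERNELS_ROOT="${KERNELS_ROOT:-/var/lib/qubes/vm-kernels}"
QVM_RUN="${QVM_RUN:-}"

# Copy every regular file from the build directory into the kernel directory
# and return 0 only if each copied file matches its source byte for byte, so a
# truncated or partial copy never ends up being booted by a firewall VM.
stage_kernel() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp -f "$f" "$dest/"
        cmp -s "$f" "$dest/$(basename "$f")" || return 1
    done
    return 0
}

# Number of regular files in a kernel directory, so a caller can confirm that
# something was actually staged rather than an empty build directory.
staged_count() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Full update: stop the Mirage VMs first (the kernel must not change under a
# running VM), stage and verify the kernel, then start the VMs again.
# Usage: update_mirage_kernel <build-dir> <kernel-name> <vm>...
update_mirage_kernel() {
    build="$1"; name="$2"; shift 2
    for vm in "$@"; do
        $QVM_RUN qvm-shutdown --wait "$vm"
    done
    if ! stage_kernel "$build" "$KERNELS_ROOT/$name"; then
        echo "kernel copy verification failed for $name; VMs left stopped" >&2
        return 1
    fi
    for vm in "$@"; do
        $QVM_RUN qvm-start "$vm"
    done
}

# Run directly from dom0 as: ./update-mirage-kernel.sh ~/mirage-firewall-build mirage-firewall mirage-fw
[ $# -ge 3 ] && update_mirage_kernel "$@"
```

If the verification step fails the VMs are deliberately left stopped, so a half-copied kernel is never booted; re-run after fixing the build directory.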