Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-11-11 Thread Thomas Leonard
On Thursday, November 9, 2017 at 4:18:13 AM UTC, Jean-Philippe Ouellet wrote:
> On Wed, Nov 8, 2017 at 3:09 PM, Thomas Leonard wrote:
> > On Thursday, April 13, 2017 at 1:33:53 PM UTC+1, Thomas Leonard wrote:
> >> On Thursday, April 13, 2017 at 11:08:11 AM UTC+1, Foppe de Haan wrote:
> >> > On Thursday, April 13, 2017 at 10:00:20 AM UTC+2, Thomas Leonard wrote:
> >> > > On Wednesday, April 12, 2017 at 10:32:11 PM UTC+1, Foppe de Haan wrote:
> >> > > > Any clue why Windows 7 won't boot when I have MirageOS selected as 
> >> > > > the firewall?
> >> > >
> >> > > I've never tried it. Do the mirage-firewall logs show anything 
> >> > > interesting when you try to boot Windows?
> >> >
> >> > No, but I do have this log (guest-windows-dm). First log doesn't boot 
> >> > (MirageOS), 2nd does (sys-firewall). Is that of any use?
> >>
> >> Oh, that's more useful than I was expecting! Looks like the Windows boot 
> >> process starts by running MiniOS! It's hanging at
> >>
> >> close network: backend at /local/domain/4/backend/vif/79/0
> >>
> >> I guess it asked the firewall to close the network, and never got a reply 
> >> (because the firewall doesn't have any code to do that).
> >
> > OK, I finally got some time to look into this. I think this patch should 
> > fix it (works for Linux HVM anyway):
> >
> > https://github.com/mirage/mirage-net-xen/pull/67
> >
> > I also made a patch that seems to let the firewall work with disposable VMs:
> >
> > https://github.com/mirage/mirage-net-xen/pull/68
> 
> Sweet :)
> 
> > Both are based on guesswork though - is the Xen netback protocol documented 
> > somewhere?
> 
> In xen src:
> http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/include/public/io/netif.h;hb=refs/heads/master
> 
> netfront / netback in linux:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/xen-netfront.c
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/xen-netback
> 
> And a somewhat outdated but much more approachable introduction in
> section 9.2 (starting p.169) of "The Definitive Guide to the Xen
> Hypervisor" book in case you have access to it.

Thanks. Is there anything about the setup protocol, though? This file seems 
less well commented:

http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/include/public/io/xenbus.h;h=927f9db5528798fca00455fdd687662d68b18b2e;hb=refs/heads/master

BTW, I've updated the Dockerfile to build with the patches applied now, if 
anyone wants to test it:

https://github.com/talex5/qubes-mirage-firewall/

I've had one report from a Qubes 4.0rc1 user that it now works for them (for 
HVM Linux).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e4a1ff93-2c9f-470b-b2da-0cc69f79ba3d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
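The close handshake that hung the Windows boot above (the frontend asks to close its network device, the backend never answers), as an added simulation that is not code from mirage-net-xen, Mini-OS or the Qubes firewall: the state numbers are the XenbusState enum from the xenbus.h file linked above, the answering sequence (frontend Closing -> backend Closing, frontend Closed -> backend Closed) follows what Linux xen-netback does, and the Backend class, its handles_close switch and the poll limit are constructed for illustration.

```python
from enum import IntEnum


class XenbusState(IntEnum):
    """State values from xen/include/public/io/xenbus.h."""
    Unknown = 0
    Initialising = 1
    InitWait = 2
    Initialised = 3
    Connected = 4
    Closing = 5
    Closed = 6
    Reconfiguring = 7
    Reconfigured = 8


class Backend:
    """Constructed stand-in for a netback driver's watch on the frontend's
    xenstore 'state' key.  handles_close=False models a backend with no
    code for the Closing transition (the firewall before the patch);
    handles_close=True answers the way Linux xen-netback does."""

    def __init__(self, handles_close):
        self.state = XenbusState.Connected
        self.handles_close = handles_close
        self.vif_released = False

    def frontend_changed(self, frontend_state):
        if not self.handles_close:
            return                       # watch fires, nobody answers
        if frontend_state == XenbusState.Closing:
            self.state = XenbusState.Closing
        elif frontend_state == XenbusState.Closed:
            self.vif_released = True     # real code drops ring + grants here
            self.state = XenbusState.Closed


def close_network(backend, max_polls=5):
    """Frontend side of the handshake: write Closing, wait for the backend
    to reach Closing, write Closed, wait for backend Closed.
    Returns (completed, transcript); transcript holds (side, state-name)
    pairs.  max_polls bounds each wait so a silent backend is reported as
    a timeout instead of the indefinite hang seen in the guest log."""
    transcript = []

    def frontend_write(state):
        transcript.append(("frontend", state.name))
        backend.frontend_changed(state)

    def wait_for_backend(wanted):
        for _ in range(max_polls):
            if backend.state == wanted:
                transcript.append(("backend", wanted.name))
                return True
        transcript.append(("frontend", "timeout waiting for backend " + wanted.name))
        return False

    frontend_write(XenbusState.Closing)
    if not wait_for_backend(XenbusState.Closing):
        return False, transcript
    frontend_write(XenbusState.Closed)
    if not wait_for_backend(XenbusState.Closed):
        return False, transcript
    return True, transcript


if __name__ == "__main__":
    for handles in (False, True):
        done, log = close_network(Backend(handles_close=handles))
        print("backend handles Closing: %s -> completed: %s" % (handles, done))
        for side, state in log:
            print("   %-8s %s" % (side, state))
```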


Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-11-08 Thread Jean-Philippe Ouellet
On Wed, Nov 8, 2017 at 3:09 PM, Thomas Leonard wrote:
> On Thursday, April 13, 2017 at 1:33:53 PM UTC+1, Thomas Leonard wrote:
>> On Thursday, April 13, 2017 at 11:08:11 AM UTC+1, Foppe de Haan wrote:
>> > On Thursday, April 13, 2017 at 10:00:20 AM UTC+2, Thomas Leonard wrote:
>> > > On Wednesday, April 12, 2017 at 10:32:11 PM UTC+1, Foppe de Haan wrote:
>> > > > Any clue why Windows 7 won't boot when I have MirageOS selected as the 
>> > > > firewall?
>> > >
>> > > I've never tried it. Do the mirage-firewall logs show anything 
>> > > interesting when you try to boot Windows?
>> >
>> > No, but I do have this log (guest-windows-dm). First log doesn't boot 
>> > (MirageOS), 2nd does (sys-firewall). Is that of any use?
>>
>> Oh, that's more useful than I was expecting! Looks like the Windows boot 
>> process starts by running MiniOS! It's hanging at
>>
>> close network: backend at /local/domain/4/backend/vif/79/0
>>
>> I guess it asked the firewall to close the network, and never got a reply 
>> (because the firewall doesn't have any code to do that).
>
> OK, I finally got some time to look into this. I think this patch should fix 
> it (works for Linux HVM anyway):
>
> https://github.com/mirage/mirage-net-xen/pull/67
>
> I also made a patch that seems to let the firewall work with disposable VMs:
>
> https://github.com/mirage/mirage-net-xen/pull/68

Sweet :)

> Both are based on guesswork though - is the Xen netback protocol documented 
> somewhere?

In xen src:
http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/include/public/io/netif.h;hb=refs/heads/master

netfront / netback in linux:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/xen-netfront.c
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/xen-netback

And a somewhat outdated but much more approachable introduction in
section 9.2 (starting p.169) of "The Definitive Guide to the Xen
Hypervisor" book in case you have access to it.



[qubes-users] Re: Question to Mirage OS firewall users

2017-11-08 Thread talex5hangout
On Thursday, April 13, 2017 at 1:33:53 PM UTC+1, Thomas Leonard wrote:
> On Thursday, April 13, 2017 at 11:08:11 AM UTC+1, Foppe de Haan wrote:
> > On Thursday, April 13, 2017 at 10:00:20 AM UTC+2, Thomas Leonard wrote:
> > > On Wednesday, April 12, 2017 at 10:32:11 PM UTC+1, Foppe de Haan wrote:
> > > > Any clue why Windows 7 won't boot when I have MirageOS selected as the 
> > > > firewall?
> > > 
> > > I've never tried it. Do the mirage-firewall logs show anything 
> > > interesting when you try to boot Windows?
> > 
> > No, but I do have this log (guest-windows-dm). First log doesn't boot 
> > (MirageOS), 2nd does (sys-firewall). Is that of any use?
> 
> Oh, that's more useful than I was expecting! Looks like the Windows boot 
> process starts by running MiniOS! It's hanging at
> 
> close network: backend at /local/domain/4/backend/vif/79/0
> 
> I guess it asked the firewall to close the network, and never got a reply 
> (because the firewall doesn't have any code to do that).

OK, I finally got some time to look into this. I think this patch should fix it 
(works for Linux HVM anyway):

https://github.com/mirage/mirage-net-xen/pull/67

I also made a patch that seems to let the firewall work with disposable VMs:

https://github.com/mirage/mirage-net-xen/pull/68

Both are based on guesswork though - is the Xen netback protocol documented 
somewhere?



[qubes-users] Re: Question to Mirage OS firewall users

2017-04-13 Thread Thomas Leonard
On Wednesday, April 12, 2017 at 10:32:11 PM UTC+1, Foppe de Haan wrote:
> Any clue why Windows 7 won't boot when I have MirageOS selected as the 
> firewall?

I've never tried it. Do the mirage-firewall logs show anything interesting when 
you try to boot Windows?



[qubes-users] Re: Question to Mirage OS firewall users

2017-04-12 Thread Foppe de Haan
Any clue why Windows 7 won't boot when I have MirageOS selected as the firewall?



[qubes-users] Re: Question to Mirage OS firewall users

2017-03-27 Thread Thomas Leonard
On Sunday, March 19, 2017 at 10:11:04 AM UTC, Foppe de Haan wrote:
> Stable so far. (Current uptime 12h, it crashed well before that when it 
> wasn't.)

Thanks for testing!

I've made a new release of that version now (identical binary):

https://github.com/talex5/qubes-mirage-firewall/releases/tag/v0.3



[qubes-users] Re: Question to Mirage OS firewall users

2017-03-19 Thread Foppe de Haan
Stable so far. (Current uptime 12h, it crashed well before that when it wasn't.)



[qubes-users] Re: Question to Mirage OS firewall users

2017-03-18 Thread Thomas Leonard
On Friday, February 24, 2017 at 1:16:55 PM UTC, Foppe de Haan wrote:
> On Tuesday, February 7, 2017 at 6:22:53 PM UTC+1, Thomas Leonard wrote:
> > On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> > > On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > > > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've 
> > > > > allocated 60mb ram, but it crashes within 2-8 hours here, which is 
> > > > > kind of disappointing.
> > > > 
> > > > Do the logs show an out-of-memory error when that happens? I haven't 
> > > > seen one for a long time now, but maybe torrents stress it more than 
> > > > usual.
> > > > 
> > > > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > > > there's a Mirage hackathon next month and I'm hoping to get some time 
> > > > to work on this there.
> > > 
> > > Yes. "Fatal error: out or memory. Mirage exiting with status 2"
> > 
> > By the way, what version of the firewall are you using?
> > If it's not qubes-mirage-firewall v0.2 then try upgrading first - there 
> > were lots of OOM problems in v0.1.
> > 
> > > That said, 2 minutes earlier the log notes that memory use was still only 
> > > at 16.7/38.2 MB.
> > 
> > The annoying thing about hashtables is the way they suddenly double in 
> > size. Since you're allocating 60 MB to the firewall (I only use 20 MB for 
> > mine), you could try adjusting the thresholds at these two lines:
> > 
> > https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
> > https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47
> > 
> > Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If 
> > the NAT table is the cause, that should make the problem go away.
> > 
> > > (Most of the log -- 90-95% -- consists of 'Failed to parse frame' 
> > > messages, btw.)
> > 
> > "Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) 
> > packet and therefore didn't handle it. Another thing I'm hoping to fix 
> > soon... https://github.com/yomimono/mirage-nat/issues/15
> 
> It looks stable now (uptime 3-4 days since last reboot, whereas before it 
> only lasted ~8h max).

Thanks for the report! I've now made some updates to the firewall:

- It now uses an LRU-cache to drop old entries, rather than growing until it 
runs out of memory.

- ICMP queries (e.g. ping) and errors (e.g. Host unreachable) now work (they 
were dropped before).

- I've ported it to the new Mirage 3 release.

There are quite a lot of changes, so I'd be happy to get reports about whether 
it works or not (I've just started running the new version on my laptop).



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-24 Thread Foppe de Haan
On Tuesday, February 7, 2017 at 6:22:53 PM UTC+1, Thomas Leonard wrote:
> On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> > On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've 
> > > > allocated 60mb ram, but it crashes within 2-8 hours here, which is kind 
> > > > of disappointing.
> > > 
> > > Do the logs show an out-of-memory error when that happens? I haven't seen 
> > > one for a long time now, but maybe torrents stress it more than usual.
> > > 
> > > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > > there's a Mirage hackathon next month and I'm hoping to get some time to 
> > > work on this there.
> > 
> > Yes. "Fatal error: out or memory. Mirage exiting with status 2"
> 
> By the way, what version of the firewall are you using?
> If it's not qubes-mirage-firewall v0.2 then try upgrading first - there were 
> lots of OOM problems in v0.1.
> 
> > That said, 2 minutes earlier the log notes that memory use was still only 
> > at 16.7/38.2 MB.
> 
> The annoying thing about hashtables is the way they suddenly double in size. 
> Since you're allocating 60 MB to the firewall (I only use 20 MB for mine), 
> you could try adjusting the thresholds at these two lines:
> 
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47
> 
> Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If the 
> NAT table is the cause, that should make the problem go away.
> 
> > (Most of the log -- 90-95% -- consists of 'Failed to parse frame' messages, 
> > btw.)
> 
> "Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) packet 
> and therefore didn't handle it. Another thing I'm hoping to fix soon... 
> https://github.com/yomimono/mirage-nat/issues/15

It looks stable now (uptime 3-4 days since last reboot, whereas before it only 
lasted ~8h max).



Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-02-19 Thread Thomas Leonard
On Wednesday, February 8, 2017 at 4:59:16 PM UTC, Jean-Philippe Ouellet wrote:
> On Sat, Jan 28, 2017 at 9:13 AM, Thomas Leonard wrote:
> > I'm not sure why my DispVM is Fedora 23 when my default template is Fedora 
> > 24, but anyway...
> 
> If fedora24 is indeed your default template, try:
> [user@dom0 ~]$ qvm-create-default-dvm --default-template

That fixed it - thanks!



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-09 Thread Thomas Leonard
On Tuesday, February 7, 2017 at 5:31:25 PM UTC, Foppe de Haan wrote:
> On Tuesday, February 7, 2017 at 6:22:53 PM UTC+1, Thomas Leonard wrote:
> > On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> > > On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > > > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've 
> > > > > allocated 60mb ram, but it crashes within 2-8 hours here, which is 
> > > > > kind of disappointing.
> > > > 
> > > > Do the logs show an out-of-memory error when that happens? I haven't 
> > > > seen one for a long time now, but maybe torrents stress it more than 
> > > > usual.
> > > > 
> > > > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > > > there's a Mirage hackathon next month and I'm hoping to get some time 
> > > > to work on this there.
> > > 
> > > Yes. "Fatal error: out or memory. Mirage exiting with status 2"
> > 
> > By the way, what version of the firewall are you using?
> > If it's not qubes-mirage-firewall v0.2 then try upgrading first - there 
> > were lots of OOM problems in v0.1.
> > 
> > > That said, 2 minutes earlier the log notes that memory use was still only 
> > > at 16.7/38.2 MB.
> > 
> > The annoying thing about hashtables is the way they suddenly double in 
> > size. Since you're allocating 60 MB to the firewall (I only use 20 MB for 
> > mine), you could try adjusting the thresholds at these two lines:
> > 
> > https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
> > https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47
> > 
> > Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If 
> > the NAT table is the cause, that should make the problem go away.
> > 
> > > (Most of the log -- 90-95% -- consists of 'Failed to parse frame' 
> > > messages, btw.)
> > 
> > "Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) 
> > packet and therefore didn't handle it. Another thing I'm hoping to fix 
> > soon... https://github.com/yomimono/mirage-nat/issues/15
> 
> I built it using docker about 2 days ago. Will do the other things you 
> mentioned, report back when I know more :)

Thanks! If that is the cause of the memory problem, it should be easy to fix 
anyway.



Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-02-08 Thread Jean-Philippe Ouellet
On Sat, Jan 28, 2017 at 9:13 AM, Thomas Leonard wrote:
> I'm not sure why my DispVM is Fedora 23 when my default template is Fedora 
> 24, but anyway...

If fedora24 is indeed your default template, try:
[user@dom0 ~]$ qvm-create-default-dvm --default-template

If that does not work it may be a bug worth reporting. As a workaround, try:
[user@dom0 ~]$ qvm-create-default-dvm 

See https://www.qubes-os.org/doc/dispvm-customization



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
On Tuesday, February 7, 2017 at 6:22:53 PM UTC+1, Thomas Leonard wrote:
> On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> > On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've 
> > > > allocated 60mb ram, but it crashes within 2-8 hours here, which is kind 
> > > > of disappointing.
> > > 
> > > Do the logs show an out-of-memory error when that happens? I haven't seen 
> > > one for a long time now, but maybe torrents stress it more than usual.
> > > 
> > > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > > there's a Mirage hackathon next month and I'm hoping to get some time to 
> > > work on this there.
> > 
> > Yes. "Fatal error: out or memory. Mirage exiting with status 2"
> 
> By the way, what version of the firewall are you using?
> If it's not qubes-mirage-firewall v0.2 then try upgrading first - there were 
> lots of OOM problems in v0.1.
> 
> > That said, 2 minutes earlier the log notes that memory use was still only 
> > at 16.7/38.2 MB.
> 
> The annoying thing about hashtables is the way they suddenly double in size. 
> Since you're allocating 60 MB to the firewall (I only use 20 MB for mine), 
> you could try adjusting the thresholds at these two lines:
> 
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
> https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47
> 
> Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If the 
> NAT table is the cause, that should make the problem go away.
> 
> > (Most of the log -- 90-95% -- consists of 'Failed to parse frame' messages, 
> > btw.)
> 
> "Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) packet 
> and therefore didn't handle it. Another thing I'm hoping to fix soon... 
> https://github.com/yomimono/mirage-nat/issues/15

I built it using docker about 2 days ago. Will do the other things you 
mentioned, report back when I know more :)



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Thomas Leonard
On Tuesday, February 7, 2017 at 4:51:06 PM UTC, Foppe de Haan wrote:
> On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> > On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > > Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> > > 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> > > disappointing.
> > 
> > Do the logs show an out-of-memory error when that happens? I haven't seen 
> > one for a long time now, but maybe torrents stress it more than usual.
> > 
> > If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - 
> > there's a Mirage hackathon next month and I'm hoping to get some time to 
> > work on this there.
> 
> Yes. "Fatal error: out or memory. Mirage exiting with status 2"

By the way, what version of the firewall are you using?
If it's not qubes-mirage-firewall v0.2 then try upgrading first - there were 
lots of OOM problems in v0.1.

> That said, 2 minutes earlier the log notes that memory use was still only at 
> 16.7/38.2 MB.

The annoying thing about hashtables is the way they suddenly double in size. 
Since you're allocating 60 MB to the firewall (I only use 20 MB for mine), you 
could try adjusting the thresholds at these two lines:

https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L41
https://github.com/talex5/qubes-mirage-firewall/blob/master/memory_pressure.ml#L47

Change the 0.9 (allow 90% of memory to be used) to 0.4 in both places. If the 
NAT table is the cause, that should make the problem go away.

> (Most of the log -- 90-95% -- consists of 'Failed to parse frame' messages, 
> btw.)

"Failed to parse frame" probably means it saw an ICMP (not TCP or UDP) packet 
and therefore didn't handle it. Another thing I'm hoping to fix soon... 
https://github.com/yomimono/mirage-nat/issues/15

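The hashtable-doubling argument above and the LRU-cache change described in the 2017-03-18 message, as an added simulation that is not code from qubes-mirage-firewall or mirage-nat: only the 0.9 and 0.4 factors and the 20 MB budget come from the thread; the two table classes, the 200-byte per-entry cost, the initial capacity of 16 and the sample flows are constructed. It pushes 70,000 distinct flows through each table and reports which table survives and how many mappings it still holds.

```python
from collections import OrderedDict

MB = 1024 * 1024


class PressureNat:
    """Unbounded hashtable guarded by a pressure check (the v0.2 approach).
    Growth is modelled as capacity doubling; before each insert, if the
    table's footprint exceeds threshold * total the table is cleared (all
    flows lost), which is what memory_pressure.ml's 0.9 / 0.4 factor gates.
    entry_bytes and the initial capacity of 16 are constructed estimates."""

    def __init__(self, total_bytes, threshold, entry_bytes=200):
        self.total = total_bytes
        self.threshold = threshold
        self.entry_bytes = entry_bytes
        self.table, self.capacity, self.resets = {}, 16, 0

    def used_bytes(self):
        return self.capacity * self.entry_bytes

    def add(self, key, value):
        if self.used_bytes() > self.threshold * self.total:
            self.table, self.capacity, self.resets = {}, 16, self.resets + 1
        if len(self.table) == self.capacity:
            self.capacity *= 2              # the sudden doubling
            if self.used_bytes() > self.total:
                raise MemoryError("out of memory")   # unikernel exits here
        self.table[key] = value


class LruNat:
    """Bounded table (the later LRU-cache approach): inserting past the
    capacity evicts the least recently used mapping, so the footprint has a
    fixed ceiling and only idle flows are lost."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = OrderedDict()
        self.evictions = 0

    def lookup(self, key):
        value = self.table.get(key)
        if value is not None:
            self.table.move_to_end(key)     # refresh: recently used
        return value

    def add(self, key, value):
        if key in self.table:
            self.table.move_to_end(key)
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # evict the oldest flow
            self.evictions += 1
        self.table[key] = value


def flow_key(proto, src, sport, dst, dport):
    """5-tuple NAT key.  For ICMP echo the two port slots carry the echo
    identifier, which is how ping can be translated instead of dropped."""
    return (proto, src, sport, dst, dport)


def sample_flow(i):
    """Constructed torrent-like churn: the i-th distinct outbound UDP flow
    and the external (ip, port) the firewall maps it to."""
    key = flow_key("udp", "10.137.2.5", 1024 + i % 64000,
                   "198.51.100.%d" % (1 + i // 64000), 6881)
    return key, ("10.137.2.1", 40000 + i % 20000)


def simulate(nat, n_flows):
    """Open n_flows distinct flows; returns (survived, entries_left)."""
    try:
        for i in range(n_flows):
            key, value = sample_flow(i)
            nat.add(key, value)
    except MemoryError:
        return False, len(nat.table)
    return True, len(nat.table)


if __name__ == "__main__":
    for label, nat in (("threshold 0.9", PressureNat(20 * MB, 0.9)),
                       ("threshold 0.4", PressureNat(20 * MB, 0.4)),
                       ("LRU 32768", LruNat(32768))):
        survived, left = simulate(nat, 70000)
        print("%-14s survived=%s entries=%d" % (label, survived, left))
```

With the 0.9 factor the check passes at 65,536 entries and the next doubling exceeds the whole budget, which is the "fine two minutes ago, OOM now" pattern reported above; the LRU table never exceeds its ceiling and keeps the most recent flows.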


[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
On Tuesday, February 7, 2017 at 5:24:58 PM UTC+1, Thomas Leonard wrote:
> On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> > Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> > 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> > disappointing.
> 
> Do the logs show an out-of-memory error when that happens? I haven't seen one 
> for a long time now, but maybe torrents stress it more than usual.
> 
> If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - there's 
> a Mirage hackathon next month and I'm hoping to get some time to work on this 
> there.

Yes. "Fatal error: out or memory. Mirage exiting with status 2"
That said, 2 minutes earlier the log notes that memory use was still only at 
16.7/38.2 MB. (Most of the log -- 90-95% -- consists of 'Failed to parse frame' 
messages, btw.)



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Thomas Leonard
On Tuesday, February 7, 2017 at 3:55:30 PM UTC, Foppe de Haan wrote:
> Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 
> 60mb ram, but it crashes within 2-8 hours here, which is kind of 
> disappointing.

Do the logs show an out-of-memory error when that happens? I haven't seen one 
for a long time now, but maybe torrents stress it more than usual.

If so, it could be https://github.com/yomimono/mirage-nat/issues/17 - there's a 
Mirage hackathon next month and I'm hoping to get some time to work on this 
there.



[qubes-users] Re: Question to Mirage OS firewall users

2017-02-07 Thread Foppe de Haan
Anyone else tried to use MirageOS i.c.w. a torrent client? I've allocated 60mb 
ram, but it crashes within 2-8 hours here, which is kind of disappointing.



[qubes-users] Re: Question to Mirage OS firewall users

2017-01-28 Thread Thomas Leonard
On Saturday, December 10, 2016 at 5:36:29 PM UTC, Reg Tiangha wrote:
> On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> > What's it like to update - is it relatively simple? Would you say it's more 
> > secure than Debian or Fedora?
> 
> It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel 
> files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and 
> then restart the Mirage firewalls.
> 
[...]
> Note that if you're trying to compile the latest mirage firewall code from 
> github (which isn't reflected on the Release pages yet; there have been some 
> minor changes since the last one), it might be a bit tricky since if you 
> follow the default github instructions, the compilation will eventually fail 
> as mirage-nat tries to pull in older versions of its package dependencies by 
> default.

It seems to work for me. To make things more predictable, I've added a script 
to build it with Docker:

sudo yum install docker
sudo systemctl start docker
git clone https://github.com/talex5/qubes-mirage-firewall.git
cd qubes-mirage-firewall
sudo ./build-with-docker.sh

The Dockerfile uses a fixed version of opam-repository, so it shouldn't break 
even if something gets updated. It also prints out the sha256sum of the binary 
it built and the expected hash (hard-coded in the file), e.g.

$ sudo ./build-with-docker.sh
[...]
SHA2 of build:   f0c1a06fc4b02b494c81972dc89419af6cffa73b75839c0e8ee3798d77bf69b3  mir-qubes-firewall.xen
SHA2 last known: f0c1a06fc4b02b494c81972dc89419af6cffa73b75839c0e8ee3798d77bf69b3

I'd be interested to know if other people get the same hash (of course, the 
hash will change if you e.g. modify the rules.ml file to change the policy).

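The hash comparison the build script prints can be turned into a hard check before the image is copied into dom0. This is an added example, not code from the original post or from the qubes-mirage-firewall project; the file name and the expected hash are passed in as arguments and are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post or the qubes-mirage-firewall
# project): verify a freshly built unikernel image against the expected
# SHA-256 before installing it, instead of eyeballing two printed hashes.

# verify_build FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256 (case-insensitive),
# 1 on mismatch, 2 when FILE is missing or EXPECTED_SHA256 is malformed.
verify_build() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 hex digest is exactly 64 hex characters; reject anything
    # else so an empty or truncated expected value can never "match".
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed expected hash" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "malformed expected hash" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage: ./verify-build.sh mir-qubes-firewall.xen <expected sha256>
# (the file name is the one the post's build script produces; the hash is
# whatever the script reports as "SHA2 last known").
if [ $# -ge 2 ]; then
    verify_build "$1" "$2"
fi
```

Running it with the hash from the post as the second argument gives a non-zero exit on any mismatch, so it can gate the copy into /var/lib/qubes/vm-kernels.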


[qubes-users] Re: Question to Mirage OS firewall users

2017-01-28 Thread Thomas Leonard
On Thursday, January 19, 2017 at 12:07:17 AM UTC, Reg Tiangha wrote:
> On 2017-01-18 7:30 AM, Антон Чехов wrote:
> > Hi!
> > 
> > Is anyone using the mirage firewall in connection with a proxyVM? How do 
> > you configure it properly? Does it handle qubes-firewall-users-scripts?
> > 
> 
> I've run a Mirage-based firewall both in front of and behind a
> firewallVM and they chain together fine. Mirage Firewall in its current
> iteration does *not* respect modifications to firewall rules via Qubes
> and has to be inputted manually (there are some instructions on how to
> do that on the software author's blog). It isn't to say that Mirage
> Firewall couldn't do it one day, but I believe the author of the code is
> leaving it up as an exercise for the reader. Maybe he'll get around to
> implementing it, or maybe not, but from a purely technical standpoint,
> there's no reason why it couldn't be modified to work with Qubes
> firewall user scripts, it's just that it hasn't been implemented yet.
> 
> Note that even if you're running the latest code off of GitHub,
> currently, Mirage Firewall still doesn't work correctly with DispVMs (or
> at least, I haven't been able to get it to work; the DispVM connects to
> it, but there's no traffic), even though there were some minimal fixes
> applied to try to handle how it handles IP addresses from a different
> pool. Works fine with AppVMs, though, as well as TemplateVMs, at least
> in my experience.

It works for me if I take the interface down and bring it up again in the 
dispVM, e.g.

[user@fedora-23-dvm ~]$ sudo ifconfig eth0 down && sudo ifconfig eth0 up
[user@fedora-23-dvm ~]$ sudo route add $(qubesdb-read /qubes-gateway) dev eth0
[user@fedora-23-dvm ~]$ sudo route add default gw $(qubesdb-read /qubes-gateway)
[user@fedora-23-dvm ~]$ curl http://www.google.com

302 Moved
The document has moved
http://www.google.co.uk/?gfe_rd=crei=vKSMWOn7F6vP8Aeg4KeoAQ here.

The odd thing is that, as far as I can see, reinitialising the interface is 
something that only affects Linux (no interaction with the firewall).

(and I'm not sure why my DispVM is Fedora 23 when my default template is Fedora 
24, but anyway...)



[qubes-users] Re: Question to Mirage OS firewall users

2017-01-19 Thread Антон Чехов
On Thursday, January 19, 2017 at 1:07:17 AM UTC+1, Reg Tiangha wrote:
> On 2017-01-18 7:30 AM, Антон Чехов wrote:
> > Hi!
> > 
> > Is anyone using the mirage firewall in connection with a proxyVM? How do 
> > you configure it properly? Does it handle qubes-firewall-users-scripts?
> > 
> 
> I've run a Mirage-based firewall both in front of and behind a
> firewallVM and they chain together fine. Mirage Firewall in its current
> iteration does *not* respect modifications to firewall rules via Qubes
> and has to be inputted manually (there are some instructions on how to
> do that on the software author's blog). It isn't to say that Mirage
> Firewall couldn't do it one day, but I believe the author of the code is
> leaving it up as an exercise for the reader. Maybe he'll get around to
> implementing it, or maybe not, but from a purely technical standpoint,
> there's no reason why it couldn't be modified to work with Qubes
> firewall user scripts, it's just that it hasn't been implemented yet.
> 
> Note that even if you're running the latest code off of GitHub,
> currently, Mirage Firewall still doesn't work correctly with DispVMs (or
> at least, I haven't been able to get it to work; the DispVM connects to
> it, but there's no traffic), even though there were some minimal fixes
> applied to try to handle how it handles IP addresses from a different
> pool. Works fine with AppVMs, though, as well as TemplateVMs, at least
> in my experience.

@Reg & Willy
Thank you for sharing your experiences and the advice. I will try to wrap my 
head around this topic.
I have been trying the firewall with an AppVM already and it looked like it was 
working fine but I have to dig deeper into the process (for my understanding). 



Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-01-19 Thread WillyPillow
 Original Message 
Subject: [qubes-users] Re: Question to Mirage OS firewall users
Local Time: January 19, 2017 12:06 AM
UTC Time: January 19, 2017 12:06 AM
From: r...@reginaldtiangha.com
To: qubes-users@googlegroups.com

On 2017-01-18 7:30 AM, Антон Чехов wrote:
> Hi!
>
> Is anyone using the mirage firewall in connection with a proxyVM? How do you 
> configure it properly? Does it handle qubes-firewall-users-scripts?
>

I've run a Mirage-based firewall both in front of and behind a
firewallVM and they chain together fine. Mirage Firewall in its current
iteration does *not* respect modifications to firewall rules via Qubes
and has to be inputted manually (there are some instructions on how to
do that on the software author's blog). It isn't to say that Mirage
Firewall couldn't do it one day, but I believe the author of the code is
leaving it up as an exercise for the reader. Maybe he'll get around to
implementing it, or maybe not, but from a purely technical standpoint,
there's no reason why it couldn't be modified to work with Qubes
firewall user scripts, it's just that it hasn't been implemented yet.

Note that even if you're running the latest code off of GitHub,
currently, Mirage Firewall still doesn't work correctly with DispVMs (or
at least, I haven't been able to get it to work; the DispVM connects to
it, but there's no traffic), even though there were some minimal fixes
applied to try to handle how it handles IP addresses from a different
pool. Works fine with AppVMs, though, as well as TemplateVMs, at least
in my experience.


A workaround for dispVMs is creating the savefile without a firewallVM (i.e. 
set as "none"), then for each fresh dispVM, manually assign it to sys-mirage 
after it has been started.

--WillyPillow



Re: [qubes-users] Re: Question to Mirage OS firewall users

2016-12-10 Thread Chris Laprise

On 12/10/2016 12:36 PM, rtian...@gmail.com wrote:
> On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> > What's it like to update - is it relatively simple? Would you say it's more 
> > secure than Debian or Fedora?
> 
> It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel 
> files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and then 
> restart the Mirage firewalls.
> 
> However, I don't know if it's more secure than using a Debian or Fedora based 
> sys-firewall; it *might* help guard against a 0 day cascade though.


My feeling is this is a good step in exploring minimal resource use and 
attack surface. But in this particular role--firewalls--the risk is 
fairly low. Qubes configures sys-firewall as 'green' I think for this 
reason.


Where this kind of minimization may be more valuable is in running 
high-risk VMs like sys-net and sys-usb, but that is understandably more 
complex.


Chris



[qubes-users] Re: Question to Mirage OS firewall users

2016-12-10 Thread rtiangha
On Saturday, December 10, 2016 at 6:03:17 AM UTC-7, jkitt wrote:
> What's it like to update - is it relatively simple? Would you say it's more 
> secure than Debian or Fedora?

It's easy. Shut down your Mirage OS Firewall VMs, copy over the new kernel 
files to the relevant directory in /var/lib/qubes/vm-kernels in dom0, and then 
restart the Mirage firewalls.

However, I don't know if it's more secure than using a Debian or Fedora based 
sys-firewall; it *might* help guard against a 0 day cascade though.

That said, because the Mirage firewall doesn't seem to work with a dispVM (at 
least for me, even running the latest code off of github), I still have 
sys-firewall running in the background anyways. So what I do is run my 
mirage-firewall behind sys-firewall (which in turn is behind sys-net). I don't 
know if that's best practice or even has any effect in guarding against a 0-day 
cascade, but things still work normally for the machines where I don't do any 
custom vm iptables filter rules and the ram hit isn't too much (I use 32MB).

Note that if you're trying to compile the latest mirage firewall code from 
github (which isn't reflected on the Release pages yet; there have been some 
minor changes since the last one), it might be a bit tricky since if you follow 
the default github instructions, the compilation will eventually fail as 
mirage-nat tries to pull in older versions of its package dependencies by 
default.

What I had to do was follow the github instructions until it failed, run 'opam 
upgrade' to update what mirage-nat pulled in, then manually install the latest 
version of the tcpip package by running 'opam install tcpip' and then finally 
run 'opam install mirage-nat'. After that, following the rest of the github 
instructions should be fine. That'll work with both the 4.02.3 OCaml compiler 
and the 4.03.0+flambda compiler. Compiling mirage-firewall won't work yet with 
the 4.04 series compilers because the version of mirage-xen in the repository 
only works with up to version 4.03. The code on mirage-xen's github page was 
updated to work with 4.04 a while back, but a release roll-up hasn't been 
pushed out to the repositories yet; not sure when that'll happen.
