Re: [qubes-users] qubes-mirage-firewall 0.7

2020-05-27 Thread 'hut7no' via qubes-users 
Thank you so much for your work, I have saved so much time and memory because 
of your amazing firewall!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200527180038.GC805%40mail2-dvm.

Re: [qubes-users] qubes-mirage-firewall 0.7

2020-05-25 Thread bernhard haak 

On 5/19/20 3:11 PM, sschi...@gmail.com wrote:

I'm pleased to announce the release of qubes-mirage-firewall 0.7:

  https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7 



I try to build on buster, but already new-docker fails.

DKMS: install completed.
Building initial module for 4.19.120-1.pvops.qubes.x86_64
Error! Bad return status for module build on kernel: 
4.19.120-1.pvops.qubes.x86_64 (x86_64)
Consult /var/lib/dkms/aufs/4.19+20190211/build/make.log for more 
information.

dpkg: error processing package aufs-dkms (--configure):
 installed aufs-dkms package post-installation script subprocess 
returned error exit status 10

Errors were encountered while processing:
 aufs-dkms


If I ignore it, (docker is installed, but incomplete), the build fails, 
without surprise. Someone has a hint on that?  Cheers, Bernhard


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b8f1d893-192b-7722-4962-18bb14cfce33%40free.fr.

Re: [qubes-users] qubes-mirage-firewall 0.7

2020-05-25 Thread dhorf-hfref . 4a288f10 
On Mon, May 25, 2020 at 02:23:08AM -0700, sschi...@gmail.com wrote:
> On Saturday, 23 May 2020 17:24:42 UTC+2, qubeslover wrote:
> Is there any plan to create a package for Qubes Dom0 repo for the future?
> We are planning to collaborate with Qubes folks on packaging it. 

there is
https://github.com/QubesOS/qubes-builder/blob/master/example-configs/mirage.conf
which builds mirage firewall (and ssh-agent) as a template-vm, 
which reduces the problem to the more generic "how to ship/install 
a template" (which can be handled entirely outside dom0 already)
as opposed to the very mirage-specific "how to install a vm-kernel in
dom0" (which is very dom0 oriented).

it actualy works well enough, i have been building+deploying all my
mirage vms for more than a year this way.

there are some points left to improve:

1) how to include vm-specific prefs/feats with a template pkg.
   this mainly needs a way for a vm-specific builder to include
   a file in the final rpm, and that isnt really straightforward
   since the rpm-builder and vm-builder are like three layers of
   abstraction apart.

2) "@tag:buildvm @tag:created-by-@srcvm allow" in qubesrpc-policy.
   the "reference srcvm in dstvm spec" part doesnt exist.

3) automated way to create the pvgrub vm-kernel entry. (probably salt)

4) polishing. (which doesnt make too much sense as long as 1-3 are open)

these are not actualy required, but would make the whole thing a lot
more userfriendly.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200525100335.GU1079%40priv-mua.

Re: [qubes-users] qubes-mirage-firewall 0.7

2020-05-25 Thread sschirme 


On Saturday, 23 May 2020 17:24:42 UTC+2, qubeslover wrote:

Is there any plan to create a package for Qubes Dom0 repo for the future?
>

Thanks for your interest! We are planning to collaborate with Qubes folks 
on packaging it. 
There is no timeline yet, stay tuned. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b5aac67d-477c-4314-9bb3-cff0d5cb713a%40googlegroups.com.

Re: [qubes-users] qubes-mirage-firewall 0.7

2020-05-23 Thread 'qubeslover' via qubes-users 
Sent with [ProtonMail](https://protonmail.com) Secure Email.

‐‐‐ Original Message ‐‐‐
On Tuesday, May 19, 2020 3:11 PM,  wrote:

> I'm pleased to announce the release of qubes-mirage-firewall 0.7:
>
> [ 
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7](https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7)
>
> This is a unikernel that can run as a QubesOS ProxyVM, replacing 
> sys-firewall. It may be useful if you want something smaller or 
> faster-to-start than the Linux-based sys-firewall. It requires around 64MB of 
> RAM when running and requires "0.0s" of CPU time to boot, according to "xl 
> list". It does not need or use a hard-disk, and does not persist any state 
> between reboots.

Excellent!

Built it in a Debian VM, copied the mirage-firewall kernel to Dom0, created a 
dedicated standalone VM (only 32Mb) and works great! (I am testing it as main 
firewall and so far no problem).

Is there any plan to create a package for Qubes Dom0 repo for the future?

Cheers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2GoCgPKzAj2UK9VRXtej4f7NRtYn5od5gD-LC0LhspPQ18r2UJhRtxP829noXMBw104u_MynuuCqvRdtXs-Baug3gQXpmKeTO_OGabWsiNQ%3D%40protonmail.com.

[qubes-users] qubes-mirage-firewall 0.7

2020-05-19 Thread sschirme 
I'm pleased to announce the release of qubes-mirage-firewall 0.7:

 https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7 



This is a unikernel that can run as a QubesOS ProxyVM, replacing 
sys-firewall. It may be useful if you want something smaller or 
faster-to-start than the Linux-based sys-firewall. It requires around 64MB 
of RAM when running and requires "0.0s" of CPU time to boot, according to 
"xl list". It does not need or use a hard-disk, and does not persist any 
state between reboots.


For installation instructions, see:

  https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md


To upgrade from an earlier release, just overwrite 
/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz in dom0 with the new 
version and restart the firewall VM.


This version adapts qubes-mirage-firewall with

   - dynamic rulesets via QubesDB (as defined in Qubes 4.0), and
   - adds support for DNS hostnames in rules, using the pf-qubes library 
   for parsing.

The DNS client is provided by DNS (>= 4.2.0) which uses a cache for name 
lookups. Not every packet will lead to a DNS
lookup if DNS rules are in place.

A test unikernel is available in the test subdirectory.

This project was done by @linse  and @yomimono 
 in summer 2019, see PR #96 
.


Additional changes and bugfixes:

   - 
   
   Support Mirage 3.7 and mirage-nat 2.0.0 (@hannesm 
   , #89 
   ).
   The main improvement is fragmentation and reassembly support.
   - 
   
   Use the smaller OCurrent images as the base for building the Docker 
   images (@talex5 , #80 
   ).
   - Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08)
  - Now: 309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08)
   - 
   
   Removed unreachable Lwt.catch (@hannesm , #90 
   ).
   
Documentation:

   - 
   
   Add note that AppVM used to build from source may need a private image 
   larger than the default 2048MB (@marmot1791 
   ,
   #83 ).
   - 
   
   README: create the symlink-redirected docker dir (@xaki23 
   , #75 
   ). Otherwise, 
   installing the docker package removes t
   he dangling symlink.
   - 
   
   Note that mirage-firewall cannot be used as UpdateVM (@talex5 
   , #68 
   ).
   - 
   
   Fix ln(1) call in build instructions (@jaseg , 
   #69 ). The 
   arguments were backwards.
   
Keeping up with upstream changes:

   - 
   
   Support mirage-3.7 via qubes-builder (@xaki23 
   , #91 ).
   - 
   
   Remove unused Clock argument to Uplink (@talex5 
   , #90 
   ).
   - 
   
   Rename things for newer mirage-xen versions (@xaki23 
   , #80 
   ).
   - 
   
   Adjust to ipaddr-4.0.0 renaming _bytes to _octets (@xaki23 
   , #75 
   ).
   - 
   
   Use OCaml 4.08.0 for qubes-builder builds (was 4.07.1) (@xaki23 
   , #75 
   ).
   - 
   
   Remove netchannel pin as 1.11.0 is now released (@talex5 
   , #72 
   ).
   - 
   
   Remove cmdliner pin as 1.0.4 is now released (@talex5 
   , #71 
   ).
   


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0fe88cf5-4013-4fd7-9560-2bc39a5d6a6c%40googlegroups.com.