-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05/27/18 16:40, 799 wrote:> The only thing I am struggling with is to install something so crucial > like a firewall which is not coming from the Qubes Team. For me as > a normal user it is hard to decide if qubes-mirage-firewall is > reasonable secure compared to the default sys-firewall.
Well, Thomas Leonard (talex) is a big open source contributor. Author reputation apart, an unikernel is a more secure than normal sys-firewall because it has tons of less complexity. An unikernel is a kernel running a single process with unique address space, without user system, etc... it only has the needed code/libs for running that single process. A normal linux distribution like standard sys-firewall has a lot of things not needed for the firewall task, even fedora-minimal has a lot of functions and complexity compared to mirage-firewall. Also, a pretty vulnerable part of standard Qubes is the network stack of linux. If a compromised sys-net has some exploit for that part of code, it is likely to scale from it to sys-firewall using the same explit and then to other AppVM's. So it is nice to have a total different system between. Another interesting difference is the programming language. Fedora or debian sys-firewall has millions of lines of C or similar code, where common security problems are relative easy to appear and hard to find and fix. mirage-firewall is mostly based on OCaml, a functional oriented language where this kind of programming errors are less likely to happen. > As far as I understand it is run a docker image (in dom0?). No. Docker is used in some AppVM for build the mirage-firewall image. I think docker is used for simplicity the build process. Once you have your kernel image you pass it to dom0 and just boot a new VM with that kernel. > is there any official feedback regarding the qubes-mirage-firewall > and what do the "Qubes Pro's" think about it.> If it is better, > then why hasn't it be integrated in the Qubes Image? Exists this issue: https://github.com/QubesOS/qubes-issues/issues/3792 There is a problem with current mirage-firewall, the rules are currently hard coded in the source. So you need to modify, rebuild and reboot the VM for change them. Also there is a fork which uses the module.img file (a dummy file in the other version) for save the rules: https://github.com/cfcs/qubes-mirage-firewall/tree/user_supplied_rules This way you can edit the rules without rebuild the whole image, but I think that you need to reboot the VM. When I discovered this I wanted to add compatibility with Qubes Manager for it, but it was pretty difficult with Qubes 3.2 format. Now I'm using Qubes 4, I would like to try again. > I will rebuild my sys-firewall from a fedora-26-minimal template > and try to see if I can reduce memory. > > Question: How can I check how much memory really is consumed? > > [user@dom0 ~]$ xl list [...] sys-firewall shows 1.638 MB > > > [user@sys-firewall ~]$ free -h total used free > shared buff/cache available Mem: 1.4G 133M > 882M 2.9M 454M 1.1G Swap: 1.0G 0B > 1.0G > > Does this mean that only 133 MB is currently used by sys-firewall? > > Maybe I made the mistake trusting the numbers in dom0: xl list? sys-firewall has 1.4G asigned but only 133M used and 454M cached (probably during boot process). It has 882M free and it (and part of the cached) will be reduced when other VM needs more memory. If you want try to stress your system opening disposable VM's to see if it gets reduced. I have it with default setup (500min 4000max) and currently it reports: [user@sys-firewall ~]$ free -h total used free shared buff/cache available Mem: 348M 165M 94M 2.6M 88M 48M Swap: 1.0G 14M 1.0G -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsK3J4ACgkQFBMQ2OPt CKUI7hAAt6GuZqV5/4J6UsPwv8K+EQcE2huPq3l5f/psY5KfSLVNqIGXS5nW9sT2 Q1/ZsyYyGD59B6w2+O+eu3oLCMluMJoS12lq8ZHUEpoyPsbolX62eGxlS6nDMKL/ Yd1fZE4i4PwBNxvBGOQnCos+p44+lc0kiQDTq4NLPadNXICQoyzsvTY0P0ck+V+m jeDrueSY4g/n2+33he8NaNNe+kiMm7Eo6huyCeSFMDYk+QWp8wPbHH7s4+wfoP/h niAHOD9g/bNORWOXEiz7iUSq7T3ZDcsyVyJxs10Avvx/ZYQXcxaxbIYx1ZNIMuOL M5JDvRw8D0oK2tU6ee9Yal38DnK1eN3RKMNBdlxWpKD1ZwW3TpWMH25YD5OdbnpT fE1yjvjW3N0clO99dt7CNkjD5m09fO63gqq4KFyXr51hUqu1ZANtzr7Sky55QgZy OXmqZsbG9dRa5RFN/bUAQs3LK5WhEwzVcIxRyXsiPuGQQk0qFn0rH/7PEKr6/1sq 9vw6QrlDCFEzfxZEL6Vh3KQ0+8dXZACgwFTg/vo/nP7qvuIkFpLeUHNxKluMyLdi OMPWwNcl7UZN9ojPQg2X2b8qYisw1IgD1UPmPRjm3lmhe5lDlxIFfIyfqJRlfht8 ktxMkRWzfufBG2S5dwCzYbSAKJB/oNd4SKEOowUfWlfDTwpaNHI= =OKVC -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b08c85b4-359a-49be-099e-ac279b096695%40riseup.net. For more options, visit https://groups.google.com/d/optout.