Any suggestions for 16gb RAM laptop?

I’m so thankful for all the answers you provided… really, helped a lot! The system runs way better now. I do have some questions left if you don’t mind

  1. Any downsides with Mirage firewall? It doesn’t use default rules as sys-firewall (I don’t know much about firewalls) and doesn’t support ordinary Linux nft rules, and as a result I won’t be able to use some community guides. Any workarounds?
  2. Where can I find it?
  3. What should I do then, just install Tor as is in the template of choice and use it as disposable?
  4. Video editing with CPU only?

It does use the same rules…

It does use the same rules

To illustrate, we start a dispVM using mirage-firewall as its netvm:

user@dom0:~$ qvm-ls disp2376
NAME      STATE    CLASS   LABEL  TEMPLATE     NETVM
disp2376  Running  DispVM  red    default-dvm  mirage-firewall

The default firewall settings are applied, and we can ping and browse to “dns.google” (8.8.8.8):

user@dom0:~$ qvm-firewall disp2376 list
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  -     -         -        -               -          -       -
[user@disp2376 ~]$ ping -c 3 dns.google
PING dns.google (8.8.8.8) 56(84) bytes of data.
64 bytes from dns.google (8.8.8.8): icmp_seq=1 ttl=114 time=28.0 ms
64 bytes from dns.google (8.8.8.8): icmp_seq=2 ttl=114 time=24.9 ms
64 bytes from dns.google (8.8.8.8): icmp_seq=3 ttl=114 time=24.1 ms

--- dns.google ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 24.050/25.667/28.045/1.717 ms
[user@disp2376 ~]$ 
[user@disp2376 ~]$ curl https://dns.google
<!DOCTYPE html>
<html lang="en"> <head> <title>Google Public DNS</title> [... truncated...] </html>
[user@disp2376 ~]$ 

Note that DNS and curl both work.

Now let’s remove the default Qubes firewall rule for this dispVM:

user@dom0:~$ qvm-firewall disp2376 del --rule-no 0
user@dom0:~$ qvm-firewall disp2376 list
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
user@dom0:~$

Now DNS, ping, and curl don’t work any more on the dispVM:

[user@disp2376 ~]$ ping -c 3 dns.google
^C
[user@disp2376 ~]$ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2030ms

[user@disp2376 ~]$ curl https://dns.google
^C
[user@disp2376 ~]$

Now let’s allow port 443/tcp to 8.8.8.8:

user@dom0:~$ qvm-firewall disp2376 add action=accept proto=tcp dst4=8.8.8.8 dstports=443
user@dom0:~$  
user@dom0:~$ qvm-firewall disp2376 list
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  8.8.8.8/32  tcp       443      -               -          -       -
user@dom0:~$

And, surprise-surprise, we can now reach https://8.8.8.8 from our dispVM! (but not https://dns.google, because DNS is still blocked, as is ping/icmp)

[user@disp2376 ~]$ curl https://dns.google
^C
[user@disp2376 ~]$ curl https://8.8.8.8
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://dns.google/">here</A>.
</BODY></HTML>
[user@disp2376 ~]$ ping -c 3 -w 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2062ms
1 Like
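The demonstration above shows the two things that matter about Qubes firewall rules: they are evaluated in order, first match wins, and when no rule matches the packet is dropped (which is why the emptied list blocks ping, DNS and curl alike). The following is an added example, not code from the thread or from the Qubes or qubes-mirage-firewall projects: a small Python model that parses the `qvm-firewall <vm> list` table and answers "would this connection get through?" for the three probes used in the thread. It assumes those first-match/implicit-drop semantics, models `specialtarget=dns` as a flag meaning "a query to the resolver the netvm hands out" (10.139.1.1 is a constructed stand-in for that resolver address), handles only IPv4 hosts, and adds one constructed table that includes the `specialtarget=dns` accept rule the GUI's "Allow DNS" box produces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule tables constructed from the qvm-firewall output shown in the thread.
DEFAULT_RULES = """\
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  -     -         -        -               -          -       -
"""
EMPTY_RULES = """\
NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
"""
HTTPS_ONLY_RULES = """\
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  8.8.8.8/32  tcp       443      -               -          -       -
"""
# Constructed, not from the thread: the same rule plus the one that
# `qvm-firewall <vm> add action=accept specialtarget=dns` produces.
HTTPS_AND_DNS_RULES = """\
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  8.8.8.8/32  tcp       443      -               -          -       -
1   accept  -           -         -        dns             -          -       -
"""


@dataclass
class Rule:
    action: str                            # "accept" or "drop"
    host: Optional[ipaddress.IPv4Network]  # None = any destination (IPv6 not modelled)
    proto: Optional[str]                   # "tcp", "udp", "icmp"; None = any
    ports: Optional[Tuple[int, int]]       # inclusive range; None = any port
    special_target: Optional[str]          # "dns" = the netvm's resolvers; None = unset


def _port_range(field: str) -> Optional[Tuple[int, int]]:
    if field == "-":
        return None
    lo, _, hi = field.partition("-")       # "443" or "80-90"
    return int(lo), int(hi or lo)


def parse_rules(table: str) -> List[Rule]:
    """Parse the table printed by `qvm-firewall <vm> list`, header included."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("NO "):
        raise ValueError("expected the qvm-firewall list header")
    rules = []
    for line in lines[1:]:
        cols = line.split()                 # every value column is one token
        if len(cols) < 8:
            raise ValueError(f"malformed rule line: {line!r}")
        _no, action, host, proto, ports, special = cols[:6]
        try:
            net = None if host == "-" else ipaddress.IPv4Network(host, strict=False)
        except ValueError as exc:           # dsthost=<name> rules are not modelled
            raise ValueError(f"only IPv4 hosts are modelled, got {host!r}") from exc
        rules.append(Rule(action, net, None if proto == "-" else proto,
                          _port_range(ports), None if special == "-" else special))
    return rules


def is_allowed(rules: List[Rule], dst: str, proto: str,
               dport: Optional[int] = None, to_netvm_dns: bool = False) -> bool:
    """First matching rule decides; with no match the packet is dropped."""
    ip = ipaddress.IPv4Address(dst)
    for r in rules:
        if r.host is not None and ip not in r.host:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and (dport is None or not r.ports[0] <= dport <= r.ports[1]):
            continue
        if r.special_target == "dns" and not to_netvm_dns:
            continue
        return r.action == "accept"
    return False                            # implicit drop after the last rule


# The three things the thread tried from the dispVM. 10.139.1.1 is a
# constructed stand-in for the resolver address the netvm hands out.
PROBES = {
    "ping 8.8.8.8": dict(dst="8.8.8.8", proto="icmp"),
    "dns lookup": dict(dst="10.139.1.1", proto="udp", dport=53, to_netvm_dns=True),
    "curl https://8.8.8.8": dict(dst="8.8.8.8", proto="tcp", dport=443),
}


def evaluate(table: str) -> Dict[str, bool]:
    """Return which of the probes a given rule table lets through."""
    rules = parse_rules(table)
    result = {name: is_allowed(rules, **probe) for name, probe in PROBES.items()}
    # https://dns.google needs the name resolved *and* the TCP connection.
    result["curl https://dns.google"] = result["dns lookup"] and result["curl https://8.8.8.8"]
    return result


if __name__ == "__main__":
    for label, table in [("default", DEFAULT_RULES), ("emptied", EMPTY_RULES),
                         ("443/tcp to 8.8.8.8", HTTPS_ONLY_RULES),
                         ("443/tcp to 8.8.8.8 + DNS", HTTPS_AND_DNS_RULES)]:
        print(label, {k: ("works" if v else "blocked") for k, v in evaluate(table).items()})
```

Running it reproduces the thread's three states (everything works, nothing works, only https://8.8.8.8 works) and shows the fourth: adding the `specialtarget=dns` rule is what makes https://dns.google reachable again while ping stays blocked. The model is a reasoning aid for checking a ruleset before applying it with `qvm-firewall`; the firewall qube itself is still the authority.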

I do agree with @barto, qubes-mirage-fw is equivalent to sys-firewall regarding the qvm-firewall command.
However, as a unikernel, it does not support a shell, nor the nft command.

2 Likes

That’s nice that the defaults will be present, but what about setting the rules then? How would I apply some nft rules from some community guide without rebuilding the unikernel?

And @barto, thank you for the demonstration.

1 Like

You can set rules using the Qubes Manager GUI, or with “qvm-firewall”, as normal. No additional hardening is needed in a qube providing services equivalent to sys-firewall.

By GUI, do you mean the qube’s settings, to set firewall rules? And can I set any rule there, as I would within the shell?

1 Like

Any AI that I asked about the firewall rules, said something like:
“Crucially, you cannot use the Qubes Firewall GUI or nft commands to apply rules; the Mirage unikernel ignores these inputs entirely”

I’m going to install and test it :nerd_face:

Yes!

Not all rules can be applied through the GUI. But this is true for any sys-firewall, not only Mirage. And you (most probably) only have to apply hardening rules once per vm/qube.

1 Like

This tells you more about AI than the mirage firewall, and the risks of relying on AI. Always a good idea to test things for yourself.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

4 Likes