I was under the mistaken impression that editing Mirage firewall rules involved editing the .ml files in OCaml, then recompiling the Mirage kernel every time you wanted to change rules. This is why I was using Debian firewalls, because that hurdle was like climbing a cliff for me.
I got that impression from a few forum posts and testing it way back when I first started playing around with this OS before understanding how firewalls work here (I directly edited the firewall rules of Mirage VMs, then sulked when that didn’t work).
Now that I’ve tested it without having a half-baked conception of how Qubes firewalls work, I realized that it’s configured just like regular VM firewalls. Massive thumbs up to the Mirage team.
As much as I want to get to the bottom of this, I can only report my shallow probings (as in the previous post), as a technical breakdown is beyond my current abilities. My solution is to use Mirage, now that I’ve figured it out, as (AFAIK) unikernels are much more stable and reliable and I get the additional upside of having more free resources and a much smaller attack surface.
Thanks for putting up with me.