Mirage-firewall 0.8.2 broken; new users should install 0.8.1

This is a follow-up to the Mirage 0.8.0 release post. I think this deserves its own post purely for visibility.


The latest release of Mirage has a constellation of crippling issues and should not be installed. New users should be advised to install 0.8.1 until said issues are resolved.

I’m not sure if the issues have been fully enumerated in its GitHub Issues, but the ones that I’ve encountered have been striking to me, a long-time Mirage FW user. Please note that some of the issues below might be due to the specifics of my configuration, as well as the fact that I am not a technically-trained person and have not done any thorough investigation.

  1. Upon any change in firewall parameters, Mirage consumes all CPU resources allocated to it and stops sending data downstream. Tested via both the firewall GUI and the CLI.

  2. When the above occurs, any attempt to shut down this version leads to Qubes Manager freezing, necessitating the killing of both processes.

  3. Seeming inability to resolve DNS-over-HTTPS requests and/or issues with DNS resolution in general.


As there are no stated security improvements in this new version compared to the previous one, and the amount of memory saved is relatively small (32 MB per firewall), there is little that is lost by not updating.

I think you should report this issue on their bug tracker: Issues · mirage/qubes-mirage-firewall · GitHub

Unfortunately, I don’t have a GitHub account for that.

I’ll see if I can reproduce, check what’s already there, and raise a new issue if needed with credit to you.


That’s nice of you, thanks.
I don’t need the credit, so you can have it if you want, since you’re taking the time to reproduce it.

Some extra information that might be relevant to reproduction. This isn’t exhaustive since I can’t remember everything:

  1. Downloaded the release instead of building from source

  2. Qubes OS latest and fully updated. dom0 kernel 5.16, if it matters.

  3. Mirage VM settings are the same as in its readme.md instructions (32 MB RAM, though the same issues occur even with 64+ MB).

  4. On test browser VM, edited running firewall via GUI (whitelist * port:443) → (whitelist google.com port:443 and/or other test sites like github.com). Test browser VM uses DNS over HTTPS. Sites stop working and Mirage crashes (see point 8)

  5. https://1.1.1.1/help worked for a bit after setting FW to whitelist the IP, but seemed unstable.

  6. Mirage FW in front of VPN VM working fine this whole time, probably due to the firewall using IPs, so no need for DNS. This, and the point above, is why I suspect DNS issues. Additionally, changing this VM’s parameters while running also leads to crashes.

  7. Replicated tests via qvm-firewall commands. Experimented with disabling and enabling dns and icmp there, but the same issues appeared.

  8. Experimentation was costly: changes in parameters led to xentop showing Mirage eating up all available CPU resources and refusing to shut down.
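The qvm-firewall procedure from points 4 and 7 above, written out as an added example; these are not the reporter's own commands and not part of the Mirage project. It assumes a hypothetical test qube named test-browser whose NetVM is the Mirage firewall qube, that a fresh qube's rule 0 is the default allow-all rule, and that the add/del/list subcommands and the dsthost=, proto=, dstports= and specialtarget=dns rule keys are as documented in dom0's qvm-firewall(1). It is run in dom0; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the reporter's commands): reproduce the whitelist rule
# set from points 4 and 7 with qvm-firewall for a hypothetical qube
# "test-browser" behind the Mirage firewall. Run in dom0.
# DRY_RUN=1 prints each command instead of running it, so the resulting rule
# set can be reviewed before touching a live qube.
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# allow_https_to VM HOST: append an accept rule for TCP/443 to HOST.
# HOST may be an IP literal (the 1.1.1.1 case from point 5, which worked) or
# a domain name (the google.com case from point 4, which is what triggered
# the 0.8.2 CPU spin). Rules are matched top to bottom, and this is appended
# before the final drop that whitelist_only adds.
allow_https_to() {
    run qvm-firewall "$1" add accept dsthost="$2" proto=tcp dstports=443
}

# whitelist_only VM HOST...: rebuild the qube's rules as "DNS, ICMP and
# TCP/443 to the listed hosts, drop everything else", i.e. the GUI whitelist
# from point 4. Assumption: the qube starts with its default single "accept"
# rule at position 0, which is removed once the restrictive rules are in place
# so the qube is never left with no rules at all.
whitelist_only() {
    vm="$1"; shift
    run qvm-firewall "$vm" add accept specialtarget=dns
    run qvm-firewall "$vm" add accept proto=icmp
    for host in "$@"; do
        allow_https_to "$vm" "$host"
    done
    run qvm-firewall "$vm" add drop
    run qvm-firewall "$vm" del --rule-no 0   # drop the default allow-all rule
    run qvm-firewall "$vm" list              # show the final ordered rule set
}

# Example invocation (constructed): review first, then apply.
# DRY_RUN=1 whitelist_only test-browser google.com github.com
# whitelist_only test-browser google.com github.com
```

Each qvm-firewall change is pushed to the firewall qube immediately, so on 0.8.2 the domain-name rules (dsthost=google.com, dsthost=github.com) are the ones to hold back on until the maintainer's fix is released; a rule set that uses only IP literals, as with the VPN qube in point 6, does not exercise the name-resolution path the reporter suspects.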

Hi, thanks for reporting this issue!

It seems to be fixed (in pending PRs) and the fix should be included in the next release with other issues.

In the meantime, as you said, it’s probably better to stick with 0.8.1 when using domain names in the firewall rules.


You’re welcome, and thank you for all your hard work on this wonderful little firewall!