Mirage-firewall 0.8.3 released

I am pleased to announce that a release of Qubes Mirage Firewall is just out (0.8.3) which should solve some of the recent annoying problems: Release autumn 2022 bugfixes · mirage/qubes-mirage-firewall · GitHub
You will also find the reproducible builds at Robur soon: Job qubes-firewall

I really want to thank everyone for tracking bugs and fixing issues for this release!

If you have any comments, please let us know, on this forum or on github.

The next step is to propose the firewall for integration into the Qubes Community Repository!

15 Likes

Thanks for all of the work that you’re putting into this @palainp ! Can’t wait for when mirage-fw is integrated into the qubes-community repos.

4 Likes

That was fast! I did some quick tests and everything seems to be in working order (at 32MB RAM per firewall). Thank you, @palainp

2 Likes

Hello. I’ve read about Mirage-firewall, and beside pros I noticed that the biggest con for me to use it would be a drop in bandwidth for a fast internet connection. Can someone bring in more details about it, please?

2 Likes

I would especially want to thank Hannes who worked for a long time on this firewall and really a lot on the last version which made it possible to release it quickly.

As for the drop in bandwidth my current tests are with iperf3 server and client in two AppVM on the same laptop connected by a Mirage/Linux firewall.
Iperf3 burns my CPU (core i5 8th) to 100% on the firewall VM or on one side of iperf in each case (so this is the bottleneck right now in that experiment). Mirage has a bandwidth around 73% of Linux for TCP (510Mbits/s vs 700Mbits/s), and around 90% for UDP (660Mbits/s vs 730Mbits/s) (Slower bandwidth compared to sys-firewall · Issue #130 · mirage/qubes-mirage-firewall · GitHub). There’s of course some work to be done here for investigating bottlenecks :slight_smile:

Beside that experiment, for my daily usage (web, mail, visio with teams/zoom) this is not noticeable at all (the CPU usage is really low and the CPU is not the bottleneck there).

7 Likes
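To reproduce the comparison above on your own hardware, the numbers are easiest to pull from `iperf3 -J` (JSON) output rather than read off the terminal. The script below is an added example, not code from the thread or from the qubes-mirage-firewall project; the sample reports are constructed to carry the four figures quoted in the post (510/700 Mbit/s TCP, 660/730 Mbit/s UDP) and only contain the fields the comparison needs. It reads the receiver-side sum for TCP (what actually arrived through the firewall), the single sum plus loss percentage for UDP, and computes the Mirage/Linux ratio; a lossy UDP run is flagged rather than reported as a fast one.

```python
import json

# Constructed iperf3 -J style summaries (not real captures). A real report has
# many more fields; the shape of the ones used here matches iperf3's JSON output.
IPERF_TCP_MIRAGE = json.dumps({
    "start": {"test_start": {"protocol": "TCP"}},
    "end": {"sum_received": {"bits_per_second": 510e6}},
})
IPERF_TCP_LINUX = json.dumps({
    "start": {"test_start": {"protocol": "TCP"}},
    "end": {"sum_received": {"bits_per_second": 700e6}},
})
IPERF_UDP_MIRAGE = json.dumps({
    "start": {"test_start": {"protocol": "UDP"}},
    "end": {"sum": {"bits_per_second": 660e6, "lost_percent": 0.2}},
})
IPERF_UDP_LINUX = json.dumps({
    "start": {"test_start": {"protocol": "UDP"}},
    "end": {"sum": {"bits_per_second": 730e6, "lost_percent": 0.1}},
})


def summarize(report_json: str) -> dict:
    """Extract throughput (bit/s) and, for UDP, loss from one iperf3 JSON report."""
    report = json.loads(report_json)
    proto = report["start"]["test_start"]["protocol"]
    end = report["end"]
    if proto == "TCP":
        # For TCP the receiver's sum is the honest figure: bytes the firewall
        # actually forwarded, not what the sender queued.
        return {"protocol": "TCP",
                "bps": float(end["sum_received"]["bits_per_second"]),
                "lost_percent": 0.0}
    # UDP has no retransmission, so iperf3 reports one sum with a loss figure.
    return {"protocol": "UDP",
            "bps": float(end["sum"]["bits_per_second"]),
            "lost_percent": float(end["sum"]["lost_percent"])}


def compare(mirage_json: str, linux_json: str, max_loss_percent: float = 1.0) -> dict:
    """Ratio of Mirage to Linux throughput for two reports of the same protocol.

    Raises if the protocols differ or if a UDP run lost more than
    max_loss_percent, since a lossy UDP number does not mean what it looks like.
    """
    m, l = summarize(mirage_json), summarize(linux_json)
    if m["protocol"] != l["protocol"]:
        raise ValueError("cannot compare %s against %s" % (m["protocol"], l["protocol"]))
    for name, r in (("mirage", m), ("linux", l)):
        if r["lost_percent"] > max_loss_percent:
            raise ValueError("%s UDP run lost %.1f%%; rerun before comparing"
                             % (name, r["lost_percent"]))
    return {"protocol": m["protocol"],
            "mirage_mbps": m["bps"] / 1e6,
            "linux_mbps": l["bps"] / 1e6,
            "ratio": m["bps"] / l["bps"]}


if __name__ == "__main__":
    for res in (compare(IPERF_TCP_MIRAGE, IPERF_TCP_LINUX),
                compare(IPERF_UDP_MIRAGE, IPERF_UDP_LINUX)):
        print("%s: Mirage %.0f Mbit/s vs Linux %.0f Mbit/s (%.0f%%)"
              % (res["protocol"], res["mirage_mbps"], res["linux_mbps"],
                 100 * res["ratio"]))
```

On a real run, capture each side with `iperf3 -c <server> -J > tcp-mirage.json` (add `-u -b 0` for the UDP case) once with the Mirage firewall in the path and once with sys-firewall, then feed the two files to `compare`. Pin the firewall's CPU load while measuring, since the post notes the CPU, not the link, is the bottleneck in this setup.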

This is exciting! Thank you @palainp and Hannes.
How does mirage-fw get added to the community repo (i.e. how can Qubes users follow the process or help)? Sorry if I sound impatient, just very interested.

2 Likes

Thanks!

So far, following the Qubes integration process, we’re at step 4 and you can follow the issue: [Contribution] Qubes-mirage-firewall kernel or template · Issue #7884 · QubesOS/qubes-issues · GitHub.

6 Likes

Anyone on here using the 0.8.3 build with a VPN connection, and if so are there any issues?

I just tried a Cisco VPN with this setting:
AppVM → mirage-fw → vpn (with openconnect to https://…) → mirage-fw2 → sys-net
Which works correctly (I have the VPN ip in AppVM from the outside POV).
I can also try with a Fortinet VPN (openfortivpn to https://…), but I unfortunately have no access to an OpenVPN server.
EDIT: I can confirm that it works too with the setting:
AppVM → mirage-fw → vpn (with openfortivpn to https://…) → mirage-fw2 → sys-net

3 Likes

Can you please explain the use of two fwall sys’?

Those do not serve any purpose but testing. Of course, you can remove any of them in the setup :wink:

You can filter domains accessible by AppVM in mirage-fw, and domains accessible by your VPN client in mirage-fw2. I can’t remember where but a qmf user reported that having mirage-fw before or after the VPN works and the other doesn’t, so here I tried both.

1 Like

That was me in the previous thread.

I have one MFW (fitting acronym for this firewall, btw) in front of and behind the Wireguard VM. The one upstream was working fine since it was using IP addresses as inputs. When I tested 0.8.3 I had the same setup and everything works fine, so you can also report that MFW works with Wireguard as well.

Also, in the previous thread I noted that the test browser VM stopped working, but it turns out that was due to me not putting in the right address for DNS-over-HTTPS (it wasn’t 1.1.1.1 @ 443).

I mention this because even though I accidentally got to the correct answer (DNS issues with MFW), the process used to get there was somewhat faulty and I just got lucky.

2 Likes