Mirage-firewall on Qubes

Dear community,
I want to use mirage-firewall to make my proxy VM even more leak-proof.
The name of my disposable firewall is ms-firewall.
Does anyone know how I can add nft firewall rules?
I tried to add them from dom0 in the config file, but all I receive is: ms-firewall: command failed with code: 1

qvm-run ms-firewall "nano /rw/config/qubes-firewall/firewall-user-rules.conf"

This is the command I used.


You want to not use the Qubes firewall and qvm-firewall, but have custom nftables rules in ms-firewall?
What rules do you want to set?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

Thank you for helping me.
I want to use the MirageOS firewall in the ms-firewall disposable qube and not the Qubes default firewall.


I am, as always, open to correction, but I don't believe that you can do that without rebuilding the Mirage firewall.

That said, I’m trying to understand your rule set. What do you achieve with these rules?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


I agree with @unman that rules different from those that can be expressed with qvm-firewall would not work off the shelf.

@ryzenpro as the unikernel is only a firewall, you won’t be able to run nano, nor save rule files there. But it is possible to modify the kernel code to add a special redirection. For example, a user recently requested a nat redirect (from sys-net to a dedicated domU client), and I suggested maintaining a fork (see GitHub - palainp/qubes-mirage-firewall at manual-nat-bind).
As I don’t understand your rules: if custom-forward is similar to “forward packets received on this port to this client”, as in the previous description, you should be able to modify the code. If not, the solution may be more complex, and I would encourage you to open an issue on the GitHub repository.


I’m a new Qubes user and I found this in a guide:

With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.

Instead, I highly recommend that you create a minimal Mirage FirewallVM and use it as a firewall behind the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.

I thought it’d be a good idea to use the Mirage firewall and not the Qubes firewall to have a lower risk of any IP leaks because of the firewall.

Does the whole setup described in this guide make sense?
If I had to modify the code of the Mirage firewall, is this hard for someone with only basic Linux and network knowledge? I don't mind learning something new in my free time.
