Packaged mirage firewall

I’ve updated the packaging of the mirage firewall to the latest version, 0.9.3.

The source is here, and the packaged
rpm is available from here, or by using the simple set up tool.
This means that you can simply install the rpm in dom0, and it will
build you a mirage firewall. Why might you want this? It uses a tiny
amount of RAM, and boots very quickly.

You can start using it by setting the netvm of a qube to
mirage-firewall, instead of sys-firewall.

The mirage firewall can’t be used as an update proxy for dom0: you can keep
sys-firewall around for this purpose or provision any other qube.

11 Likes

What’s the max RAM in the mirage sys-firewall qube? Also, what’s the number of vCPUs that you’ve assigned to that qube?

1 Like

Qubes-mirage-firewall is currently single core, so only 1 vCPU is needed 🙂
The minimum recommended RAM size is 32MB, but you can increase that in the qube properties (e.g. if you experience issues with a high number of clients).

4 Likes

These are amazing numbers. The 1vCPU sounds too good to be true. How well does it scale with the number of qubes that are online? For example, does 1 vCPU start to be a bottleneck after 20 qubes being online at the same time?

3 Likes

I’ve never tried to have so many clients active at the same time; I don’t have access to hardware that would allow me to automate such a scaling test 🙁
If that comes to be a bottleneck, I’d suggest running more mirage-fw and splitting clients over them 😉

2 Likes

Interesting point. And then that would effectively move the possible bottleneck up the chain to sys-net, I suppose.

2 Likes

From my observations, there is a slight overhead, in terms of bandwidth, compared to Linux (i.e. I currently have 240Mbps with mirage vs 270Mbps using Linux sys-fw on fast.com), but the bottleneck seems to be the network performance rather than the CPU; none of my VMs are at 100% during the tests.

2 Likes

Man, mirage should be offered as an option during Qubes OS install.

4 Likes

Not in my experience, but YMMV. It’s an amazing piece of work.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes

Install seemed to fail the salt config for some reason:

Summary for local

Succeeded: 4 (changed=3)
Failed: 1

Total states run: 5
Total run time: 2.767 s
DOM0 configuration failed, not continuing
warning: %post(3isec-qubes-mirage-firewall-0.9.3-1.fc37.x86_64) scriptlet failed, exit status 1

Error in POSTIN scriptlet in rpm package 3isec-qubes-mirage-firewall
Verifying : 3isec-qubes-mirage-firewall-0.9.3-1.fc37.x86_64

1 Like

More information please.
Did you already have the package installed in an earlier version?
Did you download the package and install, or use the tool?

1 Like

Package was downloaded and installed directly. Looks like the salt installation in dom0 then threw a whole lot of errors during the config stage. I’ve not been happy with salt in dom0 as there have been a number of issues, then fixes, then more issues. Until a couple of weeks ago I was not able to get a simple Fedora appVM built with salt.

1 Like

I use salt extensively, and don’t have significant issues.
You might try the latest package - 0.9.4 - which installs fine with both
Fedora and Debian management qubes.

3 Likes

Yep, that new package has installed flawlessly. Nice job!

1 Like