Qubes-mirage-firewall 0.9.3 released

I am happy to announce that the latest release of Qubes Mirage Firewall has just been released (0.9.3). This release fixes BSD sys-net. The issue was reported by @nalea and leads to an unusable fw.

You can update either manually (local compilation with podman/docker, or download from GitHub, check hashsum, copy to dom0) or with the salt formula available on the GitHub repository, or with @unman’s tool.

If you have any comments, please let us know, on this forum or on GitHub.

Any chance mirage-firewall replaces the fully fledged Debian/Fedora OS for sys-firewall soon? Is mirage-firewall ready to offer the stability of operation required for such a role?

Thank you for your questions.

I can’t answer the first question: in order to replace sys-firewall as default, it will need some sort of code audit by the Qubes team (and the team already has a lot to do).

Regarding the second question, I have used it as my daily default firewall for years now and I don’t experience bad issues (and we try to help/fix every time users report some issues).
We have, for the time being, a lower maximum bandwidth with TCP vs the Linux kernel, and I currently put the fault on the lack of TCP segmentation offload in mirage-xen. That would be a great improvement but it needs a big amount of work. Otherwise, for daily net usage I don’t feel any issue with it :)

Any progress on IPv6 support? Mirage firewall is a godsend for minimized Qubes OS installs and the only issue preventing me from using it daily is lack of IPv6 support.

Thank you for raising this feature request.
As I am not using IPv6 on my Qubes laptop, this request has not been prioritised. Would you mind explaining the behaviour of the IPv6 firewall (e.g. NAT for all IPv6 traffic, NAT64, or traffic is forwarded as is)?