Qubes-mirage-firewall RC-like update

palainp · March 17, 2025, 10:37am

Dear community,
I plan to push Ocaml 5+ ecosystem for Qubes-mirage-firewall soon, before continuing development. We don’t have RC releases with Qubes-mirage-firewall, but if you want to try and help find bugs before the next release, you can test:

the latest version of Ocaml 4 is the current version and has not yet been released on GitHub - mirage/qubes-mirage-firewall: A Mirage firewall VM for QubesOS (no code changes in the firewall itself since latest release, but some updates in the ecosystem)
the future version of Ocaml 5 is the branch at GitHub - palainp/qubes-mirage-firewall at ocaml-53 (no code changes in the firewall itself but a lot of changes in the ecosystem)

For both repositories, you can run:

sudo dnf install podman -y && \
git clone <the chosen repository> && \
cd qubes-mirage-firewall && \
./build-with.sh podman

This will build dist/qubes-firewall.xen which you can copy into dom0 as a regular update.
Any help and/or feedback will be greatly appreciated

Based on lastest feedbacks, and after the next release I’ll start to work on:

IPv6 support
port redirection support

qEawma5f · March 17, 2025, 9:01pm

Hello,

Thank you for your work! I’m all set to test the mirage-firewall and will let you know if I encounter any issues. I will also test ProtonVPN to see if I run into the same problems I had with MullvadVPN, as I have a subscription.

Thanks!

qEawma5f · March 24, 2025, 2:10am

@palainp Does mirageos-firewall store data on the drive, or is it only in RAM?

palainp · March 24, 2025, 5:54am

There is no persistance nor configuration from the disk. The only mutable things are the connected clients configuration and their firewall rules. Those are read from QubesDB dynamically at runtime and everything is in RAM.

qEawma5f · March 30, 2025, 7:52pm

Can confirm, protonvpn is working without any issues.