Qubes-mirage-firewall

huaopeng · March 31, 2023, 3:38am

Has anybody here experience with installing the mirageOS firewall?

Here is the article:

Was able to install, but trying to complete the qrexec, gui, and qubesDB protocol config scripts

Do these need to be typed into newly created files?

palainp · April 2, 2023, 5:25am

This article is pretty old, you should check issues and missing features directly on the github repository.

Actually we removed the gui part a couple of month ago (Remove GUI code · Issue #62 · mirage/qubes-mirage-firewall · GitHub).

For qrexec and qubesDB, you will have to implement the code for your needs in command.ml and dao.ml.

huaopeng · April 2, 2023, 6:53pm

I you have to create those files and type the OCaml code?

huaopeng · April 2, 2023, 7:46pm

Will the mirage-firewall VM work without those components.

palainp · April 2, 2023, 8:03pm

It works for me as a daily fw, but if you have special needs, you might need to add some Ocaml code yes.

huaopeng · April 2, 2023, 8:27pm

I mean it doesn’t function with xen/qubes without the qubesdb and qrexec Qubes-related dependencies.

palainp · April 3, 2023, 9:43am

Not sure what is your background with mirageOS and if you want to write your own mirage-unikernel or just use qubes-mirage-firewall (qubes-mirage-firewall should work without any special code addition, except for new/specific needs).

To write your own unikernel, maybe you can try out the “hello world” unikernel following the instructions at https://mirage.io/docs/hello-world:

first try with unix target (mirage configure -t unix) to be sure that the build suite works well,
then with qubes target (mirage configure -t qubes). This should produce an unikernel that can be run as qubes-mirage-firewall kernel (copy to dom0 at the right place and start the AppVM).

Qubes-mirage-firewall is a bit different as it directly includes the Qubes-related code (and the target should be xen instead of qubes). But once you’re familiar with mirageOS, you can check in command.ml and dao.ml (in GitHub - mirage/qubes-mirage-firewall: A Mirage firewall VM for QubesOS) how the interaction with qrexec and qubesDB is done.

augsch · April 10, 2023, 11:18am

Hi @palainp , I really apprieciate you and others work on qubes-mirage-firewall, and I’m actively using it. However, I encountered one problem.

If I set the Windows10 AppVM’s netvm to mirage-fw, the windows qube won’t boot correctly. It will stuck at where it shows a windows logo.

How can I troubleshoot this problem? If you need logs, I’ll strive to retrive them from the windows qube. Thanks!

huaopeng · April 10, 2023, 2:55pm

where did you download the mirage-fw image?

huaopeng · April 10, 2023, 2:59pm

Download the version from Github as it includes:

qrexec (remote command execution), gui (displaying windows on the dom0 desktop) and QubesDB (a key-value store).

palainp · April 11, 2023, 7:42am

Hi, thanks for your report, and unfortunately it works on my laptop (the VM is booting and running fine).

The only thing I spotted was some multicast traffic on ports UDP:5353->5353 and UDP:random->3702, you may have them too and you can check for:

WRN [firewall] Failed to add NAT rewrite rule: Cannot NAT this packet (IPv4 packet X.X.X.X -> 224.0.0.X.....
UDP port 5353 -> 5353 with payload ....

Both flows may be related to the AD environment in which my Windows VM is integrated. (I’m not a Windows expert and I’m not sure about this point so far).

To try to go forward with your issue, you could check for multicast traffic, as it’s currently not NATed (RFC says to leave the IP header intact RFC 5135 - IP Multicast Requirements for a Network Address Translator (NAT) and a Network Address Port Translator (NAPT)) and the Qubes IP address might mismatch something outside your computer (my Windows VM has a real address in Qubes Manager and not a “Qubes range” (10.13X.0.X) address).