Job qubes-firewall on freebsd-12

README

Skip to builds

qubes-mirage-firewall

A unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It uses the mirage-qubes library to implement the Qubes protocols.

See A Unikernel Firewall for QubesOS for more details.

Binary releases

Pre-built binaries are available from the releases page. See the Deploy section below for installation instructions.

Build from source

Note: The most reliable way to build is using Docker. Fedora 35 works well for this and Debian 11 also works, but you'll need to follow the instructions at docker.com to get Docker (don't use Debian's version).

Create a new Fedora-35 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 4096 MiB. Open a terminal.

Clone this Git repository and run the build-with-docker.sh script:

mkdir /home/user/docker
sudo ln -s /home/user/docker /var/lib/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
sudo ./build-with-docker.sh

This took about 10 minutes on my laptop (it will be much quicker if you run it again). The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.

Note: the object files are stored in the _build directory to speed up incremental builds. If you change the dependencies, you will need to delete this directory before rebuilding.

It's OK to install the Docker package in a template VM if you want it to remain after a reboot, but the build of the firewall itself should be done in a regular AppVM.

You can also build without Docker, as for any normal Mirage unikernel; see the Mirage installation instructions for details.

The Docker build fixes the versions of the libraries it uses, ensuring that you will get exactly the same binary that is in the release. If you build without Docker, it will build against the latest versions instead (and the hash will therefore probably not match). However, it should still work fine.

Deploy

If you want to deploy manually, unpack mirage-firewall.tar.bz2 in domU. The tarball contains vmlinuz, which is the unikernel itself, plus a dummy initramfs file that Qubes requires:

[user@dev ~]$ tar xjf mirage-firewall.tar.bz2

Copy vmlinuz to /var/lib/qubes/vm-kernels/mirage-firewall directory in dom0, e.g. (if dev is the AppVM where you built it):

[tal@dom0 ~]$ mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall/
[tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/
[tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/vmlinuz' > vmlinuz

Finally, create a dummy file required by Qubes OS:

[tal@dom0 mirage-firewall]$ gzip -n9 < /dev/null > initramfs

Run this command in dom0 to create a mirage-firewall VM using the mirage-firewall kernel you added above

qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts='' \
  --property memory=64 \
  --property maxmem=64 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pvh \
  --label=green \
  --class StandaloneVM \
  mirage-firewall

qvm-features mirage-firewall qubes-firewall 1
qvm-features mirage-firewall no-default-kernelopts 1

Upgrading

To upgrade from an earlier release, just overwrite /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz with the new version and restart the firewall VM.

Configure AppVMs to use it

You can run mirage-firewall alongside your existing sys-firewall and you can choose which AppVMs use which firewall using the GUI. To configure an AppVM to use it, go to the app VM's settings in the GUI and change its NetVM from default (sys-firewall) to mirage-firewall.

You can also configure it by running this command in dom0 (replace my-app-vm with the AppVM's name):

qvm-prefs --set my-app-vm netvm mirage-firewall

Alternatively, you can configure mirage-firewall to be your default firewall VM.

Note that by default dom0 uses sys-firewall as its "UpdateVM" (a proxy for downloading updates). mirage-firewall cannot be used for this, but any Linux VM should be fine. https://www.qubes-os.org/doc/software-update-dom0/ says:

The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.

Components

This diagram show the main components (each box corresponds to a source .ml file with the same name):

Ethernet frames arrives from client qubes (such as work or personal) or from sys-net. Internet (IP) packets are sent to firewall, which consults the NAT table and the rules from QubesDB to decide what to do with the packet. If it should be sent on, it uses router to send it to the chosen destination. client_net watches the XenStore database provided by dom0 to find out when clients need to be added or removed.

The boot process:

  • config.ml describes the libraries used and static configuration settings (NAT table size). The mirage tool uses this to generate main.ml.
  • main.ml initialises the drivers selected by config.ml and calls the start function in unikernel.ml.
  • unikernel.ml connects the Qubes agents, sets up the networking components, and then waits for a shutdown request.

Easy deployment for developers

For development, use the test-mirage scripts to deploy the unikernel (qubes_firewall.xen) from your development AppVM. This takes a little more setting up the first time, but will be much quicker after that. e.g.

$ test-mirage qubes_firewall.xen mirage-firewall
Waiting for 'Ready'... OK
Uploading 'dist/qubes-firewall.xen' (7454880 bytes) to "mirage-test"
Waiting for 'Booting'... OK
Connecting to mirage-test console...
Solo5: Xen console: port 0x2, ring @0x00000000FEFFF000
            |      ___|
  __|  _ \  |  _ \ __ \
\__ \ (   | | (   |  ) |
____/\___/ _|\___/____/
Solo5: Bindings version v0.7.3
Solo5: Memory map: 64 MB addressable:
Solo5:   reserved @ (0x0 - 0xfffff)
Solo5:       text @ (0x100000 - 0x31bfff)
Solo5:     rodata @ (0x31c000 - 0x386fff)
Solo5:       data @ (0x387000 - 0x544fff)
Solo5:       heap >= 0x545000 < stack < 0x4000000
2022-08-13 14:55:38 -00:00: INF [qubes.rexec] waiting for client...
2022-08-13 14:55:38 -00:00: INF [qubes.gui] waiting for client...
2022-08-13 14:55:38 -00:00: INF [qubes.db] connecting to server...
2022-08-13 14:55:38 -00:00: INF [qubes.db] connected
2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-ip" = "10.137.0.20"
2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-gateway" = "10.137.0.23"
2022-08-13 14:55:38 -00:00: INF [qubes.rexec] client connected, other end wants to use protocol version 3, continuing with version 2
2022-08-13 14:55:38 -00:00: INF [unikernel] QubesDB and qrexec agents connected in 0.041 s
2022-08-13 14:55:38 -00:00: INF [dao] Got network configuration from QubesDB:
            NetVM IP on uplink network: 10.137.0.4
            Our IP on uplink network:   10.137.0.23
            Our IP on client networks:  10.137.0.23
            DNS resolver:               10.139.1.1
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] connect 0
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] create: id=0 domid=1
2022-08-13 14:55:38 -00:00: INF [net-xen frontend]  sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] MAC: 00:16:3e:5e:6c:00
2022-08-13 14:55:38 -00:00: INF [ethernet] Connected Ethernet interface 00:16:3e:5e:6c:00
2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00)
2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00)
2022-08-13 14:55:38 -00:00: INF [udp] UDP layer connected on 10.137.0.23
2022-08-13 14:55:38 -00:00: INF [dao] Watching backend/vif
2022-08-13 14:55:38 -00:00: INF [memory_pressure] Writing meminfo: free 52MiB / 59MiB (87.55 %)

Testing if the firewall works

A unikernel which tests the firewall is available in the test/ subdirectory. To use it, run test.sh and follow the instructions to set up the test environment.

Security advisories

See issues tagged "security" for security advisories affecting the firewall.

LICENSE

Copyright (c) 2019, Thomas Leonard All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Builds

Back to readme

Including failed builds here.