sonertari / utmfw

UTM Firewall on OpenBSD

License: GNU General Public License v3.0

utm firewall openbsd ssl-inspection sslproxy web-filter anti-virus anti-spam ids ips packet-filter web-ui androdi-ui windows-ui installation-iso pfre notifications utmfw pffw


UTMFW

UTMFW is a UTM firewall running on OpenBSD. UTMFW is expected to be used on production systems. The UTMFW project provides a Web User Interface (WUI) for monitoring and configuration. You can also use the Android application A4PFFW, which can display the notifications sent from UTMFW, and the Windows application W4PFFW for monitoring.

UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, Firebase push notifications, and network user authentication. Also note that UTMFW 7.4 comes with OpenBSD 7.4-stable including all updates until February 19th, 2024.

UTMFW supports deep SSL inspection of the HTTP, POP3, and SMTP protocols. SSL/TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, POP3 Proxy, SMTP Proxy, and Inline IPS (and indirectly into the Virus Scanner and Spam Filter through those services). This UTM software has been modified to support the mode of operation that SSLproxy requires.

Dashboard

You can find a couple of screenshots on the wiki.

Download

The UTMFW project releases three installation files:

  • The installation iso file for the amd64 arch is available for download at utmfw74_20240225_amd64.iso. Make sure the SHA256 checksum is correct: d873b37dbca4d58ff5511a025a631fd52a80a467786bee2ef06a1cf54a386d2b.

  • The installation img file for the amd64 arch is available for download at utmfw74_20240225_amd64.img. Make sure the SHA256 checksum is correct: 35d379780015999864086b812b3d36658c15be97dc14d3eedb6e700aa655d5c7.

  • The installation img file for the arm64 arch is available for download at utmfw74_20240225_arm64.img. Make sure the SHA256 checksum is correct: 14b9062c59362d18615bf3fe958d584cef2ea8850369b3e3f88a295f931713a9. The only arm64 platform supported is Raspberry Pi 4 Model B.
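Checking the published SHA256 checksum before booting or flashing an image is the one integrity check available for these downloads. The following is an added example, not part of the UTMFW project, that looks up the checksum listed above by file name and compares it with the digest computed locally. It assumes either sha256sum (Linux) or sha256 (OpenBSD) is on the PATH; the file names and digests are the ones in this README.

```shell
# Added example (not from the UTMFW project): verify a downloaded
# installation file against the SHA256 checksum published in the README.
# Assumes sha256sum (Linux) or sha256 (OpenBSD) is on PATH.

# Checksums copied from the README, keyed by release file name.
utmfw_expected_sha256() {
    case "$1" in
        utmfw74_20240225_amd64.iso) echo d873b37dbca4d58ff5511a025a631fd52a80a467786bee2ef06a1cf54a386d2b ;;
        utmfw74_20240225_amd64.img) echo 35d379780015999864086b812b3d36658c15be97dc14d3eedb6e700aa655d5c7 ;;
        utmfw74_20240225_arm64.img) echo 14b9062c59362d18615bf3fe958d584cef2ea8850369b3e3f88a295f931713a9 ;;
        *) return 1 ;;
    esac
}

# Print the hex SHA256 digest of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if no tool.
# The comparison is case-insensitive because tools differ in output case.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$file: SHA256 OK"
        return 0
    fi
    echo "$file: SHA256 MISMATCH (got $actual, expected $expected)" >&2
    return 1
}

# verify_utmfw_download FILE: look up the published digest by base name.
verify_utmfw_download() {
    expected=$(utmfw_expected_sha256 "$(basename "$1")") || {
        echo "$1: not a known UTMFW release file" >&2; return 1; }
    verify_sha256 "$1" "$expected"
}
```

Run it as `verify_utmfw_download ~/Downloads/utmfw74_20240225_amd64.iso`; a non-zero exit status means the file should not be used.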

Features

UTMFW includes the following software, alongside what is already available on a basic OpenBSD installation:

  • SSLproxy: Transparent SSL/TLS proxy for deep SSL inspection
  • PFRE: Packet Filter Rule Editor
  • E2Guardian: Web filter, anti-virus using ClamAV, blacklists
  • Snort: Intrusion detection and inline prevention system, with the latest rules
  • SnortIPS: Passive intrusion prevention software
  • ClamAV: Virus scanner with periodic virus signature updates
  • SpamAssassin: Spam scanner
  • P3scan: Anti-virus/anti-spam transparent POP3 proxy
  • Smtp-gated: Anti-virus/anti-spam transparent SMTP proxy
  • Dante: SOCKS proxy
  • IMSpector: IM proxy which supports IRC and others.
  • OpenVPN: Virtual private networking
  • Symon: System monitoring software
  • Pmacct: Network monitoring via graphs
  • Collectd: System metrics collection engine
  • Dnsmasq: DNS forwarder
  • PHP

Console

The web user interface of UTMFW helps you manage your firewall:

  • Dashboard displays an overview of system status using graphs and statistics counters. You can click on those graphs and counters to go to their details on the web user interface.
  • Notifier sends the system status as Firebase push notifications to the Android application, A4PFFW.
  • System, network, and service configuration can be achieved on the web user interface.
  • Pf rules are maintained using PFRE.
  • Information on hosts, interfaces, pf rules, states, and queues are provided in tabular form.
  • System, pf, network, and internal clients can be monitored via graphs.
  • Logs can be viewed and downloaded on the web user interface. Compressed log files are supported.
  • Statistics collected over logs are displayed in bar charts and top lists. Bar charts and top lists are clickable, so you don't need to touch your keyboard to search anything on the statistics pages. You can view the top lists on pie charts too. Statistics over compressed log files are supported.
  • The web user interface provides many help boxes and windows, which can be disabled.
  • Man pages of OpenBSD and installed software can be accessed and searched on the web user interface.
  • There are two users who can log in to the web user interface. The unprivileged user has no access rights to configuration pages, so cannot interfere with system settings, and cannot even change the user password (i.e. you can safely give the unprivileged user's password to your boss).
  • The web user interface supports languages other than English: Turkish, Chinese, Dutch, Russian, French, Spanish.
  • The web user interface configuration pages are designed such that changes you may have made to the configuration files on the command line (such as comments you might have added) remain intact after you configure a module using the web user interface.

UTMFW uses the same design decisions and implementation as the PFRE project. See its README for details.

UI Design

How to install

Download the installation iso or img file for your platform and follow the instructions in the installation guide available in the file. Below are the same instructions.

You can also find the output of a sample installation on the wiki.

Installation Guide

UTMFW installation is very intuitive and easy, just follow the instructions on the screen and answer the questions asked. You are advised to accept the default answers to all the questions. In fact, the installation can be completed by accepting default answers all the way from the first question until the last. The only exceptions are network configuration, password setup, and installation disk selection.

Auto allocator will provide a partition layout recommended for your disk. Suggested partitioning should be suitable for most installations, simply accept it. Do not delete or modify the msdos partition (for arm64 installation).

Make sure you configure two network interfaces. You will be asked to choose internal and external interfaces later on. You can configure the internal wifi interface in Host AP mode.

All of the install sets and software packages are selected by default, simply accept the selections.

While installing from the img file, when the installation script asks for the location of the install sets or packages, choose the disk option, answer that the disk partition is not mounted yet, and then select the device name of the installation disk (usually sd0 or sd1; type ? to see device info first). The default path for install sets and packages that the script offers is the same path as in the img file, so just hit Enter at that point.

If the installation script finds an already existing file which needs to be updated, it saves the old file as filename.orig.

Installation logs can be found under the /root directory.

You can access the web administration interface using the IP address of the internal interface you selected during installation. You can log in to the system over ssh from the internal network.

Web interface user names are admin and user. Network user is utmfw. All are set to the same password you provide during installation.

References:

  1. INSTALL.amd64 in the installation iso file and INSTALL.arm64 in the installation img file.
  2. Supported hardware for amd64 and supported hardware for arm64.
  3. OpenBSD installation guide.

Installation Tips

A few notes about UTMFW installation:

  • Thanks to a modified auto-partitioner of OpenBSD, the disk can be partitioned with a recommended layout for UTMFW, so most users don't need to use the label editor at all.
  • All install sets including siteXY.tgz are selected by default, so you cannot 'not' install UTMFW by mistake.
  • OpenBSD installation questions are modified according to the needs of UTMFW. For example, X11 related questions are never asked.
  • Make sure you have at least 2GB RAM, ideally 4GB if you enable MFS. And a 16GB HD should be enough.
  • If you install on an SD card, make sure it is fast enough. If you install on a slow disk, but you have enough RAM, you can enable memory-based file system (MFS), which is the default.
  • After installation:
    • When you first try to log in to the WUI, ignore the certificate warning issued by your web browser and proceed to the WUI.
    • Download the ca.crt from the SSLproxy Config page on the WUI, and install it on your web browser or other client application as a trusted CA certificate. You can install the ca.crt in the trust store on Android phones, but Android applications may not use that trust store. So you may need to use the PassSite option of SSLproxy for such applications.
    • Enable the pf rule for FCM ports (see /etc/pf.conf or go to the PFRE Editor page on the WUI), if you want to receive Firebase push notifications sent by UTMFW to your Android phone on the local network and on which you have installed and are running A4PFFW.
  • Make sure the date and time of the system is correct during both installation and normal operation, and select the correct timezone during installation. Otherwise:
    • The "Not Valid Before" date of the CA certificate generated for SSLproxy during installation may be wrong, causing clients to reject the certificates forged by SSLproxy, at least until the start date. To fix the "Not Valid Before" date, you may need to regenerate the CA certificate on the WUI, after fixing the system date and time.
    • The certificates forged by SSLproxy will be rejected by client applications, hence the connections will fail.
    • SSLproxy will not verify server certificates with date and time in the future or in the past, hence the connections will fail.
    • After fixing the date and time of the system during normal operation, the system statistics and monitoring programs may stop updating the RRD files due to significant time difference since last update. So you may need to delete the statistics files and reinit the RRD files using the WUI, and restart either the statistics and monitoring programs or the system.
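The clock problems listed above all show up as a certificate whose validity window does not contain the current time. The following added example (not part of UTMFW) checks a CA certificate such as the SSLproxy ca.crt at an arbitrary instant with `openssl verify -attime`, so a "Not Valid Before" date in the future is detected before clients start rejecting forged certificates. It assumes the openssl command-line tool is on the PATH; the test CA it creates is a constructed fixture, not the CA the installer generates.

```shell
# Added example (not part of UTMFW): check that a CA certificate is valid at
# a given time. Assumes the openssl command-line tool is on PATH.

# Print the validity window (notBefore / notAfter) of a certificate.
cert_validity_window() {
    openssl x509 -in "$1" -noout -startdate -enddate
}

# cert_valid_at CERT EPOCH -> 0 if the self-signed CA verifies at that
# instant, non-zero otherwise ("certificate is not yet valid" when the
# clock sits before notBefore, "certificate has expired" after notAfter).
cert_valid_at() {
    openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_ca_cert CERT: verify at the current system time; on failure print
# the window so a wrong clock or a stale CA is easy to recognise.
check_ca_cert() {
    if cert_valid_at "$1" "$(date +%s)"; then
        echo "$1: valid at the current system time"
        return 0
    fi
    echo "$1: NOT valid at the current system time; validity window:" >&2
    cert_validity_window "$1" >&2
    echo "Fix the system date/time, then regenerate the CA if needed." >&2
    return 1
}

# make_test_ca CERT KEY: constructed self-signed CA valid for one day from
# now (fixture for trying the checks; not the UTMFW installer's CA).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test CA" -keyout "$2" -out "$1" >/dev/null 2>&1
}
```

On a UTMFW system the call would be `check_ca_cert /etc/sslproxy/ca.crt` (the CA path the WUI exports); passing a past or future epoch to `cert_valid_at` shows how a client with a different clock would judge the same certificate.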

How to build

This section describes how to build the installation iso or img file using the createiso or createimg script, respectively, at the root of the project source tree. You are expected to do this on OpenBSD 7.4 with git, gettext, and doxygen installed.

Build summary

The create script:

  • Clones the git repo of the project to a tmp folder.
  • Generates gettext translations and doxygen documentation.
  • Prepares the webif and config packages and the site install set.
  • And finally creates the iso file for the amd64 arch or the img file for the arm64 arch.

However, the source tree contains links to OpenBSD install sets and packages that will be broken when you first obtain the sources and need to be fixed; make sure you see those broken links now. So, before you can run the create script, you need to do a couple of things:

  • Install sets:
    • Obtain the sources of OpenBSD.
    • Patch the OpenBSD sources using the patch-* files under openbsd/utmfw.
    • Create the UTMFW secret and public key pair to sign and verify the SHA256 checksums of the install sets, and copy them to their appropriate locations.
    • Build an OpenBSD release, as described in release(8) or faq5.
    • Copy the required install sets to the appropriate locations to fix the broken links in the sources.
  • Packages:
    • Download the required packages available on the OpenBSD mirrors.
    • Create the packages which are not available on the OpenBSD mirrors and/or have been modified for UTMFW: sslproxy, e2guardian, p3scan, smtp-gated, snort, imspector, snortips, and collectd (see ports and ports/distfiles).
    • Copy them to the appropriate locations to fix the broken links in the sources.

Note that you can strip down xbase and xfont install sets to reduce the size of the iso and img files. Copy or link them to the appropriate locations under openbsd/utmfw.

Now you can run the createiso or createimg script, which should produce an iso or img file, respectively, in the same folder as itself.

Build steps

The following are steps you can follow to build UTMFW yourself. Some of these steps can be automated by a script. You can modify these steps to suit your needs.

  • Install OpenBSD amd64:

    • Download installXY.iso from an OpenBSD mirror
    • Create a new VM with 60GB disk, or choose a size based on your needs
    • Start the VM and install OpenBSD
  • Install OpenBSD arm64:

    • Download installXY.img from an OpenBSD mirror
    • Use a 32GB SD card or USB flash memory, or choose a size based on your needs
    • Start the Raspberry Pi 4 or qemu-system-aarch64 and install OpenBSD
  • Configure OpenBSD:

    • Create a local user, after reboot add it to /etc/doas.conf
    • Create a separate partition mounted on /dest, which will be needed to make release(8)
    • Add noperm to /dest in /etc/fstab
    • Create /dest/dest/ and /dest/rel/ folders
    • Make /dest owned by build:wobj and set its perms to 700
       doas chown -R build:wobj /dest
       doas chmod -R 700 /dest
      
  • Fetch the UTMFW sources and update if upgrading:

    • Install git

    • Clone UTMFW to your home folder

    • Bump the version number X.Y in the sources, if upgrading

      • cd/amd64/etc/boot.conf
      • cd/arm64/etc/boot.conf
      • meta/create
      • meta/install.sub
      • src/create_po.sh
      • Doxyfile
      • README.md
      • src/lib/defs.php
      • cd/amd64/X.Y/
      • cd/arm64/X.Y/
      • openbsd/X.Y/
      • .po files under src/View/locale/
    • Bump the version number XY in the sources, if upgrading

      • README.md
      • openbsd/utmfw/expat/amd64/xbaseXY.tgz
      • openbsd/utmfw/expat/arm64/xbaseXY.tgz
      • openbsd/utmfw/fonts/amd64/xfontXY.tgz
      • openbsd/utmfw/fonts/arm64/xfontXY.tgz
    • Update the version number, release date, project changes, and news, if upgrading

      • config/etc/motd
      • meta/root.mail
      • README.md
    • Update copyright year if necessary

  • Generate the signify key pair:

    • signify -G -p utmfw-XY.pub -s utmfw-XY.sec
    • Save utmfw-XY.pub and utmfw-XY.sec to docs/signify
    • Copy utmfw-XY.pub to meta/etc/signify/
    • Copy utmfw-XY.pub to /etc/signify/, the utmfw-XY.pub file is copied into the bsd.rd file while making release(8), to verify install sets during installation
  • Update the packages for the amd64 arch, then do the same for the arm64 arch replacing amd64 with arm64 (or aarch64 for PKG_PATH) below:

    • Install the OpenBSD packages

      • Set the download mirror, use the existing cache if any
         export PKG_PATH=/var/db/pkg_cache/:https://cdn.openbsd.org/pub/OpenBSD/X.Y/packages/amd64/
        
      • Save the depends under PKG_CACHE, which will be used later on to update the packages in the iso and img files
         export PKG_CACHE=/var/db/pkg_utmfw/
        
      • dnsmasq
      • clamav
      • p5-Mail-SpamAssassin
      • snort, to download its dependencies, otherwise we have our own patched version
      • openvpn
      • dante
      • symon
      • symux
      • pmacct
      • pftop
      • php, php-cgi, php-curl, php-pcntl, php-sqlite3
      • rsync
    • Build and create the UTMFW packages

      • Extract ports.tar.gz under /usr/ports/
      • Copy the port folders of the UTMFW packages under ports to /usr/ports/{net,security,www,devel,sysutils}
      • Obtain the snort sources, apply the snort diff under ports/distfiles, compress as tarball with the same name as the original tarball of the sources
      • Copy the source tarballs of the UTMFW packages to /usr/ports/distfiles
      • Append the daemon users of UTMFW packages to /usr/ports/infrastructure/db/user.list, but note that bsd.port.mk does not like blank lines at the bottom of user.list
         900 _p3scan             _p3scan         net/p3scan
         901 _smtp-gated         _smtp-gated     net/smtp-gated
         903 _imspector          _imspector      net/imspector
         904 _sslproxy           _sslproxy       security/sslproxy
        
      • Install the pkg depends of each UTMFW package before making them, so that the ports system does not try to build and install them itself
      • Make the UTMFW packages
        • libevent, if not using the OpenBSD package
        • sslproxy
        • p3scan
        • smtp-gated: use the source tarball under ports/distfiles
        • imspector: use the source tarball under ports/distfiles
        • e2guardian
        • snortips
        • snort: use the source tarball generated above
        • collectd
      • Sign all of the UTMFW packages using signify, for example:
         signify -Sz -s utmfw-XY.sec -m /usr/ports/packages/amd64/all/sslproxy-0.9.5.tgz -x ~/sslproxy-0.9.5.tgz
        
    • Update the links under cd/amd64/X.Y/packages/ with the UTMFW packages made above

    • Install the UTMFW packages using their signed packages, to download their dependencies

      • Save the depends under PKG_CACHE
         export PKG_CACHE=/var/db/pkg_utmfw/
        
      • libevent, if not using the OpenBSD package
      • sslproxy
      • p3scan
      • smtp-gated
      • e2guardian
      • snortips
      • imspector
      • snort
      • collectd
    • Update the links under cd/amd64/X.Y/packages/ with the OpenBSD packages saved under PKG_CACHE

    • Keep the links for

      • blacklists.tar.gz
      • clamavdb.tar.gz
      • snortrules.tar.gz
      • imspector
      • p3scan
      • smtp-gated
      • snortips
      • sslproxy
      • snort
      • e2guardian
      • libevent, if not using the OpenBSD package
      • collectd
  • Update meta/install.sub:

    • Update the versions of the packages listed in THESETS
  • Make release(8) for the amd64 arch, then do the same for the arm64 arch replacing amd64 with arm64 below:

    • Extract src.tar.gz and sys.tar.gz under /usr/src/
    • Apply the patches under openbsd/utmfw
    • Update the sources with the stable branch changes if any
    • Follow the instructions in release(8), this step takes about 6 hours on a relatively fast amd64 computer and longer than 60 hours on a Raspberry Pi 4
      • Build the kernel and reboot
      • Build the base system
      • Make the release, use the dest and rel folders created above:
         export DESTDIR=/dest/dest/ RELEASEDIR=/dest/rel/
        
    • Copy the install sets under /dest/rel/ to ~/OpenBSD/X.Y/amd64/
  • Update the install sets:

    • Update the links for install sets under cd/amd64/X.Y/amd64 using the install sets under ~/OpenBSD/X.Y/amd64/ made above
    • Update the links for install sets under cd/arm64/X.Y/arm64 using the install sets under ~/OpenBSD/X.Y/arm64/ made above
    • Remove the old links
    • Copy the xbaseXY.tgz install set from installXY.iso to docs/expat/amd64/xbaseXY.tgz
    • Copy the xbaseXY.tgz install set from installXY.img to docs/expat/arm64/xbaseXY.tgz
    • Copy the xfontXY.tgz install set from installXY.iso to docs/fonts/amd64/xfontXY.tgz
    • Copy the xfontXY.tgz install set from installXY.img to docs/fonts/arm64/xfontXY.tgz
    • Copy the files under the BOOT partition of installXY.img for the amd64 arch to ~/OpenBSD/X.Y/amd64/BOOT/
    • Copy the files under the BOOT partition of installXY.img for the arm64 arch to ~/OpenBSD/X.Y/arm64/BOOT/
    • Download and copy the Broadcom wifi drivers for Raspberry Pi 4 to ~/OpenBSD/X.Y/arm64/firmware/
  • Update the configuration files under config with the ones in the new versions of packages:

    • Also update Doxyfile if the doxygen version has changed
  • Update PFRE and SPRE:

    • Update PFRE and SPRE to their current versions, support changes in pf and sslproxy if any
    • Create and install the man2web package
    • Produce pf.conf.html from pf.conf(5), sslproxy.html from sslproxy(1), and sslproxy.conf.html from sslproxy.conf(5) using man2web
    • Merge the PFRE and SPRE changes from the previous html files, most importantly the anchors
  • Update the PHP version numbers in the sources, both php and php-fpm, if upgrading PHP:

    • config/etc/php-X.Y/
    • config/etc/php-X.Y.ini
    • config/utmfw.files
    • config/utmfw.mtree
    • meta/install.sub
    • config/etc/rc.local
    • config/etc/syslog.conf
    • src/Model/system.php
    • src/View/system/conf.startup.php
  • Update phpseclib to its new version if any:

    • Merge the UTMFW changes from the previous version
  • Update d3js to its new version if any:

    • Fix any issues caused by any API changes
  • Update the registered snortrules.tar.gz:

    • Make sure the directory structure is the same as the one in the old snortrules.tar.gz
    • Add the black and white list files
    • Compress
  • Update blacklists.tar.gz:

    • Download the black list
    • Run the cats.php script to prepend category descriptions to each file
    • Compress
  • Update clamavdb.tar.gz:

    • Download the virus db files
    • Compress
  • Strip xbase and xfont:

    • Make sure the contents are the same as in the files in the old iso and img files, except for the version numbers
    • SECURITY: Be very careful with the permissions of the directories and files in these install sets, they should be the same as the original files
  • Run the create script:

    • Install gettext-tools and doxygen for translations and documentation
    • Run ./createiso or ./createimg under ~/utmfw/
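The user.list step in the build steps above warns that bsd.port.mk rejects blank lines at the bottom of the file, which is exactly what a careless `cat >>` leaves behind. The following added example, not part of the UTMFW build scripts, appends the four daemon-user entries listed above idempotently: it strips the trailing blank run first, then adds only entries whose user name is not already present. It assumes the usual "uid name group port-directory" layout of /usr/ports/infrastructure/db/user.list.

```shell
# Added example (not part of UTMFW): append the UTMFW daemon users to a
# ports user.list without leaving blank lines at its end.
# Entries copied from the README's build steps.
UTMFW_PORT_USERS='900 _p3scan             _p3scan         net/p3scan
901 _smtp-gated         _smtp-gated     net/smtp-gated
903 _imspector          _imspector      net/imspector
904 _sslproxy           _sslproxy       security/sslproxy'

# trailing_blank_lines FILE: print how many empty lines end the file.
trailing_blank_lines() {
    awk 'NF { n = 0; next } { n++ } END { print n + 0 }' "$1"
}

# has_user FILE NAME: 0 if some line's second field (the user name) is NAME.
has_user() {
    awk -v u="$2" '$2 == u { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# append_port_users FILE: drop the trailing blank run, then add each UTMFW
# entry whose user is not yet listed. Prints the number of entries added.
append_port_users() {
    f=$1
    tmp="$f.tmp"
    # copy every line, then cut the run of whitespace-only lines at the end
    awk '{ lines[NR] = $0 }
         END { last = NR
               while (last > 0 && lines[last] !~ /[^ \t]/) last--
               for (i = 1; i <= last; i++) print lines[i] }' "$f" > "$tmp"
    added=0
    while IFS= read -r entry; do
        name=$(printf '%s' "$entry" | awk '{print $2}')
        if ! has_user "$tmp" "$name"; then
            printf '%s\n' "$entry" >> "$tmp"
            added=$((added + 1))
        fi
    done <<EOF
$UTMFW_PORT_USERS
EOF
    mv "$tmp" "$f"
    echo "$added"
}
```

Run it as `doas sh -c '. ./users.sh; append_port_users /usr/ports/infrastructure/db/user.list'` (assuming the functions are saved in users.sh); a second run reports 0 additions and leaves the file unchanged.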

Issues

No success

I tried to install on KVM from iso. There seems to be an issue with user accounts. I'm not able to log in to the console with any user and password combination, errors with pf script and configuration:

[four screenshots attached to the issue, not reproduced here]

BEV_EVENT_ERROR

Hi there,

I keep getting the following errors when I tried to access inbox from google:
SNI peek: [inbox.google.com] [complete], fd=47
Connecting to [216.58.212.133]:443
pxy_connected_enable: SSL connected to [-]:- TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
CLIENT_RANDOM B4C70D68E61E74699267DBCAE725936250B55FB110259C37A46F94E4DB5FEB42 761DEA9FC5DEEA1418BEA4BD045F64DDE82B79DB711BCCFF5F8935186DB326DC1D701BD09F41DB20AEABFD6E67A0334C
===> Original server certificate:
Subject DN: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=mail.google.com
Common Names: mail.google.com/mail.google.com/inbox.google.com
Fingerprint: 47:C9:7F:F3:E6:2C:9B:CE:0E:954B:95:23:0B:BC:FA:71:EE:A4:68
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=mail.google.com
Common Names: mail.google.com/mail.google.com/inbox.google.com
Fingerprint: E4:80:3A:D7:52:98:FF:F6:48:6F08:24:B6:73:B5:77:BB:EF:E8:21
Received privsep req type 05 sz 5 on srvsock 8
Certificate cache: KEEP (SNI match or target mode)
pxy_ssl_shutdown_cb: fd=48, SSL_free() in state 00000001 = 0001 = SSLOK (SSL negotiation finished successfully)
BEV_EVENT_ERROR
Error from bufferevent: 0:- 336151574:1046:sslv3 alert certificate unknown:20:SSL routines:148:ssl3_read_bytes

pxy_bev_eventcb: SSL disconnected to [216.58.212.133]:443, fd=47
pxy_bev_eventcb: SSL disconnected from [10.8.0.2]:59632, fd=47

Inbox will not refresh the content and gave No Connection error. I also get similar error in whatsapp. Has it got something to do with my self-signed certificate? I already imported the self-signed certificate onto my Android device so that is not the cause. Not all forged certificates generated an error though.

I have sslproxy version v0.5.6-7-g859da0a so it's the latest. I noticed that web browsing on the Android phone is fine with the forged certificates, but in Android apps these errors become more frequent. I think I'm missing something here but what? Hopefully you can help me with this.

Thank you!

Eric

Packet Filter changes do not work

Hello,
I like this project and find it really promising (and also underrated), but at the moment I am facing an inconvenience:

I tried to add rules to pass my own host to connect to anything via the WUI Packet Filter -> Editor, but this doesn't seem to work at all.
If I e.g. add a "pass from 10.26.0.10" rule at the end it doesn't actually let this IP pass. I know this could be related to some quick rules above, but the same goes for something like "block to 1.1.1.1", which I could easily confirm using "ping 1.1.1.1" -> connection still possible. The changes are also not written to the /etc/pf.conf file. If I edit the /etc/pf.conf file manually with these entries from above it all works fine. So it seems that any change via the WUI rule editor does not affect pf... Or did I overlook something? Afaik the "Load and Save" options are just for saving to another conf file and not necessary to apply new rules, right?

Any help would be appreciated
Greetings

SSLProxy with Squid

Hello, I'm having a question, is it possible to use SSLProxy with Squid on linux?

Because I configured sslproxy, but it did not browse because the source and destination were 127.0.0.1.

Do you have any tips?

Thank you.

www not working.

Hello. I installed two machines on VirtualBox, utmfw as router-UTM and Windows XP as guest OS, to test the connection to the internet via utmfw. The utmfw ext_if is connected to the internet via a bridged interface on my laptop, on which I installed the VM. The problem is that I can't connect anywhere to www (80 or 443), not even to utmfw (to the int_if from the guest XP), but for example I can connect from XP to FTP and SSH servers. To test the built-in www server on utmfw I installed lynx from OpenBSD and it works locally. Furthermore I can ping any machine on the internet from the guest. Nslookup on the guest resolves names properly. I installed utmfw several times but no luck. Please help.

Questions regarding proxy/logging

Hello, I really like your project, especially the TLS decryption feature, but I have questions:

  1. As I understand it, it is possible to inspect decrypted TLS traffic with suricata/snort with all the rules etc. right?

  2. Is there a feature for remote logging (especially the eve.json)?

  3. Is it possible to just use SSLproxy to decrypt the traffic and mirror the decrypted traffic to a Suricata server? In my case I just want to have an internet proxy (MyDevices <-> SSL Proxy <-> Internet) to monitor for malicious traffic and not block anything or something like that.

SSLProxy changing default certs doesn't work: "error loading CA cert from '/etc/sslproxy/ca.crt': Invalid argument Error"

Hello,
as the default ca.crt doesn't seem to work when installing as trusted root in Ubuntu, I tried changing the certs in SSLProxy to the ones I know that worked with SSLsplit (and therefore I guess with SSLProxy too).
But changing the config to include them or just replacing them (tried both) results in the following error:

/usr/local/bin/sslproxy: error loading CA cert from '/etc/sslproxy/ca.crt':
Invalid argument
Error in conf: 'CACert' on line 12
Error in conf file '/var/log/utmfw/tmp/sslproxy.conf.Om4SYF'

Config:

[...]
# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt

# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key
[...]

Is there maybe something wrong with my certificates?

OpenVPN no internet connection

Hello, its me again :)

I now tried to use OpenVPN to connect to UTMFW using the provided config files but it does not allow me to connect to anything besides the local network (UTMFW WUI using the local IP works but no internet).

What I did:

  1. Fresh setup of UTMFW with 2 interfaces (internal/external) with every packet installed
  2. Connected to the WUI using ssh ... -L port forwarding (I use a cloud server to host UTMFW)
  3. Downloaded the OpenVPN client.conf and relevant certs via SFTP
  4. Changed the remote port on my client to the actual public IP of UTMFW, the cert paths and enabled the setting to route any ipv4 traffic through Tunnelblick (OpenVPN client for MacOS)
  5. Un-commented the "VPN" section in the pf.conf and did pfctl -f pf.conf
  6. Connected using the client.conf. The connection is green/established. (It just warns that the DNS is not routed through the VPN)
  7. No connection to anything besides 10.0.0.3 (the internal IP)
  • I tried just a ping 1.1.1.1 , curl https://1.1.1.1 or neverssl.com, nothing works.
  • In the WUI I can see many more "States" if I connect but nothing on "Data Transfer" or "Internal interfaces". No logs on any of the packet's Log-sections (IDS/IPS/Spam etc).
  • I can see no pf blocks in the log. I see pass from 10.0.0.8 to public-IPs that seem to be the one I requested but I see nothing in the other direction.
  • I tried enabling the #VPN passthrough rules that were commented in the pf.conf but it also didn't work.

Maybe I am missing some routing? Or did I do anything else wrong?
Any help would be appreciated. :)

SSH and web gui not accessible after installation

I installed the UTMFW with 2 network interfaces in different subnets. But SSH nor web gui on port 80 or 443 is not accessible. From UTMFW server console I can ping local network and internet. How do I allow access to SSH and web so I can configure it?
Thanks

Install on top of existing OpenBSD?

First, thank you so much for creating and maintaining UTMFW - I'm looking to create an OpenBSD-based transparent firewall with a good GUI and this looks like the perfect solution.

I was wondering if you would be able to provide a reduced set of installation instructions (or, ideally, an installer script :)) for those of us who just want to install UTMFW on top of an existing OpenBSD system, rather than having to fully format and do a clean install of the ISO. It looks like the build instructions were intended for creating full ISOs. Thank you!

Configuration of Webfilter produces invalid config file

I was testing the firewall, and configuring the Webfilter produced an invalid config file.

These lines where in the file /etc/e2guardian/lists/authplugins/ipgroups.

    utmfw = filter1
    = filter2
    bjt = filter5
    all = filter1
    bj = filter2

I didn't edit the file manually, so I think this was produced by the interface.

Downloaded ISO no boot

I was trying to boot the ISO, no luck. Do I have to be in 'legacy' mode? UEFI? I did 'dual' but even my iso file seems corrupted (I got the one from the google drive). To build do I need an openbsd vm?

thomas

Does this support Wireguard and/or multi-WAN/policy-routing

Does this support Wireguard for VPN?
Does this support MultiWAN (multiple wireguard connections), meaning having multiple public IPs for which incoming traffic is accepted, then sent to a port on an internal server?
Here it's also important that the resulting response traffic emanates from the correct WAN interface, so WAN1:80 might be assigned to 192.168.1.10:80, and WAN2:80 might be assigned to 192.168.1.10:81. Response traffic with a source of 192.168.1.10:81 must be sent out from WAN2:80, even though the default gateway is WAN1.

How to set IP and Port of SSLProxy and UTMFW?

My SSLproxy is listening on IP addr:x.x.x.0 and UTMFW is on x.x.x.x.1 , and I am using sudo ./sslproxy -k ca.key -c ca.crt https x.x.x.0 8443 up:8080 to start proxy

i always get the error
BEV_EVENT_ERROR
Error from bufferevent: 111:Connection refused 0:0:-:0:-:0:-
BEV_EVENT_ERROR
Error from bufferevent: 111:Connection refused 0:0:-:0:-:0:-
Please tell me which configuration to use to fully listen on UTMFW.

Or, if SSLProxy and UTMFW are meant to be on the same system, how do I configure the UTM IPv4 address, as it does not accept the same IP?
