Vuurmuur on Inliniac

Vuurmuur 0.8 has been released

Sun, 24 Feb 2019 19:22:51 +0000

I’ve just pushed the 0.8 release. See my announcement here. Get it from github or the ftp server.

Largest changes:

ipv6 support using ip6tables
logging uses nflog - initial work by Fred Leeflang
connection logging and viewer
add rpfilter and improved helper support
a ‘dialog’ based setup wizard
single code base / package
massive code cleanup

I plan to continue to work on Vuurmuur, but it will likely remain at a low pace. Suricata development is simply taking too much of my time.

Vuurmuur Development Update

Thu, 12 Jan 2017 15:40:51 +0000

Over the holidays I’ve spent some time refreshing the Vuurmuur code. One major thing that is now done is that the 3 different ‘projects’ (libvuurmuur, vuurmuur and vuurmuur-conf) are now merged into a single ‘project’. This means that a single ‘./configure && make && make install’ now installs everything.

When I originally started Vuurmuur I had much bigger dreams for it than eventually materialized. Also, I didn’t understand autotools very well, so it was easier to keep the project split up. At some point there were even 5 projects!

Vuurmuur 0.8rc1 released

Fri, 25 Jan 2013 16:45:34 +0000

I just released a new Vuurmuur version: 0.8rc1. The first release candidate for the 0.8 series. This release improves IPv6 support a lot. The wizard is now also fully functional. Try “vuurmuur_conf –wizard”.

Improved IPv6 support: #115
Improved Debian packages, switching to nflog as default for logging.
Fix connection viewer not showing accounting on newer systems. #141
Amd64 packages for Debian and Ubuntu are now available through the apt server. #83
Switch from “state” match to “conntrack” match for connection tracking.
Services now support possible protocols. #63
Add support for rpfilter match. #137

Get this release from the ftp server: ftp://ftp.vuurmuur.org/releases/0.8rc1/Vuurmuur-0.8rc1.tar.gz

Setting up an IPS with Fedora 17, Suricata and Vuurmuur

Sat, 13 Oct 2012 11:07:19 +0000

I recently found out that Fedora includes Vuurmuur in it’s repositories. Since Suricata is also included, I figured I would do a quick write up on how to setup a Fedora IPS. While writing it turned more into a real “howto”, so I decided to submit it to Howtoforge.

It can be found here one HowtoForge.

Vuurmuur on Fedora is at the 0.7 version, which is still the current stable. It’s rather old though, and it reminds me again I need to make sure the 0.8 branch gets to a stable release soon. The Suricata included in Fedora 17 is 1.2.1, with 1.3.2 expected to land any day now.

Vuurmuur 0.8beta4 released

Fri, 31 Aug 2012 13:20:08 +0000

I just released a new Vuurmuur version. The last release was in 2009, so it has been a while.

This release adds basic IPv6 support. The state of the IPv6 support is incomplete, but quite functional.

Supported features are:

- rules generation - log viewing - setting IPv6 addresses in hosts, networks and interfaces

Unsupported features are:

- connection viewer - NAT - blocklist - IPv6 address to Vuurmuur name conversion in the log

Vuurmuur IPv6

Thu, 31 Mar 2011 21:14:43 +0000

The last few years Vuurmuur development has been very slow, not to say pretty much stagnant. This had a couple of reasons. The first is that my attention was drawn to other projects, mostly Suricata these days. The second reason is that Vuurmuur pretty much does all I want. The third reason is that despite some minor contributions, no other developer has stepped up to take over.

Meanwhile, people continued using Vuurmuur, it made it’s way into Debian, got removed from it again, made it’s way into Ubuntu. Lately, every few weeks someone would ask me if Vuurmuur was still being developed. My answer always was “yes, but very slowly”.

Ohloh

Wed, 30 Jun 2010 08:47:54 +0000

Ohloh is a pretty cool site for keeping track of projects and programmers. It’s an easy way to keep track of the development in a project and gives a nice indication of how actively it’s being developed. It has some social networkish features too, such as individual developers giving each other “kudos”.

The code analysis is pretty nice: it gives statistics on code base size, growth, comment ratio, languages used, etc. Per developer it tracks quite a few stats as well.

Vuurmuur rpms

Tue, 03 Nov 2009 15:44:49 +0000

Daniele Sluijters has spend quite an effort at creating Vuurmuur rpms for Fedora 11 and CentOS 5, both 32 bit and 64 bit. The packages are available at the Vuurmuur ftp-server here: ftp://ftp.vuurmuur.org/releases/0.7/contrib/ Currently we have packages for 0.7, hopefully 0.8beta2 will follow later. Thanks Daniele!

Vuurmuur development

Sun, 01 Nov 2009 17:46:07 +0000

Ever since I’ve been working on the OISF engine I’ve been unable to spend much time on my Vuurmuur project. Luckily it seems development is picking up some speed again because there are some (new) people working on some improvements. Two development branches have been started in svn. The first is “nflog” which is meant for the development of support for libnetfilter_log to replace the current syslog based vuurmuur_log.

The second is called “ipv6” and is meant for adding IPv6 support to Vuurmuur as a frontend to ip6tables. This is going to be quite an effort, but I’m excited that it got started!

Vuurmuur 0.7 is out

Sat, 04 Apr 2009 08:04:25 +0000

A new version of Vuurmuur is out: 0.7. This release mainly fixes bugs and build issues. Translations are generated and installed again, lots of traffic shaping fixes were made.

Support for pmtu MSS clamping was added, as was support for NAT source port randomization.

See http://www.vuurmuur.org/trac/wiki/Changelog for all changes.

Debs for Debian and Ubuntu are available, see http://www.vuurmuur.org/trac/wiki/InstallationDebian

The source installer and Autopackage are on the ftp server: ftp://ftp.vuurmuur.org/releases/0.7/

Looking forward, I’m planning on improving the services handling in 0.8. Especially supporting all protocols from /etc/protocols, instead of just a small list of hardcodes ones. Check http://www.vuurmuur.org/trac/milestone/0.8 to monitor the plans and progress on the 0.8 release. Suggestions & help are welcome!

Vuurmuur 0.7 getting close

Tue, 31 Mar 2009 15:42:35 +0000

The next stable version of Vuurmuur, 0.7, is getting close. Last week I released release candidate 3. If you’re a Vuurmuur user, please try 0.7rc3 and report back to me on how it works! For a list of changes, please see the closed tickets. Thanks!

Checking out SourceForge's Marketplace

Tue, 06 Jan 2009 14:26:31 +0000

I’ve registered myself as a seller of services on SourceForge’s Open Source Marketplace. I’ve done so offering software development services for the Snort, Snort_inline and Vuurmuur projects. I was wondering if anyone has any experience (good or bad) with the Marketplace system, either as a buyer or seller of services. Let me know!

Vuurmuur makes it into Debian (Sid)

Tue, 09 Dec 2008 14:08:57 +0000

Thanks to the hard work of Debian’s Daniel Baumann Vuurmuur has been included in Debian unstable/Sid. This hopefully means that Vuurmuur will be getting a lot more users. Eventually it should get into testing and even stable, although the next release “lenny” will come too soon for that. The “lenny” feature freeze was already in place before Vuurmuur got included in Sid. Anyway, for me this is big news!

See here for the packages: http://packages.debian.org/sid/libvuurmuur0 http://packages.debian.org/sid/vuurmuur http://packages.debian.org/sid/vuurmuur-conf

New Vuurmuur version numbering scheme

Mon, 22 Sep 2008 15:15:12 +0000

Today I’ve changed the versioning scheme for Vuurmuur. I was unhappy with the scheme for quite some time already. Versions like 0.5.73 are not making much sense in my view. Originally, my intention was to have a scheme like the linux kernel at the time had. Even versions for stable releases, odd versions for unstable/development releases. The idea was that the 0.5.x development series would some day become a 0.6 stable, after which the 0.7 development series would begin. Of course, that never happened. Instead, I added the alpha releases that became the real development releases and the 0.5.x effectively became the stable releases. So we ended up with releases like 0.5.74 alpha 6. In my opinion quite confusing.

Support for source port randomization in Vuurmuur

Fri, 25 Jul 2008 21:50:59 +0000

One of the workarounds for the current DNS problems is that servers introduce source port randomization. So it’s time for you to patch your DNS server so it uses random source ports. If for some reason you are unable to do that, iptables can help. Michael Rash has a good write up of how that works here.

In Vuurmuur there is now a per rule option, that can be enabled for the SNAT, MASQ, PORTFW, DNAT and BOUNCE actions, called ‘random’. This passes the ‘–random’ option to the iptables rules Vuurmuur creates. Note that you need a recent distro for this. Debian Etch is too old, Ubuntu Hardy is fine. The new functionality is just released in Vuurmuur 0.5.74 alpha 6. Check it out!

Multiple Snort_inline processes with Vuurmuur

Mon, 12 Nov 2007 21:29:58 +0000

One of the cool things of the Snort_inline project is the support for NFQUEUE. NFQUEUE is the new queuing mechanism to push packets from the kernel to userspace so a userspace program can issue a verdict on it. What makes NFQUEUE cooler than it’s predecessor ip_queue is that it supports multiple queue’s. This means that there can be more than one Snort_inline process inspecting and judging traffic. The challenge is to make sure that each Snort_inline instance sees all traffic belonging to a certain connection so Snort_inline can do stateful inspection on it. Luckily, Vuurmuur makes it very easy.

GUI part of Vuurmuur traffic shaping done

Thu, 01 Nov 2007 23:03:18 +0000

The GUI part of Vuurmuur’s traffic shaping is done. That means it’s in a usable state. It’s probably rough around the edges, but anyone is invited to give it a try. Below two screens.

Vuurmuur shape rule settings.

The per rule shaping settings.

Vuurmuur shape interface settings.

The per interface settings for the shaping.

Vuurmuur gets traffic shaping

Tue, 02 Oct 2007 19:11:12 +0000

The last weeks I’ve been working on adding traffic shaping support to Vuurmuur. The work is largely done, only the GUI part is still missing. But using vuurmuur_script it is already usable in the current SVN trunk. I’ve written before about my shaping ideas here.

The support currently focuses on three different options:

1. Limiting bandwidth usage by rules.

Per rule a limit can be set for the maximum amount of bandwidth all traffic from this rule uses. Both directions of a connection have different limits. The in_max and out_max options can be added to existing rules for this. The syntax of the in_max and out_max is simple: out_max=15kbps means that traffic in the source to destination direction of a rule can at max use 15 kb/s.

Interview about Vuurmuur on security.nl

Tue, 02 Oct 2007 11:10:44 +0000

The Dutch security site security.nl has interviewed me about the Vuurmuur project. The (Dutch language) article can be found here.

Thanks to Joran Polak of security.nl for giving me the opportunity to tell something about this project!

Vuurmuur developments

Mon, 17 Sep 2007 15:34:49 +0000

Last weeks I’ve spend many hours on my Vuurmuur Firewall project. First I’ve been improving the code to prepare for a new release. I’ve added NFQUEUE support to Vuurmuur, so I could use it with nfnetlink enabled Snort_inline. Also the connection killing has been improved. The rules limit options were extended, to allow more flexibility.

Second, with the great help of Adi Kriegisch, I’ve been working on setting up a new build server for Debian and Ubuntu packages. Credits mostly go to Adi, who did most of the work and hosts the server. So many thanks to Adi! The new build server supports all version of Debian from Sarge up and of Ubuntu from Dapper and up.

Installing and creating Autopackages in a chroot

Thu, 31 May 2007 20:50:54 +0000

This may be a little off-topic for this weblog, but since I spend quite some time researching this, I’ve decided to write about it anyway. When preparing a new release for Vuurmuur, I wanted to create an Autopackage as well. For those that are unaware of it Autopackage is a distribution independent installer for Linux binaries. Because creating packages for every distro including flavor and versions is way out of my reach, a general installer can save the day.

Vuurmuur NFQUEUE support

Tue, 22 May 2007 13:21:23 +0000

Vuurmuur supported the QUEUE target for a while already, even though it needed a little bit of a hack to handle the state. This is because the iptables ruleset Vuurmuur creates is quite simple: after a few general protection rules it starts by accepting traffic with the state established. Since there is no way to say ‘queue established traffic that was queued before’ in iptables I decided to use traffic marking to distinguish between traffic to be queued or accepted. But there was a problem with this approach. I didn’t want to cripple the marking of traffic for other purposes, such as traffic shaping and routing, so I decided to use mark-ranges to either queue or accept:

Vuurmuur SVN now open

Mon, 14 May 2007 16:57:09 +0000

For version control for Vuurmuur development I have been using Bazaar and Bazaar-NG. I’ve never really gotten used to Bazaar-NG. I admit that this is mostly due to lack of trying. For the Snort_inline project I have gotten used to Subversion, for which I even bought a book (Practical Subversion by Garrett Rooney, great book!). So recently I decided to move Vuurmuur also to SVN, for these three reasons:

this way I need to work with only one tool
people in the OSS community are more used to SVN so it’s easier for users and people interested in contributing
Bazaar-NG doesn’t support SVN-style tags, except (I think) for the latest version which is not in my distro

So the SVN repository is now open. It is hosted at SourceForge at:

Experimenting with IPv6

Tue, 13 Mar 2007 19:04:51 +0000

My ISP is one of the few here in the Netherlands that provides a IPv6 tunnel broker. I have played with it some during the last year or so, but now decided to get a little more serious with it. So I’ve decided to enable it for my blog. When opening up my site to IPv6 one thing that is important is security. I will describe the status of IPv6 support of my current setup:

Vuurmuur developments

Fri, 12 Jan 2007 21:47:01 +0000

This is my first blog post in 2007, so let me start by wishing everyone a good and healthy new year. In the new year I finally released a new version of Vuurmuur. It was the longest period between two releases, the last one was in April 06. The last year has been pretty hectic, with my graduation, looking for work, and now working… Also I’ve been stepping up work on Snort_inline and Modsec2sguil, which all took away coding time from Vuurmuur.

Vuurmuur: extending the connection options to the logviewer

Sun, 01 Oct 2006 11:41:40 +0000

In Vuurmuur 0.5.72 alpha 1, I introduced a connection management interface to the connection viewer, allowing the administrator to kill connections and add ipaddresses to the blocklist. Next, I’m working on doing about the same for the logviewer. The idea is to have a menu with options for each individual logline. I can think of a large number of interesting options, but I think the best would be an option like ‘create a rule based on this logline’. This would then open a prefilled rule window based on the values in the log. This option would make it very easy to get going with a new Vuurmuur setup.

Vuurmuur: connection killing getting shape

Sat, 02 Sep 2006 13:26:28 +0000

The main new feature of the 0.5.72 release of Vuurmuur will be the ability to kill existing connections from vuurmuur_conf. It will use the conntrack tool for this. Below is a screenshot of how it works.

Currently it works only for TCP connections and UDP pseudo connections. From the connection manager IPAdresses can also be added to the blocklist. All existing connections for this IP will be killed on that action. I have yet to extend this to hosts blocked manually.

Vuurmuur: first baby steps in traffic shaping

Wed, 16 Aug 2006 15:51:01 +0000

Quite a while ago a placed a poll on the Vuurmuur Wiki, asking for the most important feature Vuurmuur needs. It turns out most people want traffic shaping. Traffic shaping has been on my todo list for a long time, but i never really got into using it, let alone understand it enough to integrate it into a GUI. So the last couple of days i had some spare time, and i have been checking it out. So far i am distinguishing the following types of traffic shaping.

Vuurmuur: a new audit: passed

Thu, 10 Aug 2006 07:31:48 +0000

Last week a user of Vuurmuur let me know he had another security audit at his work, and Vuurmuur passed without any remarks whatsoever. The auditors even said that this was quite unusual.

The user is working in a Dutch company involved in stocktrading, and are forced to have the same level of security as their parent company, which is a bank. After the last time they had an audit, i added the auditlog feature to Vuurmuur, and it seems that has pleased them because unlike last time, they didn’t even complain about Vuurmuur’s beta status ;-)