Inliniac » Vuurmuur

Vuurmuur IPv6

Victor Julien — Thu, 31 Mar 2011 21:14:43 +0000

The last few years Vuurmuur development has been very slow, not to say pretty much stagnant. This had a couple of reasons. The first is that my attention was drawn to other projects, mostly Suricata these days. The second reason is that Vuurmuur pretty much does all I want. The third reason is that despite some minor contributions, no other developer has stepped up to take over.

Meanwhile, people continued using Vuurmuur, it made it’s way into Debian, got removed from it again, made it’s way into Ubuntu. Lately, every few weeks someone would ask me if Vuurmuur was still being developed. My answer always was “yes, but very slowly”.

I plan to change that. The reason? IPv6. I’ve been using IPv6 on and off over the years, usually through the experimental tunnel service my ISP offered. But a while back my ISP started offering native IPv6 connectivity, which I’m using on a daily basis now. In the feature set Vuurmuur has, IPv6 is the only glaring omission. So, it’s time to address that.

Over the next months my idea is to slowly start adding IPv6 support to Vuurmuur. As I’m already using a simple script the idea is to start with logging support. Then move up from there.

Supporting all current features on IPv6 is going to require a lot of effort. In some cases I’m not even sure we can. But getting at least a basic IPv6 ruleset going should be fairly straightforward. If you’re interested in helping out, please let me know. Any help is greatly appreciated!

Ohloh

Victor Julien — Wed, 30 Jun 2010 08:47:54 +0000

Ohloh is a pretty cool site for keeping track of projects and programmers. It’s an easy way to keep track of the development in a project and gives a nice indication of how actively it’s being developed. It has some social networkish features too, such as individual developers giving each other “kudos”.

The code analysis is pretty nice: it gives statistics on code base size, growth, comment ratio, languages used, etc. Per developer it tracks quite a few stats as well.

It also does a estimate of the cost of a project. For the Suricata project it currently estimates cost of 2.1 million USD. Actual cost are significantly less than that, less than half of that. So either we are severely underpaid or the calculation is off quite a bit

The per developer code statistics show that I’ve “touched” 131k lines of code out of 148k which confirms what I already knew: I need some vacation…

Anyway, check it out. Vuurmuur is on there, as are Snort and ModSecurity.

Oh by the way, Suricata 1.0 coming out tomorrow!

Vuurmuur rpms

Victor Julien — Tue, 03 Nov 2009 15:44:49 +0000

Daniele Sluijters has spend quite an effort at creating Vuurmuur rpms for Fedora 11 and CentOS 5, both 32 bit and 64 bit. The packages are available at the Vuurmuur ftp-server here: ftp://ftp.vuurmuur.org/releases/0.7/contrib/ Currently we have packages for 0.7, hopefully 0.8beta2 will follow later. Thanks Daniele!

Vuurmuur development

Victor Julien — Sun, 01 Nov 2009 17:46:07 +0000

Ever since I’ve been working on the OISF engine I’ve been unable to spend much time on my Vuurmuur project. Luckily it seems development is picking up some speed again because there are some (new) people working on some improvements. Two development branches have been started in svn. The first is “nflog” which is meant for the development of support for libnetfilter_log to replace the current syslog based vuurmuur_log.

The second is called “ipv6″ and is meant for adding IPv6 support to Vuurmuur as a frontend to ip6tables. This is going to be quite an effort, but I’m excited that it got started!

Anyone interested in joining the development effort is welcome to do so. Join us at #vuurmuur on freenode.

On a side note, last week I released Vuurmuur 0.8 beta 2, exactly 6 months after beta 1. I’ll try to do the next release a little sooner!

Vuurmuur 0.7 is out

Victor Julien — Sat, 04 Apr 2009 08:04:25 +0000

A new version of Vuurmuur is out: 0.7. This release mainly fixes bugs and build issues. Translations are generated and installed again, lots of traffic shaping fixes were made.

Support for pmtu MSS clamping was added, as was support for NAT source port randomization.

See http://www.vuurmuur.org/trac/wiki/Changelog for all changes.

Debs for Debian and Ubuntu are available, see
http://www.vuurmuur.org/trac/wiki/InstallationDebian

The source installer and Autopackage are on the ftp server:
ftp://ftp.vuurmuur.org/releases/0.7/

Looking forward, I’m planning on improving the services handling in 0.8. Especially supporting all protocols from /etc/protocols, instead of just a small list of hardcodes ones. Check http://www.vuurmuur.org/trac/milestone/0.8 to monitor the plans and progress on the 0.8 release. Suggestions & help are welcome!

Update November 3rd: RPMS are available as well: ftp://ftp.vuurmuur.org/releases/0.7/contrib/

Vuurmuur 0.7 getting close

Victor Julien — Tue, 31 Mar 2009 15:42:35 +0000

The next stable version of Vuurmuur, 0.7, is getting close. Last week I released release candidate 3. If you’re a Vuurmuur user, please try 0.7rc3 and report back to me on how it works! For a list of changes, please see the closed tickets. Thanks!

Checking out SourceForge’s Marketplace

Victor Julien — Tue, 06 Jan 2009 14:26:31 +0000

I’ve registered myself as a seller of services on SourceForge’s Open Source Marketplace. I’ve done so offering software development services for the Snort, Snort_inline and Vuurmuur projects. I was wondering if anyone has any experience (good or bad) with the Marketplace system, either as a buyer or seller of services. Let me know!

Vuurmuur makes it into Debian (Sid)

Victor Julien — Tue, 09 Dec 2008 14:08:57 +0000

Thanks to the hard work of Debian’s Daniel Baumann Vuurmuur has been included in Debian unstable/Sid. This hopefully means that Vuurmuur will be getting a lot more users. Eventually it should get into testing and even stable, although the next release “lenny” will come too soon for that. The “lenny” feature freeze was already in place before Vuurmuur got included in Sid. Anyway, for me this is big news!

See here for the packages:
http://packages.debian.org/sid/libvuurmuur0
http://packages.debian.org/sid/vuurmuur
http://packages.debian.org/sid/vuurmuur-conf

Big thanks to Daniel Bauman!

New Vuurmuur version numbering scheme

Victor Julien — Mon, 22 Sep 2008 15:15:12 +0000

Today I’ve changed the versioning scheme for Vuurmuur. I was unhappy with the scheme for quite some time already. Versions like 0.5.73 are not making much sense in my view. Originally, my intention was to have a scheme like the linux kernel at the time had. Even versions for stable releases, odd versions for unstable/development releases. The idea was that the 0.5.x development series would some day become a 0.6 stable, after which the 0.7 development series would begin. Of course, that never happened. Instead, I added the alpha releases that became the real development releases and the 0.5.x effectively became the stable releases. So we ended up with releases like 0.5.74 alpha 6. In my opinion quite confusing.

The new scheme is a lot simpler. There will be a two digit version number with optionally a suffix for development releases. The next stable release will be 0.6. In the path to it, there will be 0.6betaX releases and 0.6rcX releases. After the 0.6 release the next will be 0.7 and so on. After 0.9 the next is 1.0, so no more .74 releases

I’ve released 0.6rc1 today, and expect 0.6 stable to be out shortly.

Support for source port randomization in Vuurmuur

Victor Julien — Fri, 25 Jul 2008 21:50:59 +0000

One of the workarounds for the current DNS problems is that servers introduce source port randomization. So it’s time for you to patch your DNS server so it uses random source ports. If for some reason you are unable to do that, iptables can help. Michael Rash has a good write up of how that works here.

In Vuurmuur there is now a per rule option, that can be enabled for the SNAT, MASQ, PORTFW, DNAT and BOUNCE actions, called ‘random’. This passes the ‘–random’ option to the iptables rules Vuurmuur creates. Note that you need a recent distro for this. Debian Etch is too old, Ubuntu Hardy is fine. The new functionality is just released in Vuurmuur 0.5.74 alpha 6. Check it out!

*UPDATE 29/07/08* it turns out iptables/netfilter does not undo existing randomization so removed the text suggesting that.