UTM Firewall – Beta

After over three months of hard work, 503 files changed, 11620 insertions, 2538 deletions and 14158 lines changed, we are proud to announce the first beta of UTM firewall modules. Main features are:

• Advanced network configuration (bridges, bonds, alias, ecc)
• Gateway mode (Shorewall)
• Multi WAN support (up to 15)
• Advanced rules
• Firewall objects to ease rules configuration
• Policy routing
• Port forwarding
• Traffic shaping
• Intrusion Prevention (Snort IPS)

The underlying implementation is almost stable and we’ve been used it in production since February. Web interface should work well but it certainly need some love.

Install

To install and test:

yum --enablerepo=nethserver-testing install nethserver-firewall-base nethserver-base nethserver-squid nethserver-nethgui

If you want to try Snort IPS:

yum --enablerepo=nethserver-testing install nethserver-snort

Install it, try it and break it! But then report issues on ML or IRC channel!

Documentation

• Firewall: http://docs.nethserver.org/projects/nethserver-devel/en/latest/gateway.html
• IPS: http://docs.nethserver.org/projects/nethserver-devel/en/latest/ips.html

Known issues

When using multi WAN configuration, the system should configure static routes for link monitoring. If a route disappears, simply execute the following command to restore correct behavior:

signal-event firewall-adjust

Please share with us your experience if you encounter this problem.

What’s next

While testing, we’d like to improve following features before final release:

• update port forward and traffic shaping implementation to support firewall objects
• more explicit firewall rules page with nice colors and icons and integration with hosts defined in DHCP/DNS module
• visual progress tracker for long-running tasks