OpenBSD Journal

ComixWall ISG 4.1b released

Contributed by merdely on from the last-comix-standing dept.

Soner Tari writes about his Internet Security Gateway (ISG) project:

The first public release of ComixWall ISG 4.1b is ready for download.

ComixWall is developed on OpenBSD using ports/packages and other software, and uses only free/open source software licensed under either BSD or GPL. ComixWall is freely available for all. The project goal is to have all the advanced features of many commercial and closed-source (some half open source) ISGs. This is a very serious undertaking, because most of the free and open source firewalls available on the Internet fail to support many of the features available on those commercial and closed-source ISGs.

Soner continues:

I have been working on this project for more than a year now. To achieve its current feature set, I had to port a couple of extra pieces of software too:

  • smtp-gated (which I have submitted to ports@, but I see it is not committed yet),
  • p3scan (v2.3.2),
  • dansguardian (which has been added to the ports tree very recently),
  • pmacct,
  • and fix a bug in snort on amd64.

Perhaps the most important part of ComixWall is its user-friendly web administration and monitoring interface. Here are a couple of its features:

  • Basic settings like system hostname, interface IPs, gateway, hosts file, etc. can be configured via the web interface.
  • pfw is integrated into the web interface so that pf rules can be managed very easily.
  • The pf module has a simple AfterHours and privileged/restricted IPs setting, which can be configured using the web interface.
  • symon is the tool used for creating most of the monitoring graphics: CPU load/temperature/fan speed, PF and process graphs, etc.
  • Host network usage and protocol usage graphics are based on the pmacct package.
  • Most modules have logs and live logs pages, where users can view and search system and process logs, even the compressed archives!
  • IM proxy can log all of the text messages interchanged.
  • Log files can be downloaded via the web interface.
  • Most modules have statistics and live statistics pages too, where statistics are presented as top lists and bar charts.
  • Most of the modules' configuration can be done without going into the command line. Some advanced settings can be achieved using the web interface too.
  • There are two users who can log in to the web interface: admin and user. Admin can access all of the pages, while user does not have access rights to configuration pages, thus cannot interfere with system settings, cannot even change the user password (i.e. you can safely give the user password to your boss).
  • OpenBSD man pages can be accessed and searched via the web interface.
  • Doxygen documentation of the web interface itself can be viewed on the web interface too (Doxygen has partial PHP support and no shell script support, so take it as it is).
  • It is written in PHP and uses gettext. So the web interface can be translated into other languages very easily (current release has partial Turkish support for example, I am working on finalizing the translation soon).

The todo list of the project (not to mention, of the web interface, which you can view on the doxygen documentation) is very long. At its current state I don't see too many issues, but you can, if you wish, consider this release as the indication of what is to come in the near future. Every help and suggestion is welcome.

ComixWall 4.1b is available as a torrent download. You can find the torrent file on the project web site. If you are interested in this project and choose to download the CD iso, I would appreciate it if you could seed this torrent.

The following is the description of the torrent file at torrentbox:
Internet Security Gateway developed on OpenBSD, ports/packages, and other open source software. UTM (Unified Threat Management) firewall with packet filter, web filter, anti-virus, anti-spam, misc proxies, and much more. Released under BSD license. Free for all to download and use.

Main services are provided by the following open source projects/software:

  • Firewall functions provided by OpenBSD pf, a powerful and flexible packet filter
  • DansGuardian: content and virus scanning web filter with default domain/url lists
  • Snort: IDS and periodic rule updates by oinkmaster
  • ClamAV: anti-virus daemon with periodic signature updates by freshclam
  • SpamAssassin: content scanning anti-spam daemon
  • IMSpector: IM proxy which supports MSN, IRC, Yahoo, etc.
  • P3scan: POP3 anti-virus/anti-spam proxy
  • smtp-gated: SMTP anti-virus/anti-spam proxy
  • OpenSSH: de-facto standard secure shell
  • OpenBSD spamd: spam deferral daemon
  • Dante: SOCKS proxy
  • Squid: HTTP proxy
  • Apache Web Server (OpenBSD httpd)
  • OpenBSD ftp-proxy
  • DNS server
  • DHCP server

Thanks to this FOSS software and its easy-to-use and mature administration and monitoring web interface, ComixWall ISG can compete with many commercial UTM firewalls in the market. Yet, ComixWall ISG is the only open source UTM firewall running on OpenBSD, the most secure operating system in the world, which is freely available for the public to use and reuse.

Various versions of ComixWall have been running on production systems for more than a year now. So it is quite stable. This is the first public release of ComixWall. Please visit the ComixWall website for further details, documentation, and the screenshots of its user-friendly web administration interface.



Comments
  1. By Anonymous Coward (219.90.147.22) on

    amd64 only?

    Comments
    1. By Soner Tari (81.215.105.114) soner@comixwall.org on http://comixwall.org

      > amd64 only?

      A partial answer to your question is in the "Features and Project Status" article on the project web site, which you've probably already read.

      Also, I did not have enough resources (time, energy, hardware, etc.) to develop on other platforms. Hopefully, others who find it worthwhile can help me out there.

      To be exact, last year I had both i386 and amd64 versions, but I was simply not able to cope with the work load, and dropped i386 altogether.


      Comments
      1. By mike (83.31.204.26) on

        > To be exact, last year I had both i386 and amd64 versions, but I was simply not able to cope with the work load, and dropped i386 altogether.

        Am not the OP but fair enough, are there any major issues with an i386 version? I think it would be a perfect drop-in replacement for things like m0n0/pfsense.

        Anyway, seems a fine piece of work.

        a few questions:

        - what's the disk space used once installed?

        - since you've been running it for some time, have you encountered issues with doing packet filtering/AV scanning/spam filtering on the same host? Conceptually, I've always thought it's a good way to DOS a box ;)

        Comments
        1. By Anonymous Coward (81.215.105.114) on

          > are there any major issues with an i386 version?

          Yes, it does not exist :). Joking aside, I stopped working on the i386 version in November 2006, if I recall correctly. But there was still one production system running it very recently. It had an awful web interface and was running on OpenBSD 3.9. Nothing to compare with the current version.

          > I think it would be a perfect drop-in replacement for things like m0n0/pfsense.

          Actually, in March 2006 I was toying with pfSense, and there were discussions on their maillist about switching to OpenBSD as the host OS, but it never happened. Hence my decision to start the ComixWall project.

          > - what's the disk space used once installed?

          As mentioned in the Quick Installation Guide, 724MB at first boot.

          > - since you've been running it for some time, have you encountered issues with doing packet filtering/AV scanning/spam filtering on the same host? Conceptually, I've always thought it's a good way to DOS a box ;)

          In my experience, a computer with an AMD Sempron 64-bit and 1GB RAM can handle an office with 1-10 PCs and regular needs (i.e. web/smtp/pop3/im connections). Hardware specs should go up as the number of client PCs increases. So you are right, one needs to choose the hardware carefully according to the needs of the office.

          However, unless many processes are turned off, I don't think one could run ComixWall on, say, a Soekris box. That's why I chose to use COTS 64-bit hardware (which is very cheap these days).

  2. By Anonymous Coward (204.80.187.5) on

    out of curiosity, why didn't you drop the amd64 version instead of the i386 version? there are plenty of i386 machines that could run it, and the amd64 machines would work fine with it too.
