Vuurmuur Development Update

Over the holidays I’ve spent some time refreshing the Vuurmuur code. One major thing that is now done is that the 3 different ‘projects’ (libvuurmuur, vuurmuur and vuurmuur-conf) are now merged into a single ‘project’. This means that a single ‘./configure && make && make install’ now installs everything.

When I originally started Vuurmuur I had much bigger dreams for it than eventually materialized. Also, I didn’t understand autotools very well, so it was easier to keep the project split up. At some point there were even 5 projects!

One very convenient consequence is that development can now be done without system wide installation of the libs. This may sound trivial, but it really speeds things up.

I’ve updated the install script and the debian scripts for this new model as well.

QA

A second point is the use of better QA.

  1. Travis-CI integration. This tests gcc/clang builds for compilation warnings and errors, the install script, debian package generation
  2. Scan-build and cppcheck. Vuurmuur is now clean in scan-build 3.9 and cppcheck 1.77.
  3. Coverity Scan. I’ve registered Vuurmuur with Coverity’s Scan program. Initially there were quite a few issues, although most of them minor. I’ve fixed all of them so now Vuurmuur is clean for Coverity as well.
  4. ASAN/UBSAN: I’m running Vuurmuur with address and undefined behavior sanitizers enabled. Fixed a few issues because of that.

Error handling

One major source of issues with the static checkers was the error handling in vuurmuur_conf. This lead to many completely untested code paths, usually for things like memory allocation failure or other ‘internal’ errors. I’ve simplified that handling enormously, by simply adding a class of ‘fatal’ errors that simply exit vuurmuur_conf in such conditions. This has lead to a smaller and cleaner code base.

User visible changes

Most of the changes are internal, but a few things are user visible.

  1. removal of QUEUE support. ip_queue is long dead and has been replaced with NFQUEUE.
  2. proper sorting of connections in Connection Viewer.
  3. default to black background in vuurmuur_conf

I’m hoping to push out a new release soon(ish). Time contraints will continue to be a big issue though. So if anyone wants to help out, please let me know.

Vuurmuur 0.8rc1 released

I just released a new Vuurmuur version: 0.8rc1. The first release candidate for the 0.8 series. This release improves IPv6 support a lot. The wizard is now also fully functional. Try “vuurmuur_conf –wizard”.

  • Improved IPv6 support: #115
  • Improved Debian packages, switching to nflog as default for logging.
  • Fix connection viewer not showing accounting on newer systems. #141
  • Amd64 packages for Debian and Ubuntu are now available through the apt server. #83
  • Switch from “state” match to “conntrack” match for connection tracking.
  • Services now support possible protocols. #63
  • Add support for rpfilter match. #137

Get this release from the ftp server:
ftp://ftp.vuurmuur.org/releases/0.8rc1/Vuurmuur-0.8rc1.tar.gz

Additionally, amd64 packages for Debian and Ubuntu are now available. See Installation Debian for instructions.

Setting up an IPS with Fedora 17, Suricata and Vuurmuur

I recently found out that Fedora includes Vuurmuur in it’s repositories. Since Suricata is also included, I figured I would do a quick write up on how to setup a Fedora IPS. While writing it turned more into a real “howto”, so I decided to submit it to Howtoforge.

It can be found here one HowtoForge.

Vuurmuur on Fedora is at the 0.7 version, which is still the current stable. It’s rather old though, and it reminds me again I need to make sure the 0.8 branch gets to a stable release soon. The Suricata included in Fedora 17 is 1.2.1, with 1.3.2 expected to land any day now.

The guide sets the user up from base Fedora install to a working IPS, but doesn’t cover any advanced topics such as rule management, event management etc. Still, I hope it’s useful to some, especially those that are intimidated by Vuurmuur’s and Suricata’s initial learning curves.

Looking forward to feedback! 🙂

Vuurmuur 0.8beta4 released

I just released a new Vuurmuur version. The last release was in 2009, so it has been a while.

This release adds basic IPv6 support. The state of the IPv6 support is incomplete, but quite functional.

Supported features are:

– rules generation
– log viewing
– setting IPv6 addresses in hosts, networks and interfaces

Unsupported features are:

– connection viewer
– NAT
– blocklist
– IPv6 address to Vuurmuur name conversion in the log

I’ve been running it myself for a couple of months w/o major issues, so it should be safe to test.

Also new in this release is the support of NFLOG for the traffic log. This means no more cluttering of messages or other system logs. Much of this work has been done by Fred Leeflang.

It’s now also possible to use a “zone” directly in a rule. For Every network in that rule a set of iptables rules will be automatically be created.

Finally, for those that hate the blue background, you can now also set it to black. In vuurmuur_conf, go to “vuurmuur_conf settings” and enable “Use black background”. Restart vuurmuur_conf and you’re set!

Vuurmuur IPv6

The last few years Vuurmuur development has been very slow, not to say pretty much stagnant. This had a couple of reasons. The first is that my attention was drawn to other projects, mostly Suricata these days. The second reason is that Vuurmuur pretty much does all I want. The third reason is that despite some minor contributions, no other developer has stepped up to take over.

Meanwhile, people continued using Vuurmuur, it made it’s way into Debian, got removed from it again, made it’s way into Ubuntu. Lately, every few weeks someone would ask me if Vuurmuur was still being developed. My answer always was “yes, but very slowly”.

I plan to change that. The reason? IPv6. I’ve been using IPv6 on and off over the years, usually through the experimental tunnel service my ISP offered. But a while back my ISP started offering native IPv6 connectivity, which I’m using on a daily basis now. In the feature set Vuurmuur has, IPv6 is the only glaring omission. So, it’s time to address that.

Over the next months my idea is to slowly start adding IPv6 support to Vuurmuur. As I’m already using a simple script the idea is to start with logging support. Then move up from there.

Supporting all current features on IPv6 is going to require a lot of effort. In some cases I’m not even sure we can. But getting at least a basic IPv6 ruleset going should be fairly straightforward. If you’re interested in helping out, please let me know. Any help is greatly appreciated!

Ohloh

Ohloh is a pretty cool site for keeping track of projects and programmers. It’s an easy way to keep track of the development in a project and gives a nice indication of how actively it’s being developed. It has some social networkish features too, such as individual developers giving each other “kudos”.

The code analysis is pretty nice: it gives statistics on code base size, growth, comment ratio, languages used, etc. Per developer it tracks quite a few stats as well.

It also does a estimate of the cost of a project. For the Suricata project it currently estimates cost of 2.1 million USD. Actual cost are significantly less than that, less than half of that. So either we are severely underpaid or the calculation is off quite a bit 🙂

The per developer code statistics show that I’ve “touched” 131k lines of code out of 148k which confirms what I already knew: I need some vacation…

Anyway, check it out. Vuurmuur is on there, as are Snort and ModSecurity.

Oh by the way, Suricata 1.0 coming out tomorrow!