Home

Awesome

UTMFW

UTMFW is a UTM firewall running on OpenBSD. UTMFW is expected to be used on production systems. The UTMFW project provides a Web User Interface (WUI) for monitoring and configuration. You can also use the Android application A4PFFW and the Windows application W4PFFW for monitoring.

UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, and network user authentication. Also note that UTMFW 7.6 comes with OpenBSD 7.6-stable including all updates until October 18th, 2024.

UTMFW supports deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL/TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, POP3 Proxy, SMTP Proxy, and Inline IPS (and indirectly into Virus Scanner and Spam Filter through those UTM software). These UTM software have been modified to support the mode of operation required by SSLproxy.

Dashboard

You can find a couple of screenshots on the wiki.

Download

UTMFW runs on amd64 and arm64 architectures. So, the UTMFW project releases installation files in iso and img formats for those architectures.

Amd64:

Arm64:

Make sure the SHA256 checksums are correct.

Features

UTMFW includes the following software, alongside what is already available on a basic OpenBSD installation:

Console

The web user interface of UTMFW helps you manage your firewall:

UTMFW uses the same design decisions and implementation as the PFRE project. See its README for details.

UI Design

How to install

Download the installation iso or img file for your platform and follow the instructions in the installation guide available in the file. Below are the same instructions.

You can also find the output of a sample installation on the wiki.

Installation Guide

UTMFW installation is very intuitive and easy, just follow the instructions on the screen and answer the questions asked. You are advised to accept the default answers to all the questions. In fact, the installation can be completed by accepting default answers all the way from the first question until the last. The only exceptions are network configuration, password setup, and installation disk selection.

Auto allocator will provide a partition layout recommended for your disk. Suggested partitioning should be suitable for most installations, simply accept it. Do not delete or modify the msdos partition (for arm64 installation).

Make sure you configure two network interfaces. You will be asked to choose internal and external interfaces later on. You can configure the internal wifi interface in Host AP mode.

All of the install sets and software packages are selected by default, simply accept the selections.

While installing using the img file, when the installation script asks the location for the install sets or the packages, you should choose the disk option and that the disk partition is not mounted yet, and then select the device name for the installation disk (usually sd0 or sd1, but type ? to see device info first). The default path for install sets and packages the script offers is the same path as in the img file too, so you just hit Enter at that point.

If the installation script finds an already existing file which needs to be updated, it saves the old file as filename.orig.

Installation logs can be found under the /root directory.

You can access the web administration interface using the IP address of the system's internal interface you have selected during installation. You can log in to the system over ssh from internal network.

Web interface user names are admin and user. Network user is utmfw. All are set to the same password you provide during installation.

References:

  1. INSTALL.amd64 in the installation iso file and INSTALL.arm64 in the installation img file.
  2. Supported hardware for amd64 and supported hardware for arm64.
  3. OpenBSD installation guide.

Installation Tips

A few notes about UTMFW installation:

How to build

The purpose in this section is to build the installation iso or img file using the createiso or createimg script, respectively, at the root of the project source tree. You are expected to be doing these on an OpenBSD 7.6 and have installed git, gettext, and doxygen on it.

Build summary

The create script:

However, the source tree has links to OpenBSD install sets and packages, which should be broken, hence need to be fixed when you first obtain the sources. Make sure you see those broken links now. So, before you can run the create script, you need to do a couple of things:

Note that you can strip down xbase and xfont install sets to reduce the size of the iso and img files. Copy or link them to the appropriate locations under openbsd/utmfw.

Now you can run the createiso or createimg script, which should produce an iso or img file, respectively, in the same folder as itself.

Build steps

The following are steps you can follow to build UTMFW yourself. Some of these steps can be automated by a script. You can modify these steps to suit your needs.