UTMFW
UTM Firewall on OpenBSD
UTMFW is a UTM firewall running on OpenBSD. UTMFW is expected to be used on production systems. The UTMFW project provides a Web User Interface (WUI) for monitoring and configuration. You can also use the Android application A4PFFW and the Windows application W4PFFW for monitoring.
UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, and network user authentication. Also note that UTMFW 7.8 comes with OpenBSD 7.8-stable including all updates until November 11th, 2025.
UTMFW supports deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL/TLS encrypted traffic is decrypted by SSLproxy and fed into the UTM services: Web Filter, POP3 Proxy, SMTP Proxy, and Inline IPS (and indirectly into Virus Scanner and Spam Filter through those services). These UTM software packages have been modified to support the mode of operation required by SSLproxy.

You can find a couple of screenshots on the wiki.
Download
UTMFW runs on amd64 and arm64 architectures. So, the UTMFW project releases installation files in iso and img formats for those architectures.
Amd64:
-
- SHA256 checksum: 51806e83742f0d6bf1c7a0c0a959f562d97288b32cffbacc25a9247fa87ddd32
- Tested on VMware
-
- SHA256 checksum: ecfd4aa1a39391d2c703ef19d5bbf79d592278f5ee59f4bb25585e20998589ac
- Tested on bare hardware
Arm64:
-
- SHA256 checksum: 7efc53d84588beadffd39f07dda6811b21050c657eda33876980dd59d641d901
- Tested on UTM for macOS
-
- SHA256 checksum: 314a023f7a764579f0e509a073eb363e36884d0172b68c3878980ec8171d631a
- Tested on Raspberry Pi 4 Model B
Make sure the SHA256 checksums are correct.
Features
UTMFW includes the following software, alongside what is already available on a basic OpenBSD installation:
- SSLproxy: Transparent SSL/TLS proxy for deep SSL inspection
- PFRE: Packet Filter Rule Editor
- E2Guardian: Web filter, anti-virus using ClamAV, blacklists
- Snort: Intrusion detection and inline prevention system, with the latest rules
- SnortIPS: Passive intrusion prevention software
- ClamAV: Virus scanner with periodic virus signature updates
- SpamAssassin: Spam scanner
- P3scan: Anti-virus/anti-spam transparent POP3 proxy
- Smtp-gated: Anti-virus/anti-spam transparent SMTP proxy
- Dante: SOCKS proxy
- IMSpector: IM proxy which supports IRC and others.
- OpenVPN: Virtual private networking
- Symon: System monitoring software
- Pmacct: Network monitoring via graphs
- Collectd: System metrics collection engine
- Dnsmasq: DNS forwarder
- PHP

The web user interface of UTMFW helps you manage your firewall:
- Dashboard displays an overview of system status using graphs and statistics counters. You can click on those graphs and counters to go to their details on the web user interface.
- System, network, and service configuration can be achieved on the web user interface.
- Pf rules are maintained using PFRE.
- Information on hosts, interfaces, pf rules, states, and queues is provided in tabular form.
- System, pf, network, and internal clients can be monitored via graphs.
- Logs can be viewed and downloaded on the web user interface. Compressed log files are supported.
- Statistics collected over logs are displayed in bar charts and top lists. Bar charts and top lists are clickable, so you don't need to touch your keyboard to search anything on the statistics pages. You can view the top lists on pie charts too. Statistics over compressed log files are supported.
- The web user interface provides many help boxes and windows, which can be disabled.
- Man pages of OpenBSD and installed software can be accessed and searched on the web user interface.
- There are two users who can log in to the web user interface. The unprivileged user does not have access rights to configuration pages, and thus cannot interfere with system settings or even change the user password (i.e. you can safely give the unprivileged user's password to your boss).
- The web user interface supports languages other than English: Turkish, Chinese, Dutch, Russian, French, Spanish.
- The web user interface configuration pages are designed such that changes you may have made to the configuration files on the command line (such as comments you might have added) remain intact after you configure a module using the web user interface.
UTMFW uses the same design decisions and implementation as the PFRE project. See its README for details.

How to install
Download the installation iso or img file for your platform and follow the instructions in the installation guide available in the file. Below are the same instructions.
You can also find the output of a sample installation on the wiki.
Installation Guide
UTMFW installation is very intuitive and easy: just follow the instructions on the screen and answer the questions asked. You are advised to accept the default answers to all the questions. In fact, the installation can be completed by accepting default answers all the way from the first question until the last. The only exceptions are network configuration, password setup, and installation disk selection.
The auto allocator will provide a partition layout recommended for your disk. The suggested partitioning should be suitable for most installations, so simply accept it. Do not delete or modify the msdos partition (for arm64 installation).
Make sure you configure two network interfaces. You will be asked to choose internal and external interfaces later on. You can configure the internal wifi interface in Host AP mode.
All of the install sets and software packages are selected by default, so simply accept the selections.
While installing using the img file, when the installation script asks for the location of the install sets or the packages, choose the disk option, answer that the disk partition is not mounted yet, and then select the device name for the installation disk (usually sd0 or sd1, but type ? to see device info first). The default path the script offers for install sets and packages is the same as the path in the img file, so you just hit Enter at that point.
If the installation script finds an already existing file which needs to be updated, it saves the old file as filename.orig.
Installation logs can be found under the /root directory.
You can access the web administration interface using the IP address of the system's internal interface you selected during installation. You can log in to the system over ssh from the internal network.
Web interface user names are admin and user. Network user is utmfw. All are set to the same password you provide during installation.
References:
- INSTALL.amd64 and INSTALL.arm64 in the installation files.
- Supported hardware for amd64 and supported hardware for arm64.
- OpenBSD installation guide.
Installation Tips
A few notes about UTMFW installation:
- Thanks to a modified auto-partitioner of OpenBSD, the disk can be partitioned with a recommended layout for UTMFW, so most users don't need to use the label editor at all.
- All install sets including siteXY.tgz are selected by default, so you cannot 'not' install UTMFW by mistake.
- OpenBSD installation questions are modified according to the needs of UTMFW. For example, X11 related questions are never asked.
- Make sure you have at least 2GB RAM, ideally 4GB if you enable MFS.
- A 16GB disk should be enough.
- If you install on an SD card, make sure it is fast enough. If you install on a slow disk, but you have enough RAM, you can enable memory-based file system (MFS), which is the default.
- If the system fails to boot after installation, try the following while partitioning the disk:
  - Choose GPT, not Whole or OpenBSD. For example, this may happen on amd64 bare hardware with a USB disk.
  - Reinit the disk to update its MBR. For example, this may happen on Raspberry Pi 4 with a USB disk previously partitioned with GPT.
- After installation:
  - When you first try to log in to the WUI, ignore the certificate warning issued by your web browser and proceed to the WUI.
  - Download the ca.crt from the SSLproxy Config page on the WUI, and install it on your web browser or other client application as a trusted CA certificate. You can install the ca.crt in the trust store on Android phones, but Android applications may not use that trust store. So you may need to use Pass filter rules of SSLproxy to pass through connections from such applications.
  - Make sure the date and time of the system are correct during both installation and normal operation, and select the correct timezone during installation. Otherwise:
    - The "Not Valid Before" date of the CA
