There are a couple of commercial and open source firewalls available, but none of them run on OpenBSD. OpenBSD is believed by many to be the most secure operating system in the world, and thus would perhaps be the first candidate for an ISG.
Main services running on ComixWall are provided by the following open source projects/software:
- Firewall functions provided by OpenBSD pf
- DansGuardian web filter (anti-virus through ClamAV)
- Snort IDS and periodic rule updates by oinkmaster
- ClamAV and periodic signature updates by freshclam
- SpamAssassin
- OpenBSD spamd: spam deferral daemon
- P3scan: POP3 anti-virus/anti-spam proxy
- smtp-gated: SMTP anti-virus/anti-spam proxy
- Dante: SOCKS proxy
- Squid: HTTP proxy
- Apache Web Server (OpenBSD httpd)
- OpenBSD ftp-proxy
- IMSpector: IM proxy which supports MSN, IRC, Yahoo, etc.
- DNS server
- DHCP server
- OpenSSH
ComixWall can be fully configured on the command line just like any other OpenBSD system, but perhaps the most important part of ComixWall is its user-friendly web administration and monitoring interface. Here are a couple of its features:
- Basic settings like system hostname, interface IPs, gateway, hosts file, etc. can be configured via the web interface.
- pfw is integrated into the web interface so that pf rules can be managed very easily.
- The pf module has simple AfterHours and privileged/restricted IP settings, which can be configured using the web interface.
- symon is the tool used for creating most of the monitoring graphics: CPU load/temperature/fan speed, shared memory and disk usage, PF and process graphs, etc.
- Host network usage and protocol usage graphs are based on the pmacct package.
- Most modules have logs and live logs pages, where users can view and search system and process logs, even the compressed archives!
- IM proxy can log all of the text messages interchanged.
- Log files can be downloaded via the web interface.
- Most modules have statistics and live statistics pages too, where statistics are presented as top lists and bar charts. Statistics can be viewed for the compressed archives too!
- Most module configuration can be done without going to the command line. Some advanced settings can be changed using the web interface too.
- There are two users who can log in to the web interface: admin and user. Admin can access all of the pages, while user does not have access rights to configuration pages, and thus cannot interfere with system settings or even change the user password (i.e. you can safely give the user password to your boss).
- Man pages of OpenBSD and installed software can be accessed and searched via the web interface.
- Doxygen documentation of the web interface itself can be viewed on the web interface too (Doxygen has partial PHP support and no shell script support).
- Web interface is written in PHP and uses gettext, so that the web interface can be translated into other languages very easily (current release has partial Turkish support).
- Web interface configuration pages are designed so that the changes you have made to the configuration files on the command line (such as comments you might have added) stay intact after you configure some module using the web interface.
The installation CD is available as a BitTorrent download. You can find the torrent file under the Downloads section. However, a more user-friendly installation may be needed, and is therefore in the plans.
The System Administration Guide (SAG) for ComixWall 4.1 can be downloaded under the Downloads section too. Besides the SAG, the ComixWall web administration interface contains many info and tips boxes.
Most of today's COTS computers are 64-bit. These systems have important differences from old 32-bit computers, both in terms of performance and features (such as the NX bit). Furthermore, most of the services running on ComixWall mentioned above (such as the web content filter and anti-virus/spam processes) demand both performance and shared memory. After all, running a 32-bit OS and software on 64-bit hardware would be a wasteful use of resources. Therefore, the first public release of ComixWall runs on 64-bit architectures, and thus uses OpenBSD amd64. Future releases will always support amd64.
Since the release of 4.1b, many users have asked for an i386 version too. Even though I believe that ComixWall needs relatively powerful hardware, due to high demand by users, the 4.2 release will have an installation CD ISO for i386 as well.
As of the first week of November 2007, ComixWall 4.1b release has seen around 600 downloads. Other than one or two minor issues which could be worked around very easily, there were no major problems reported by users. After all, ComixWall 3.9 and 4.0 with most of the features above were in production use in at least two locations, since June 2006. Therefore, ComixWall may be considered quite stable and feature-rich.
Some of the very important features can be configured only through the command line. Web interfaces for these features will be added in the next releases. These come bundled with OpenBSD:
There are some missing modules too. These missing features are planned, but unfortunately may not exist in the first releases. Among them are:
- IMAP proxy with Anti-Virus and Anti-Spam support
- Virus scan on FTP proxy
- Virus scan on IM proxy