Wish list....

TonO
Posts: 25
Joined: Fri Dec 26, 2014 9:45 am

Wish list....

Post by TonO » Tue Dec 30, 2014 4:59 pm

I would love to see a button to bring all windows of the Murus Logs Visualizer (VERY GOOD application!) to the front.
Even better would be to have the windows "always on top".
While debugging, these windows add significant value when easily reachable; currently they are getting delved under other windows.

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Wish list....

Post by hany » Sun Jan 04, 2015 2:33 pm

Thank you TonO.
My two cents about Logs Visualizer: it may initially appear like a simple Murus add-on, but in my opinion it is probably the most important tool for PF. More than Murus. This is the reason why we decided to make Logs Visualizer a standalone app that can also be used by experienced administrators who do not need Murus (or any other frontend) to configure their PF firewalls.
Let's face the truth: you can use the shell terminal and create a PF configuration by hand, without the help of Murus. Yes, it's hard, it's somewhat difficult to remember rule syntax, and it's a time-consuming task if you don't configure PF firewalls every day. And it's also hard to manage over time. Murus helps a lot and speeds up the process of learning PF, but the truth is that you can configure PF without the help of Murus. It's harder to manage text files without graphical visualization, but you can achieve the same exact PF behavior using the shell terminal. What you can't do with the shell terminal is achieve the same result you get with Logs Visualizer. Yes, you can watch and search logs with Console.app or by reading the log file, but you know better than me, that's a pain. Logs Visualizer features cannot be reproduced using the shell terminal. The information provided by Logs Visualizer is the reason why Murus exists. So, despite being a companion app, Logs Visualizer is actually the center of the Murus ecosystem; it is the place where the user sees PF in action and where he/she understands what PF does and why.

So, we will put our best efforts to improve it. We are aware that there are a lot of limitations and that the user interface can be improved.
Both pieces of your advice have been recorded and are at the top of our Murus Logs Visualizer TO-DO list :)

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Wish list....

Post by megumi » Tue Jan 13, 2015 11:40 am

I would like to request an additional feature.

When I used to use Ice Floor, there was a feature to incorporate (and regularly update) the block list (?) from Emerging Threats website. Can Murus have something similar?

By manually visiting the site, I saw the file http://rules.emergingthreats.net/fwrule ... -ALL.rules. I downloaded the rules-file, created a new group called 'Emerging_Threats', importing the IP addresses from the rules-file into it, and added the group to the black list. I hope this will block both inbound and outbound traffic to/from the IP addresses known to be dangerous.

I wish Murus can have a feature to let me do this more easily. In particular, I think it will be wonderful if Murus can have a small component that runs in the background all the time to keep the black list updated by checking the EmergingThreats site daily.

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Wish list....

Post by hany » Tue Jan 13, 2015 3:16 pm

megumi wrote:
> I would like to request an additional feature.
>
> When I used to use Ice Floor, there was a feature to incorporate (and regularly update) the block list (?) from Emerging Threats website. Can Murus have something similar?

We will add this feature in the next major release.

megumi wrote:
> By manually visiting the site, I saw the file http://rules.emergingthreats.net/fwrule ... -ALL.rules. I downloaded the rules-file, created a new group called 'Emerging_Threats', importing the IP addresses from the rules-file into it, and added the group to the black list. I hope this will block both inbound and outbound traffic to/from the IP addresses known to be dangerous.

Yes, this is exactly what it does. And you did it absolutely in the right way. Traffic from/to emergingthreats addresses will be blocked. The block is provided by a PF rule using the "quick" option, so this block cannot be overridden by forthcoming PF rules. These addresses are definitely blocked.

megumi wrote:
> I wish Murus can have a feature to let me do this more easily. In particular, I think it will be wonderful if Murus can have a small component that runs in the background all the time to keep the black list updated by checking the EmergingThreats site daily.

I agree with you. The interface will be a simple checkbox button like "Block Emerging Threats" with the option to set the time between each autoupdate. Like IceFloor.
Later I will try to find the time to code a script, so you can enable the emergingthreats autoupdate right now, using Murus 1.0.1.

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Wish list....

Post by megumi » Wed Jan 14, 2015 9:10 am

Thank you, hany!

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Wish list....

Post by hany » Sun Jan 18, 2015 12:39 am

megumi,

here it is: Murus Automated Operations Script 1.0... :)
It is a bash script that adds some features to Murus 1.0.2:

- Download and automatically update emerging_threats every 20 minutes
- Reset port knocking authorized and blocked IPs every 20 minutes
- Reset brute force blocks every 20 minutes

The ZIP file contains a very important README file. Please follow it strictly. The previous way you used to block emerging threats was wrong, I just realized it today. Please look at the README file for a working solution.
It is really important to say: this is an experimental, unsupported hack for Murus 1.0.2. These features will for sure be added to future releases of Murus. We don't know when :) This is public domain code, so feel free to contribute and share.

http://www.murusfirewall.com/downloads/ ... pt-1.0.zip

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Wish list....

Post by megumi » Sun Jan 18, 2015 10:11 am

Hello hany,

Thank you for this. I downloaded both Murus 1.0.2 and murusautoscript-1.0.zip. I read the README file in the ZIP archive and installed the two files, following your instructions in the README file.

In the file it.murus.bg.plist, I changed the time property from 1200 to 3600. I thought every hour is probably good enough for me, rather than every 20 minutes.

In Murus, I already had a group 'emerging_threats' from my attempt as explained in my post previously, but it was not empty and it was also added to the black list (with red dot on the icon). So, I deleted all IP addresses from the group to make it empty, and I also removed it from the black list. As a result, the icon of the group looks grey (instead of black) and without the red dot.

When adding the custom rule in Murus, instead of doing it manually, I used the provided GUI. Under 'Options', I ticked 'log' as well as 'quick'. In the configuration window, the rule appeared as:
[red down triangle] ! [person icon] block in log quick proto {tcp, udp} from <emerging_threats> to any

I hope what I did is ok. I haven't seen any inbound block incidences in the Murus Logs Visualizer yet, and I hope I will never see any. But it looks like everything is working ok to me.

I opened your shell script file to take a look at the code. I would gladly contribute and share if I could, but, alas, with my current knowledge, the code was mostly beyond me. I am just grateful that you made this so quickly.

For the sake of my family members, I look forward to a future version of Murus which will incorporate these extra security features without having to do these manual installations/configurations, because they would not be very comfortable in following these manual steps.

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: Wish list....

Post by hany » Sun Jan 18, 2015 4:51 pm

Hi megumi,

[red down triangle] ! [person icon] block in log quick proto {tcp, udp} from <emerging_threats> to any

This rule is correct, and your overall procedure seems to be correct. The "emerging_threats" group will stay with a grey icon, and if you look at its content with Murus it will look empty. The corresponding pf table <emerging_threats> will be filled with IP addresses from the Emerging Threats web site. You can check it using Murus PF Browser: click the house button, then look at the right column, select "emerging_threats" and click the button to see the content. Please note that a bug prevents the scroll bar from showing up on this popover view, but you can use your mouse wheel to scroll the IP list. Another way to display the emerging_threats pf table IP list is to use the shell terminal and issue the shell command:
sudo pfctl -t emerging_threats -Ts

Again, please note the difference between the "emerging_threats" Murus group and the "emerging_threats" pf table. They are different:
The Murus group is empty and will be empty forever.

Please note also that the pf table will be updated every 20 minutes by the script you just installed. If your Mac does not find an Internet connection at boot (or if the Emerging Threats web site is down) the emerging_threats pf table will be empty. The script will try to load it following its time schedule.

Idea:
megumi, you can probably further enhance your protection level by adding a second custom rule.
In fact, the only rule you have added blocks inbound traffic from dangerous IP addresses to your IP.
The second rule you may want to add is a rule to block outbound traffic from your Mac to dangerous IP addresses.
The rule may appear in the Expanded Configuration window like this:

[red up triangle] ! [person icon] block out log quick proto {tcp, udp} from any to <emerging_threats>


We will for sure add these features in Murus. Everything will be automated, and all options will be available with sliders and buttons. The installation process will be completely transparent to the user.
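
An added example, not the murusautoscript code (which is not shown in this thread): one way to refresh the <emerging_threats> pf table from an already downloaded block list so that a failed or truncated download keeps the previous table instead of leaving it empty. The feed format (one IPv4 address or CIDR per line, `#` comments), the `MIN_ENTRIES` floor and the /8 prefix limit are assumptions.

```shell
#!/bin/sh
# Added example. Assumes the downloaded feed is plain text: one IPv4 address
# or CIDR block per line, with '#' starting a comment.

TABLE="emerging_threats"   # pf table name used in the thread
MIN_ENTRIES=3              # hypothetical sanity floor; raise it for a real feed

# Print only well-formed IPv4 addresses / CIDR blocks from the file in $1,
# dropping comments, blank lines, duplicates and anything else.
clean_feed() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            ok = ($1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255)
            # Refuse prefixes shorter than /8 so a bad feed cannot block
            # most of the Internet (for example 0.0.0.0/0).
            if (NF == 5 && ($5 < 8 || $5 > 32)) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# Replace the pf table only if the cleaned feed looks sane; otherwise keep
# the table that is already loaded.
update_table() {
    cleaned=$(mktemp) || return 1
    clean_feed "$1" > "$cleaned"
    count=$(wc -l < "$cleaned" | tr -d ' ')
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        echo "feed has only $count valid entries; keeping old table" >&2
        rm -f "$cleaned"
        return 1
    fi
    # -T replace swaps the table contents in one operation (needs root).
    pfctl -t "$TABLE" -T replace -f "$cleaned"
    status=$?
    rm -f "$cleaned"
    return $status
}

# Usage (as root): sh update_et.sh /path/to/downloaded-feed.txt
if [ $# -eq 1 ]; then update_table "$1"; fi
```

After a successful run, `sudo pfctl -t emerging_threats -Ts` from the post above lists the loaded addresses.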

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Wish list....

Post by megumi » Sun Jan 18, 2015 6:05 pm

Hello hany,

Thanks for your suggestion about adding an outbound rule. I did as you suggested.

I also confirmed in the Murus PF browser that the table <emerging_threats> is populated with lots of IP addresses.

I feel better protected. Thanks again.

megumi
Posts: 37
Joined: Wed Dec 31, 2014 2:31 pm

Re: Wish list....

Post by megumi » Thu Mar 05, 2015 3:40 pm

If anyone reading through this thread is interested in blocking banned URLs from emergingthreats.net, the 'hack' solution 'murusautoscript' is no longer necessary, because Murus 1.1 incorporates the same function as an easily configurable GUI feature through its preferences. If anyone has used the murusautoscript hack with Murus 1.0.2, then undo the setup by removing the plist and script files from the filesystem and also removing the 'emerging_threats' group and inbound/outbound custom rules.
