
Are there any updates planned for the last UTM lifecycle?

Or is this thing completely dead?

Nothing much around in the last days.

What's the deal with the IPS hotfix? Issue solved? Anything new?

  • I finally ripped the bandaid off a few weeks ago and moved on to something else.  UTM is a dead horse at this point, barely on life support. It might as well be EOL now.

  • What kind of hotfix are you referring to? 


  • We will continue to produce updates as necessary through to the EOL to address impactful issues and security fixes. We expect to publish at least one more release before the end of this calendar year and more in 2025.

    If you are referring to the IPS issue that a few customers experienced around the release 9.719, that issue is being addressed entirely through pattern updates and does not require a firmware update. Although they are called 'pattern' updates, the IPS patterns also include the Snort engine itself.

  • I'm interested to know what you migrated to and why.

  • I moved to pfSense (after 8 years of UTM). I will miss the global object concept (define an entity once, use it wherever applicable), but *sense is far superior in its firewall configuration and NAT capabilities. There's an INVERT flag available which can apply towards hosts or ports, i.e., define an RFC 1918 IP scope, then use invert scope to limit host access to internet-only targets (not on the local subnet). Firewall rules are organized by interface, in addition to "floating" rules which can apply to multiple interfaces (and thus need to be defined only once).

    For malware and ad blocking I'm using pfBlockerNG with a number of lists. There's also built-in WireGuard support. I had issues with my ISP blocking AdGuard DNS access (dns.adguard.com). Established a WireGuard tunnel to Cloudflare WARP (free); set that as the gateway for any queries coming off the DNS server (AdGuard Home, self-hosted) using port 53/853 UDP. All DNS traffic is now fully encrypted between the DNS server and upstream endpoints. I ran something similar when on UTM, except the WireGuard client ran on the DNS server instead of the firewall.

    I last looked at XG/SFOS last year and its layout, UI and flow still seemed bonkers to me. Hard to move forward with it when the main UI itself is difficult to see with no options for different color schemes/themes. Too locked down for my needs as well. The ISP, AT&T Fiber, uses 802.1X authentication. If one doesn't want to use their provided CPE, 802.1X needs to happen in software using extracted credentials. This worked in UTM using a self-compiled wpa_supplicant, but wasn't worth the effort to even attempt with XG/SFOS. pfSense includes and supports wpa_supplicant along with listening on vlan0 for both wpa_supplicant and dhclient right out of the box, something the ISP uses to handle WAN access and DHCP.

    Both UTM and now pfSense are virtualized under Proxmox. In terms of CPU use, idle is better, under load is worse. This is tolerable given full line-speed internet use is minimal.

    The conversion process is still a work in progress as I focus on various things I need to tweak or adjust. Sometime this month I will tackle HAProxy (WAF equivalent).
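    The "invert scope" idea from the post above, written out as a plain pf ruleset fragment (pfSense generates pf rules under the hood). This is an added illustration, not configuration from the poster or from the pfSense project; the interface macro `lan_if` and the address ranges in the table are assumptions, and on a real pfSense box the same effect is achieved through the GUI's "not" checkbox on the destination rather than by editing pf.conf by hand.

    ```pf
    # Added example: RFC 1918 "invert" rule in raw pf syntax (not the poster's config).
    # lan_if is an assumed interface macro; adjust to the real LAN interface name.
    lan_if = "vtnet1"

    # Constant table of private address space (RFC 1918). Anything NOT in this
    # table is treated as an "internet-only" destination.
    table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    # Default deny on the LAN interface so only explicit passes get through.
    block in log quick on $lan_if from any to <rfc1918>

    # Hosts on the LAN network may reach destinations OUTSIDE the private ranges.
    # The leading "!" is the pf negation; this is the pfSense "invert" flag.
    pass in quick on $lan_if inet proto { tcp udp icmp } \
        from $lan_if:network to ! <rfc1918> keep state
    ```

    The order matters: with `quick`, the first matching rule wins, so the block on private destinations is evaluated before the pass to everything else. Checking the result after loading is as simple as `pfctl -sr` to list the active rules and `pfctl -t rfc1918 -T show` to confirm the table contents.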

  • Ah yes, I remember the wpa_supplicant issue.

    Hope pfSense works out. You no longer will need to use a separate device for pihole or adguard home.

    This will sound weird, but I tried OPNsense and did not care for the interface. I also had no desire to try pfSense because I wanted to use Zenarmor (which is not supported by pfSense), but even that was too limited and expensive.

  • I don't care much for the OPNsense UI either. I find it as difficult to view as XG. It does however support different themes/colors. The UI is reminiscent of the older Tomato firmware for the routers: expanding and collapsing left-margin menus. pf, on the other hand, is more like DD-WRT or the Linksys firmware, top rows with tabs below for different functions.

    It's possible to get Zenarmor installed in pf, but I don't think I will be doing so. Maybe Suricata.