MurOS [BETA]

MurOS - First deployment in 15 minutes

This guide walks you from a fresh Debian install to a working firewall.

There are two ways to install:

  • Option A (recommended): the MurOS installer ISO. Boot it and walk away. It installs Debian and MurOS unattended, no questions asked. The installed system logs in with root / root by default (a value that types the same on AZERTY and QWERTY, so the first console login is never blocked by a keyboard layout mismatch). Change it right after the first login. Build instructions: packaging/iso/README.md.
  • Option B: install on an existing Debian. Run the one-line installer on a machine you already provisioned. This is the path detailed below; here MurOS keeps your existing root password unchanged.

Prerequisites

  • An x86_64 machine (VM or bare metal):
      • 1 vCPU minimum, 2 vCPU recommended
      • 2 GB RAM minimum, 4 GB recommended
      • 8 GB disk minimum
      • 2 network interfaces: 1 for WAN (Internet/uplink), 1 for LAN (internal network)
  • Debian 13 (trixie) netinst ISO: https://www.debian.org/distrib/netinst
  • Root access via console or SSH

MurOS also works on Ubuntu 22.04+ but the official V1 target is Debian 13.


Step 1: install Debian 13 minimal (10 min)

Boot the netinst, standard install:

  • Locale: your choice
  • Hostname: firewall (or whatever you like)
  • Domain: local or your domain
  • Root user: set a password (you can change it later from the UI)
  • Normal user: you can skip it
  • Partitioning: auto LVM, everything on one partition
  • Software selection: uncheck EVERYTHING except SSH server and standard system utilities. No desktop.

Reboot. Login as root via console or SSH.


Step 2: install MurOS (2 min)

From the firewall, as root:

curl -fsSL https://apt.muros.org/install.sh | sudo bash

At the end of the script you will see something like:

MurOS v0.9.0-rcXX installed.

  UI     : http://192.168.1.10/
  Login  : root  (use the existing root password, unchanged by MurOS)
  Log    : /var/log/muros-install.log

Note the IP and the credentials.


Step 3: first UI connection (1 min)

Open https://<IP>/ in your browser. Accept the self-signed certificate (generated by MurOS, you will replace it with a real one later).

Log in as root with the existing system root password (MurOS does not change it).

Mandatory first action: top-right menu > My account > Change password.


Step 4: configure the network (2 min)

Network > Interfaces menu:

WAN interface

  1. Click on the interface facing the Internet (e.g. eth0 or ens3)
  2. IP mode: static or dhcp depending on your uplink
  3. If static: IP + CIDR mask (e.g. 192.168.1.10/24), gateway, DNS
  4. Description: WAN
  5. Save

LAN interface

  1. Click on the interface facing the internal network (e.g. eth1)
  2. IP mode: static
  3. IP: e.g. 10.0.0.1/24
  4. Description: LAN
  5. Save

Apply

An orange banner appears at the top: "2 unapplied network changes". Click Apply. A confirmation countdown modal opens (60s by default). Check that you still have UI access, then click Confirm.


Step 5: firewall zones and rules (3 min)

Firewall > Zones menu:

  1. Add zone wan: select the WAN interface
  2. Add zone lan: select the LAN interface
  3. Save

Firewall > Filter rules menu. The default ruleset already drops everything in input and forward, so you add the rules that open what you need:

  • forward lan -> wan, action accept (LAN reaches the Internet)
  • input lan -> firewall, tcp ports 22 and 443, action accept (SSH + UI from the LAN)
  • input lan, protocol icmp, action accept (ping the firewall from the LAN)

The WAN zone keeps no rule toward the firewall, so the box stays closed from the Internet.

Click Apply. A confirmation countdown modal opens (60s by default). Confirm once you have verified your SSH/UI still works.


Step 6: NAT for Internet outbound (1 min)

Firewall > NAT menu:

Add a rule:

  • Type: masquerade
  • Egress interface: <your WAN interface>
  • Source: 10.0.0.0/24 (your LAN network)

Save + Apply.

Now the LAN can reach the Internet through the firewall.
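
The rules from Steps 5 and 6 can also be checked from the console. The script below is an added example, not MurOS code: it embeds a constructed nft ruleset matching those steps and checks that every input and forward base chain still defaults to drop. The table and chain names, eth0/eth1 as WAN/LAN, and the established/related rule are assumptions.

```shell
#!/bin/sh
# Added example, not MurOS code. Audits `nft list ruleset` text: every base
# chain hooked on input or forward must carry "policy drop".

# Constructed sample of how the Step 5-6 rules could look in nft syntax.
# Assumed, not taken from MurOS: table/chain names, eth0 = WAN, eth1 = LAN,
# and the ct state rule that lets reply traffic back in.
sample_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" tcp dport { 22, 443 } accept
        iifname "eth1" meta l4proto icmp accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.0.0.0/24 oifname "eth0" masquerade
    }
}
EOF
}

# Reads a ruleset on stdin. Prints "<family> <table>/<chain>" for each
# input/forward base chain that is not policy drop. Exit status is 0 only
# when both hooks are present and neither is open.
open_base_chains() {
  awk '
    $1 == "table" { table = $2 " " $3 }
    $1 == "chain" { chain = $2 }
    $1 == "type" && $3 == "hook" && ($4 == "input" || $4 == "forward") {
      seen[$4] = 1
      if ($0 !~ /policy drop;/) { print table "/" chain; bad = 1 }
    }
    END { if (bad || !seen["input"] || !seen["forward"]) exit 1 }
  '
}

# Demo on the constructed sample.
sample_ruleset | open_base_chains && echo "input and forward default to drop"
```

On the firewall, pipe the live ruleset in with nft list ruleset | open_base_chains. An empty ruleset, as left by nft flush ruleset, fails the check because neither hook is present.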


Step 7: test from a LAN host (1 min)

Plug a PC into the LAN interface, static IP 10.0.0.50/24 gateway 10.0.0.1 DNS 1.1.1.1.

From the PC:

ping 10.0.0.1     # firewall reachable
ping 1.1.1.1      # Internet OK
curl -k https://10.0.0.1/  # UI reachable from LAN (-k: the certificate is still self-signed)

If everything responds, your firewall is running.


Next steps (optional)

  • WireGuard VPN: VPN > WireGuard, generate a server key, add a peer
  • TLS certificate: Administration > HTTP access, upload one or regenerate the self-signed cert with your CN
  • Notifications: Observability > Notifications, configure your SMTP smarthost to receive alerts
  • SNMP: Observability > SNMP, to monitor from LibreNMS/Zabbix
  • HA: Administration > High availability, if you have a 2nd firewall, pair them active/passive
  • Remote backup: System > Backups, push snapshots to an SSH/FTP target

Problem? See the FAQ

docs/faq.md covers the classic traps:

  • UI access blocked after apply
  • SSH does not change port
  • SMTP rejects recipients
  • HA backup fails
  • Conntrack out of sync

And if you find yourself locked out (rollback failure, an overly strict nft rule), the console always keeps root access. One command to reset all rules:

nft flush ruleset
systemctl restart muros-backend

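The UI will be reachable again. nft flush ruleset removes every table, including the default drop on input and forward, so check the active ruleset once you are back in.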