Jamil Bou Kheir

Founder

October 2025 Devlog

October delivered substantial improvements to Gateway observability, Linux networking stack refinements, and new deployment mechanisms.

Flow Logging Infrastructure

The Gateway now implements comprehensive flow logging, providing detailed visibility into network traffic patterns and client behavior.[1] Each flow record captures client version, device information, identity details, and actor metadata, enabling correlation between network events and user sessions.[2] Resource names and addresses are embedded directly in flow logs, eliminating the need to cross-reference multiple data sources when analyzing traffic.[3] Domain name capture at the flow level provides insight into actual destinations rather than just IP addresses.[4]

Structured JSON log output support enables direct integration with existing log aggregation pipelines and SIEM systems.[5] The default log level for Gateway and headless client has been adjusted to INFO, reducing noise while maintaining operational visibility.[6]

Linux Routing Architecture

A significant architectural change introduces tiered routing tables to address conflicts between link-scoped and Firezone-configured routes.[7] The implementation uses three distinct routing tables with rule-based priorities: Firezone CIDR routes take precedence, followed by synced link-scope routes, with the Internet Resource occupying the lowest priority tier. This approach ensures deterministic routing behavior while maintaining access to local network resources when the Internet Resource is active.
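
A small model of this lookup order, added here as an illustration and not Firezone's own code: the table names, rule priorities, routes and device names are constructed assumptions. It also runs the same routes through one merged table for comparison, where prefix length alone decides.

```python
import ipaddress

# Hypothetical table names and rule priorities (lower number is consulted
# first, as with Linux `ip rule`); the devlog gives only the tier ordering.
RULES = [(100, "firezone_cidr"), (200, "link_scope"), (300, "internet_resource")]

# Constructed sample routes: (destination prefix, output device).
TABLES = {
    "firezone_cidr": [("10.0.0.0/8", "tun-firezone")],
    "link_scope": [("10.1.2.0/24", "eth0"), ("192.168.1.0/24", "wlan0")],
    "internet_resource": [("0.0.0.0/0", "tun-firezone")],
}


def longest_prefix_match(routes, dst):
    """Return (network, device) for the longest prefix containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes
            if addr in ipaddress.ip_network(prefix)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def tiered_lookup(dst, tables=TABLES, rules=RULES):
    """Walk rules by priority; the first table holding a matching route decides."""
    for _priority, name in sorted(rules):
        hit = longest_prefix_match(tables.get(name, []), dst)
        if hit:
            return name, str(hit[0]), hit[1]
    return None


def flat_lookup(dst, tables=TABLES):
    """Same routes merged into a single table: prefix length alone decides."""
    merged = [route for routes in tables.values() for route in routes]
    hit = longest_prefix_match(merged, dst)
    return (str(hit[0]), hit[1]) if hit else None


if __name__ == "__main__":
    for dst in ("10.1.2.5", "192.168.1.7", "203.0.113.9"):
        print(dst, "tiered:", tiered_lookup(dst), "flat:", flat_lookup(dst))
```

In this model, 10.1.2.5 follows the Firezone CIDR route under the tiered lookup even though a more specific link-scope /24 exists, while 192.168.1.7 still leaves through the local interface with the catch-all Internet Resource route present.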

Debian Package Distribution

Native Debian packages now provide a standard deployment path for Gateway installations on Debian and Ubuntu systems.[8] The packaging includes full systemd integration with support for systemd credentials, enabling secure token management without exposing secrets in configuration files.[9]

Apple Network Interface Management

Several fixes address persistent issues with utun interface handling on macOS. The client now properly tears down the utun interface on termination, preventing interface number increments that could eventually exhaust available interfaces.[10] A race condition where setConfiguration calls during disconnected states caused spurious interface creation has been resolved.[11]

CLI Security Enhancements

The command-line interface implements improved secret handling mechanisms, reducing the risk of credential exposure through process listings or shell history.[12]


That wraps up October's developments. The focus on observability and deployment tooling establishes a foundation for more sophisticated monitoring and easier large-scale deployments.

Footnotes

  1. feat(gateway): add flow-logs MVP

  2. feat(gateway): extend flow logs with more client properties

  3. feat(gateway): emit resource name and address in flow logs

  4. feat(gateway): capture domain name of flow

  5. feat(gateway): add option for outputting logs as JSON

  6. feat(gateway,headless-client): set default log level to INFO

  7. fix(linux): introduce tiered routing tables

  8. feat(gateway): create debian package

  9. feat(gateway): support systemd credentials

  10. fix(apple/macos): clean up utun on quit

  11. fix(apple): don't call setConfiguration when not connected

  12. feat(fz-cli): better secret handling
