
5 open source firewalls you should know about

Although pfSense and m0n0wall get most of the attention in the open source firewall/router market, with pfSense having overtaken m0n0wall in recent years, several excellent firewall/router distributions are available on both Linux and BSD. All of these projects build on the native firewall of their respective operating system. Linux, for example, incorporates netfilter and iptables into its kernel. OpenBSD, on the other hand, uses PF (Packet Filter), which replaced IPFilter as FreeBSD’s default firewall in 2001. What follows is a (non-exhaustive) list of firewall/router distributions available for Linux and BSD, along with some of their capabilities.

[1] Smoothwall

The open source Smoothwall Project was created in 2000 to develop and maintain Smoothwall Express, a free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface. SmoothWall Server Edition was the initial product of SmoothWall Ltd., released on 11-11-2001; it was essentially SmoothWall GPL 0.9.9 with support provided by the company. SmoothWall Corporate Server 1.0, a closed source fork of SmoothWall GPL 0.9.9SE, was released on December 17, 2001. Corporate Server included additional features, such as SCSI support, along with the ability to extend functionality through add-on modules. These modules included SmoothGuard (content filtering proxy), SmoothZone (multiple DMZs) and SmoothTunnel (advanced VPN features). Other modules released over time covered traffic shaping, antivirus and antispam.

A variant of Corporate Server called SmoothWall Corporate Guardian was released, integrating a fork of DansGuardian known as SmoothGuardian. School Guardian was created as a variant of Corporate Guardian, adding Active Directory/LDAP authentication support and firewall features in a package designed especially for use in schools. December 2003 saw the release of Smoothwall Express 2.0 together with a body of comprehensive written documentation. The alpha version of Express 3 was released in September 2005.

Smoothwall is designed to run effectively on older, cheaper hardware; it will work on any Pentium class CPU and higher, with a recommended minimum of 128 MB of RAM. Also, there is a 64-bit build for Core 2 systems. Here is a list of features:

  • Firewall:
    • Supports LAN, DMZ and wireless networks, as well as external networks
    • External connectivity via static Ethernet, DHCP Ethernet, PPPoE and PPPoA using various USB and PCI DSL modems
    • Port forwarding and DMZ pinholes
    • Outbound filtering
    • Timed access
    • Easy-to-use Quality of Service (QoS)
    • Traffic statistics, including per-interface and per-IP totals by week and month
    • IDS via automatically updated Snort rules
    • UPnP support
    • List of bad IP addresses to block
  • Proxies:
    • Web proxy for accelerated browsing
    • POP3 email proxy with antivirus
    • Instant messaging proxy with real-time log viewing
  • User interface:
    • Responsive web interface that uses AJAX techniques to provide real-time information
    • Real-time traffic graphs
    • All rules have an optional comment field for ease of use
    • Log viewers for all major subsystems and firewall activity
  • Maintenance:
    • Backup of settings
    • Easy one-click application of all pending updates
    • Shutdown and restart from the UI
  • Other:
    • Time service for the network
    • Develop Smoothwall yourself using self-hosted “Devel” builds

[2] IPCop

IPCop is a Linux distribution that aims to provide an easy-to-manage firewall appliance on PC hardware. It is a stateful firewall built on the Linux netfilter framework and was originally a fork of SmoothWall. Version 1.4.0 was introduced in 2004, based on the LFS distribution and a 2.4 kernel; the current stable branch is 2.0.x, released in 2011. IPCop 2.0 introduces several significant improvements over 1.4, including the following:

  • Based on Linux kernel 2.6.32
  • New hardware support, including Cobalt, SPARC, and PPC platforms
  • New installer, allowing you to install to flash or hard drives, and choose interface cards and assign them to particular networks
  • Access to all web interface pages is now password protected
  • A new user interface, including a new scheduler page, more pages in the status menu, an updated proxy page, a simplified DHCP server page, and a revised firewall menu
  • The inclusion of OpenVPN support for virtual private networks, as a substitute for IPsec

IPCop 2.1 includes bug fixes and a number of further enhancements, among them Linux kernel 3.0.41 and the URL filter service. Many plugins are also available, such as advanced QoS (traffic shaping), email virus scanning, a traffic overview, extended proxy controls and many more.

[3] IPFire

IPFire is a free Linux distribution that acts as a router and firewall and is maintained through a web interface. It also offers a selection of server services and can easily be extended into a SOHO server. It provides enterprise-level network protection with a focus on security, stability and ease of use, and a variety of plugins can be installed to add features to the base system.

IPFire employs a Stateful Packet Inspection (SPI) firewall based on netfilter. During installation, the network is configured in separate segments. This segmented security scheme means that there is a place for every machine on the network: each segment represents a group of computers that share a common security level. “Green” represents a safe area; this is where all the regular clients reside and it is generally understood as the wired local area network. Clients in Green can access all other segments of the network without restriction. “Red” indicates danger, i.e. the Internet connection; nothing from it can pass through the firewall unless specifically configured by the administrator. “Blue” represents the wireless part of the local network. Since a wireless network has the potential for abuse, it is identified separately and specific rules govern its clients, which must be given explicit permission before they can access the network. “Orange” represents the demilitarized zone (DMZ); all publicly accessible servers are segregated from the rest of the network here to contain security breaches. Additionally, the firewall can be used to control outgoing Internet access from any segment. This gives the network administrator complete control over how the network is configured and secured.
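To make the colour-coded policy concrete, here is an added example (not IPFire's own code) that expresses the four segments as an nftables forward chain with a default drop policy. Interface names, subnets and the list of permitted wireless hosts are assumed placeholders; the script only prints the ruleset, and loading it requires root and `nft -f`.

```shell
#!/bin/sh
# Added example, not IPFire's own code: the green/red/blue/orange segment
# policy described above, rendered as an nftables ruleset.  Interface names
# and the permitted wireless hosts are assumed placeholders.

GREEN_IF=eth0    # trusted wired LAN
BLUE_IF=wlan0    # wireless segment
ORANGE_IF=eth2   # DMZ with public-facing servers
RED_IF=eth1      # Internet uplink

# Wireless clients that were explicitly granted access (assumed addresses).
blue_allowed() {
  printf '%s\n' 192.168.2.10 192.168.2.11
}

# Render the permitted hosts as the comma-separated body of an nftables set.
blue_elements() {
  sep=""
  for host in $(blue_allowed); do
    printf '%s%s' "$sep" "$host"
    sep=", "
  done
}

# Print the complete ruleset.  The chain policy is drop, so any segment pair
# not listed below has no path through the firewall.
zone_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  set blue_permitted {
    type ipv4_addr
    elements = { $(blue_elements) }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # green: trusted, may reach every other segment without restriction
    iifname "$GREEN_IF" accept
    # blue: only explicitly permitted hosts, and only towards the Internet
    iifname "$BLUE_IF" ip saddr @blue_permitted oifname "$RED_IF" accept
    # orange: servers may talk to the Internet but never initiate into green or blue
    iifname "$ORANGE_IF" oifname "$RED_IF" accept
    # red: nothing enters unless the administrator created a port forward
    # (a DNAT rule in a nat table), which marks the connection with ct status dnat
    iifname "$RED_IF" oifname "$ORANGE_IF" ct status dnat accept
  }
}
EOF
}

# Number of "accept" paths the policy opens; useful as a review checklist item.
accept_rule_count() {
  zone_ruleset | grep -c ' accept$'
}

# Usage: sh zones.sh /tmp/zones.nft  then  nft -f /tmp/zones.nft (as root)
if [ -n "${1:-}" ]; then
  zone_ruleset > "$1"
fi
```

The blue set is the interesting part: rather than opening the wireless interface, only the addresses in `blue_permitted` get a forwarding path, which mirrors the "explicit permission" rule the paragraph describes. Port forwards from red are admitted solely on the `ct status dnat` match, so adding a NAT rule is what opens the pinhole.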

One of the unique features of IPFire is the degree to which it incorporates intrusion detection and prevention. IPFire includes Snort, the free Network Intrusion Detection System (NIDS), which analyzes network traffic. If something abnormal happens, it logs the event, and IPFire lets you review these events in the web interface. For automatic prevention, IPFire has an optional plugin called Guardian.

IPFire comes with many front-end drivers for high-performance virtualization and can run on various virtualization platforms, including KVM, VMware, Xen and others. However, there is always the possibility that the security of the VM container could be circumvented somehow and a hacker could gain access beyond the VM. Therefore, running IPFire as a virtual machine in a production environment is not recommended.

In addition to these features, IPFire incorporates all the features you expect to see in a firewall/router, including a stateful firewall, a web proxy, support for virtual private networks (VPNs) using IPSec and OpenVPN, and traffic shaping.

Since IPFire is based on a recent version of the Linux kernel, it supports much of the latest hardware, such as 10 Gbit network cards and a variety of wireless hardware out of the box. The minimum system requirements are:

  • Intel Pentium I (i586)
  • 128 MB RAM
  • 2 GB hard drive space

Some plugins have additional requirements to work smoothly. On a system that matches the hardware requirements, IPFire can serve hundreds of clients simultaneously.

[4] Shorewall

Shorewall is an open source firewall tool for Linux. Unlike the other firewalls/routers mentioned in this article, Shorewall has no graphical user interface. Instead, it is configured through a set of plain text configuration files, although a Webmin module is available separately.

Since Shorewall is essentially a front end to netfilter and iptables, the usual firewall functionality is available: network address translation (NAT), port forwarding, logging, routing, traffic shaping and virtual interfaces. With Shorewall it is easy to set up different zones, each with its own rules, so that, for example, the company intranet gets relaxed rules while traffic coming from the Internet is restricted.

While Shorewall originally used a shell-based compiler, since version 4 it also provides a Perl-based one. IPv6 address support started with version 4.4.3. The latest stable version is 4.5.18.
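To show what "a set of plain text configuration files" looks like in practice, here is an added example (not the Shorewall project's own files) that writes a minimal three-zone configuration (net, loc, dmz) into a staging directory. The relaxed intranet policy and the restrictive Internet policy from the paragraph above are the `loc net ACCEPT` and `net all DROP` lines; interface names and addresses are assumed placeholders, and the staging directory can be checked with `shorewall check <dir>` before it is copied to `/etc/shorewall`.

```shell
#!/bin/sh
# Added example, not from the Shorewall project: a minimal net/loc/dmz
# configuration written to a staging directory for review.  Interface names
# and addresses are assumed placeholders.

write_shorewall_config() {
  dir=$1
  mkdir -p "$dir"

  # zones: the firewall itself plus one zone per network segment
  cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

  # interfaces: which physical interface carries which zone
  cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
EOF

  # policy: relaxed from the intranet, nothing unsolicited from the Internet.
  # Entries are matched in order; the last line is the catch-all.
  cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

  # rules: explicit exceptions to the policies above
  cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE  DEST            PROTO   DPORT
SECTION NEW
Ping(DROP)  net     $FW
ACCEPT      loc     $FW             tcp     22
ACCEPT      dmz     net             tcp     80,443
DNAT        net     dmz:10.0.3.10   tcp     80,443
EOF

  # masq: source-NAT intranet and DMZ traffic leaving on the Internet interface
  cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        10.0.1.0/24,10.0.3.0/24
EOF
}

# List the zones defined in a staging directory (comment and blank lines skipped).
shorewall_zones() {
  awk '!/^#/ && NF { print $1 }' "$1/zones"
}

# Usage: sh stage.sh ./shorewall-staging && shorewall check ./shorewall-staging
if [ -n "${1:-}" ]; then
  write_shorewall_config "$1"
fi
```

Because the dmz zone has no policy line of its own, everything it originates falls through to `all all REJECT`; the two `rules` entries for it (outbound web to net, and the DNAT port forward from net) are therefore the only paths the DMZ servers get, which is the containment property you want from that zone.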

[5] pfSense

pfSense is an open source router/firewall distribution based on FreeBSD and forked from the m0n0wall project. It is a stateful firewall that incorporates much of the functionality of m0n0wall, such as NAT/port forwarding, VPN, traffic shaping and captive portal. It also goes beyond m0n0wall by offering many advanced features, such as load balancing and failover, the ability to accept traffic only from certain operating systems, easy MAC address spoofing, and VPN using the OpenVPN and L2TP protocols. Unlike m0n0wall, whose focus is more on embedded usage, pfSense’s focus is on full PC installation; however, a version intended for embedded use is also provided.
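The PF primitives underneath three of the features just listed (outbound NAT, a port forward, and accepting a service only from clients whose TCP stack fingerprints as a given operating system) are shown in this added example, which is a hand-written pf.conf and not pfSense's own generated configuration. Interface names and addresses are assumed placeholders; the script only prints the file, which `pfctl -nf <file>` can syntax-check on a BSD host.

```shell
#!/bin/sh
# Added example, not pfSense's own configuration: a minimal pf.conf showing
# outbound NAT, a port forward (rdr) and OS-fingerprint based acceptance.
# Interface names and addresses are assumed placeholders.

pf_conf() {
  cat <<'EOF'
ext_if = "em0"
lan_if = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo
scrub in all

# Outbound NAT: LAN clients leave with the WAN address
nat on $ext_if from $lan_net to any -> ($ext_if)
# Port forward: TCP/80 arriving on the WAN address is redirected to the web server
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny inbound and log what is dropped; allow everything outbound
block in log all
pass out quick keep state

# Management: SSH on the WAN side is accepted only from peers whose SYN
# fingerprints as OpenBSD (pf's passive OS detection; a hint, not authentication)
pass in on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port 22 keep state
# The forwarded web traffic still needs a pass rule for the post-rdr destination
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
# LAN clients may reach anything
pass in on $lan_if from $lan_net to any keep state
EOF
}

# Number of inbound pass rules, i.e. the listening surface this file exposes.
pf_inbound_pass_count() {
  pf_conf | grep -c '^pass in '
}

# Usage: sh pf-example.sh /tmp/pf.conf && pfctl -nf /tmp/pf.conf
if [ -n "${1:-}" ]; then
  pf_conf > "$1"
fi
```

Note the comment on the `os` match: passive fingerprinting keys on SYN characteristics that a peer controls, so it is a useful way to reduce noise against a management port, not a substitute for authentication on that port.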
