Although pfSense and m0n0wall get the most attention in the open source firewall/router market, with pfSense overtaking m0n0wall in recent years, there are several excellent firewall/router distributions available on both Linux and BSD. All of these projects are built on the native firewalls of their respective operating systems. Linux, for example, builds netfilter and iptables into its kernel. OpenBSD, on the other hand, uses PF (Packet Filter), which replaced IPFilter as FreeBSD’s default firewall in 2001. The following is a (non-exhaustive) list of some of the available firewall/router distributions for Linux and BSD, along with some of their capabilities.

[1] Smoothwall

The Smoothwall Open Source Project was created in 2000 to develop and maintain Smoothwall Express, a free firewall that includes its own security-hardened GNU/Linux operating system and easy-to-use web interface. SmoothWall Server Edition was the initial product of SmoothWall Ltd., released on 11-11-2001. It was essentially SmoothWall GPL 0.9.9 with support provided by the company. SmoothWall Corporate Server 1.0 was released on December 17, 2001, a closed source fork of SmoothWall GPL 0.9.9SE. Corporate Server included additional features, such as SCSI support, along with the ability to increase functionality through add-on modules. These modules included SmoothGuard (content filtering proxy), SmoothZone (multiple DMZs), and SmoothTunnel (advanced VPN features). Other modules released over time included modules for traffic shaping, antivirus, and antispam.

A variation of Corporate Server called SmoothWall Corporate Guardian was released, which integrates a fork of DansGuardian known as SmoothGuardian. School Guardian was created as a variant of Corporate Guardian, adding Active Directory/LDAP authentication support and firewall features in a package designed especially for use in schools. December 2003 saw the release of Smoothwall Express 2.0 together with a complete set of written documentation. The alpha version of Express 3 was released in September 2005.

Smoothwall is designed to run effectively on older, cheaper hardware; it will run on any Pentium-class CPU and higher, with a recommended minimum of 128 MB of RAM. There is also a 64-bit build for Core 2 systems. Here is a list of features:

  • Firewall:
    • Supports LAN, DMZ and wireless networks, as well as external networks
    • External connectivity via static Ethernet, DHCP Ethernet, PPPoE, or PPPoA using various USB and PCI DSL modems
    • Port forwards, DMZ pinholes
    • Outbound filtering
    • Timed access
    • User-friendly Quality of Service (QoS)
    • Traffic statistics, including totals per interface and per IP for weeks and months
    • IDS via automatically updated Snort rules
    • UPnP support
    • List of bad IP addresses to block
  • Proxies:
    • Web proxy for accelerated browsing
    • POP3 email proxy with antivirus
    • Instant messaging proxy with real-time log viewing
  • User interface:
    • Responsive web interface that uses AJAX techniques to provide real-time information
    • Real-time traffic graphs
    • All rules have an optional comment field for ease of use
    • Log viewers for all major subsystems and firewall activity
  • Maintenance:
    • Backup settings
    • Easy one-click application of all pending updates
    • Shutdown and restart from the UI
  • Other:
    • Network time service
    • Develop Smoothwall yourself using self-hosted “Devel” builds

[2] IPCop

IPCop is a Linux distribution that aims to provide an easy-to-manage firewall appliance based on PC hardware. It is a stateful firewall built on the Linux netfilter framework and was originally a fork of the SmoothWall Linux firewall. Version 1.4.0 was introduced in 2004, based on the LFS distribution and a 2.4 kernel; the current stable branch is 2.0.X, released in 2011. IPCop v. 2.0 incorporates some significant improvements over 1.4, including the following:

  • Based on Linux kernel 2.6.32
  • New hardware support, including Cobalt, SPARC, and PPC platforms
  • New installer, which allows you to install to flash or hard drives, and choose interface cards and assign them to particular networks
  • Access to all web interface pages is now password protected
  • A new user interface, including a new developer page, more pages in the status menu, an updated proxy page, a simplified DHCP server page, and a revised firewall menu
  • The inclusion of OpenVPN support for virtual private networks, as a substitute for IPsec

IPCop v. 2.1 includes bug fixes and a number of additional enhancements, including the use of Linux kernel 3.0.41 and the URL filter service. In addition, many plugins are available, such as advanced QoS (traffic shaping), email virus checking, traffic overview, extended interfaces to control proxy, and many more.

[3] IPFire

IPFire is a free Linux distribution that can act as a router and firewall and can be maintained through a web interface. The distro offers a selection of server functions and can easily be expanded into a SOHO server. It offers enterprise-level network protection with a focus on security, stability, and ease of use. A variety of plugins can be installed to add more functionality to the base system.

IPFire employs a Stateful Packet Inspection (SPI) firewall based on netfilter. During IPFire installation, the network is configured into separate segments. This segmented security scheme means that there is a place for every machine on the network. Each segment represents a group of computers that share a common security level. “Green” represents the safe area. This is where all the regular clients reside and is usually understood as the wired local area network. Clients on Green can access all other network segments without restriction. “Red” indicates danger, i.e. the Internet connection. Nothing from the Red network can pass through the firewall unless the administrator specifically configures it. “Blue” represents the wireless part of the local network. Since the wireless network has the potential for abuse, it is identified separately and specific rules govern clients on it. Clients on this network segment must have explicit permission before they can access the network. “Orange” represents the demilitarized zone (DMZ). All publicly accessible servers are separated from the rest of the network here to limit the impact of a security breach. Additionally, the firewall can be used to control outgoing Internet access from any segment. This gives the network administrator complete control over how their network is configured and secured.

One of the distinctive features of IPFire is the degree to which it incorporates intrusion detection and prevention. IPFire includes Snort, the free Network Intrusion Detection System (NIDS), which analyzes network traffic and logs the event when something abnormal happens. IPFire lets you view these events in the web interface. For automatic prevention, IPFire has an optional plugin called Guardian.

IPFire comes with many high-performance virtualization front-end drivers and can run on various virtualization platforms, including KVM, VMware, Xen, and others. However, there is always the possibility that the isolation of the VM container could be circumvented in some way and an attacker could gain access beyond the VM. Therefore, running IPFire as a virtual machine in a production environment is not recommended.

In addition to these features, IPFire incorporates all the features you’d expect to see in a firewall/router, including a stateful firewall, web proxy, support for Virtual Private Networks (VPNs) using IPSec and OpenVPN, and traffic shaping.

Since IPFire is based on a recent version of the Linux kernel, it supports much of the latest hardware, such as 10Gbit network cards and a variety of out-of-the-box wireless hardware. The minimum system requirements are:

  • Intel Pentium I (i586)
  • 128MB RAM
  • 2 GB of hard disk space

Some plugins have additional requirements to work smoothly. On a system that fits the hardware requirements, IPFire can serve hundreds of clients simultaneously.

[4] Shorewall

Shorewall is an open source firewall tool for Linux. Unlike the other firewalls/routers mentioned in this article, Shorewall does not have a graphical user interface. Instead, Shorewall is configured through a set of plain-text configuration files, although a separate Webmin module is available.

Since Shorewall is essentially a front end to netfilter and iptables, the usual firewall functionality is available. It is capable of network address translation (NAT), port forwarding, logging, routing, traffic shaping, and virtual interfaces. With Shorewall, it is easy to set up different zones, each with its own rules, making it simple to have, for example, relaxed rules on the company intranet while restricting traffic from the Internet.
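As an added example (not taken from the Shorewall project's documentation), here is the four-segment scheme described above for IPFire expressed in Shorewall's plain-text configuration files: a trusted wired Green zone, a wireless Blue zone that needs explicit permission, an Orange DMZ that is kept away from the LAN, and the Red Internet side that is dropped by default. Interface names, the 10.0.0.0/8 addressing and the DMZ web server address are assumptions chosen for the illustration.

```text
# /etc/shorewall/zones -- one line per zone (added example; names assumed)
#ZONE   TYPE
fw      firewall
red     ipv4        # Internet
green   ipv4        # wired, trusted LAN
blue    ipv4        # wireless LAN
orange  ipv4        # DMZ

# /etc/shorewall/interfaces -- which NIC belongs to which zone (assumed NICs)
#ZONE   INTERFACE   OPTIONS
red     eth0        dhcp,tcpflags,nosmurfs
green   eth1        tcpflags
blue    eth2        tcpflags
orange  eth3        tcpflags

# /etc/shorewall/policy -- default verdict per zone pair, first match wins
#SOURCE DEST    POLICY  LOG
green   all     ACCEPT              # Green may reach every other segment
fw      all     ACCEPT
red     all     DROP    info        # nothing from Red unless a rule allows it
blue    all     REJECT  info        # wireless needs explicit permission
orange  all     REJECT  info        # DMZ hosts must not initiate into the LAN
all     all     REJECT  info

# /etc/shorewall/rules -- explicit exceptions, checked before the policies
#ACTION SOURCE  DEST                PROTO   DPORT
ACCEPT  blue    red                 tcp     80,443  # wireless clients may browse
ACCEPT  blue    fw                  udp     53      # ...and resolve names via the firewall
DNAT    red     orange:10.0.3.10    tcp     80,443  # publish the DMZ web server (assumed address)
ACCEPT  orange  red                 tcp     80,443  # DMZ may fetch updates

# /etc/shorewall/masq -- hide the internal ranges behind the Red interface
#INTERFACE  SOURCE
eth0        10.0.0.0/8
```

Because rules are evaluated before policies, the DNAT line still admits inbound web traffic even though the Red zone's default verdict is DROP; everything else from Red is logged and discarded.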

While Shorewall originally used a shell-based build system, since version 4 it also offers a Perl-based one. IPv6 address support started with version 4.4.3. The most recent stable version is 4.5.18.

[5] pfSense

pfSense is an open source router/firewall distribution based on FreeBSD that began as a fork of the m0n0wall project. It is a stateful firewall that incorporates much of the functionality of m0n0wall, such as NAT/port forwarding, VPN, traffic shaping, and a captive portal. It also goes beyond m0n0wall by offering many advanced features such as load balancing and failover, the ability to accept traffic only from certain operating systems, easy MAC address spoofing, and VPN using the OpenVPN and L2TP protocols. Unlike m0n0wall, whose focus is more on embedded use, pfSense focuses on full PC installation; however, a version intended for embedded use is also provided.
