5 Open Source Firewalls You Should Know About
Despite the fact that pfSense and m0n0wall appear to receive the lion’s share of consideration in the open source firewall/router market, with pfSense edging out m0n0wall in recent years, there are several excellent firewall/router distributions obtainable under both Linux and BSD. All of these projects build on their respective OSes native firewalls. Linux, for instance, incorporates netfilter and iptables into its kernel. OpenBSD, on the other hand, uses PF (Packet Filter), which replaced IPFilter as FreeBSD’s default firewall in 2001. The following is a (non-exhaustive) list of a few of the firewall/router distributions available for Linux and BSD, along with some of their capabilities.
The Smoothwall Open Source Project was set up in 2000 in order to develop and maintain Smoothwall Express – a free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface. SmoothWall Server Edition was the initial product from SmoothWall Ltd., launched on 11-11-2001. It was essentially SmoothWall GPL 0.9.9 with support provided from the company. SmoothWall Corporate Server 1.0 was released on 12-17-2001, a closed source fork of SmoothWall GPL 0.9.9SE. Corporate Server included additional features such as SCSI support, along with the capability to increase functionality by way of add-on modules. These modules included SmoothGuard (content filtering proxy), SmoothZone (multiple DMZ) and SmoothTunnel (advanced VPN features). Further modules released over time included modules for traffic shaping, anti-virus and anti-spam.
A variation of Corporate Server called SmoothWall Corporate Guardian was released, integrating a fork of DansGuardian known as SmoothGuardian. School Guardian was created as a variant of Corporate Guardian, adding Active Directory/LDAP authentication support and firewall features in a package designed especially for use in schools. December 2003 saw the release of smoothwall Express 2.0 and an array of comprehensive written documentation. The alpha version of Express 3 was released in September 2005.
Smoothwall is designed to run effectively on older, cheaper hardware; it will operate on any Pentium class CPU and above, with a recommended minimum of 128 MB RAM. Additionally there is a 64-bit build for Core 2 systems. Here is a list of features:
- Supports LAN, DMZ, and Wireless networks, plus external
- External connectivity via: Static Ethernet, DHCP Ethernet, PPPoE, PPPoA using various USB and PCI DSL modems
- Port forwards, DMZ pin-holes
- Outbound filtering
- Timed access
- Simple to use Quality-of-Service (QoS)
- Traffic stats, including per interface and per IP totals for weeks and months
- IDS via automatically updated Snort rules
- UPnP support
- List of bad IP addressed to block
- Web proxy for accelerated browsing
- POP3 e-mail proxy with Anti-Virus
- IM proxy with real time log-viewing
- Responsive web interface using AJAX techniques to provide real time information
- Real time traffic graphs
- All rules have an optional Comment field for ease of use
- Log viewers for all major sub-systems and firewall activity
- Backup config
- Easy single-click application of all pending updates
- Shutdown and reboot for UI
- Time Service for network
- Develop Smoothwall yourself using the self-hosting “Devel” builds
A stateful firewall created on the Linux netfilter framework that was originally a fork of the SmoothWall Linux firewall, IPCop is a Linux distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware. Version 1.4.0 was introduced in 2004, based on the LFS distribution and a 2.4 kernel, and the current stable branch is 2.0.X, released in 2011. IPCop v. 2.0 incorporates some significant improvements over 1.4, including the following:
- Based on Linux kernel 2.6.32
- New hardware support, including Cobalt, SPARC and PPC platforms
- New installer, which allows you to install to flash or hard drives, and to choose interface cards and assign them to particular networks
- Access to all web interface pages is now password protected
- A new user interface, including a new scheduler page, more pages on the Status Menu, an updated proxy page, a simplified DHCP server page, and an overhauled firewall menu
- The inclusion of OpenVPN support for virtual private networks, as a substitute for IPsec
IPCop v. 2.1 includes bugfixes and a number of additional improvements, including being using the Linux kernel 3.0.41 and URL filter service. Additionally, there are many add-ons obtainable, such as advanced QoS (traffic shaping), e-mail virus checking, traffic overview, extended interfaces for controlling the proxy, and many more.
IPFire is a free Linux distribution which can act as a router and firewall, and can be maintained via a web interface. The distribution offers selected sever daemons and can easily be expanded to a SOHO server. It offers corporate-level network protection and focuses on security, stability and ease of use. A variety off add-ons can be installed to add more features to the base system.
IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter. During the installation of IPFire, the network is configured into separate segments. This segmented security scheme means there is a place for each machine in the network. Each segment represents a group of computers that share a common security level. “Green” represents a safe area. This is where all regular clients will reside, and is usually comprised of a wired local network. Clients on Green can access all other network segments without restriction. “Red” indicates danger or the connection to the Internet. Nothing from Red is permitted to pass through the firewall unless specifically configured by the administrator. “Blue” represents the wireless part of the local network. Since the wireless network has the potential for abuse, it is uniquely identified and specific rules govern clients on it. Clients on this network segment must be explicitly allowed before they may access the network. “Orange” represents the demilitarized zone (DMZ). Any servers which are publicly accessible are separated from the rest of the network here to limit security breaches. Additionally, the firewall can be used to control outbound internet access from any segment. This feature gives the network administrator complete control over how their network is configured and secured.
One of the unique features of IPFire is the degree to which it incorporates intrusion detection and intrusion prevention. IPFire incorporates Snort, the free Network Intrusion Detection System (NIDS), which analyzes network traffic. If something abnormal happens, it will log the event. IPFire allows you to see these events in the web interface. For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.
IPFIre brings many front-end drivers for high-performance virtualization and can be run on several virtualization platforms, including KVM, VMware, Xen and others. However, there is always the possibility that the VM container security can be bypassed in some way and a hacker can gain access beyond the VPN. Therefore, it is not suggested to use IPFire as a virtual machine in a production-level environment.
In addition to these features, IPFire incorporates all the functions you expect to see in a firewall/router, including a stateful firewall, a web proxy, support for virtual private networks (VPNs) using IPSec and OpenVPN, and traffic shaping.
Since IPFire is based on a recent version of the Linux kernel, it supports much of the latest hardware such as 10 Gbit network cards and a variety of wireless hardware out of the box. Minimum system requirements are:
- Intel Pentium I (i586)
- 128 MB RAM
- 2 GB hard drive space
Some add-ons have extra requirements to perform smoothly. On a system that fits the hardware requirements, IPFire is able to serve hundreds of clients simultaneously.
Shorewall is an open source firewall tool for Linux. Unlike the other firewall/routers mentioned in this article, Shorewall does not have a graphical user interface. Instead, Shorewall is configured through a group of plain-text configuration files, although a Webmin module is available separately.
Since Shorewall is essentially a frontend to netfilter and iptables, usual firewall functionality is available. It is able to do Network Address Translation (NAT), port forwarding, logging, routing, traffic shaping and virtual interfaces. With Shorewall, it is easy to set up different zones, each with different rules, making it easy to have, for example, relaxed rules on the company intranet while clamping down on traffic coming for the Internet.
While Shorewall once used a shell-based compiler frontend, since version 4, it also uses a Perl-based frontend. IPv6 address support started with version 4.4.3. THe most recent stable version is 4.5.18.
pfSense is an open source firewall/router distribution based on FreeBSD as a fork on the m0n0wall project. It is a stateful firewall that incorporates much of the functionality of m0n0wall, such as NAT/port forwarding, VPNs, traffic shaping and captive portal. It also goes beyond m0n0wall, offering many advanced features, such as load balancing and failover, the capability of only accepting traffic from certain operating systems, easy MAC address spoofing, and VPN using the OpenVPN and L2TP protocols. Unlike m0n0wall, in which the focus is more on embedded use, the focus of pfSense is on full PC installation. Nevertheless, a version is provided targeted for embedded use.