If you Need a Firewall...

June 2, 2004

This article was contributed by Ladislav Bodnar

The flexibility of Linux and other open source software is clearly demonstrated by projects that use the available software to build specialist distributions. Among them, Linux-based firewalls have attracted much attention from developers. Many of these projects evolved into successful businesses, while others continue as community projects. As a general rule, these firewalls are capable of filtering packets, performing network address translation, and blocking unwanted traffic. Some of them go beyond these basic functions and offer more advanced features, such as secure connections using the IPSec protocol, intrusion detection, and even mail filtering and virus protection. Many of the products offer a Webmin or Webmin-like web-based interface for configuring the firewall over the network. Prices of these products range from free (or free for non-commercial use) to thousands of dollars. Below is a quick tour of what is available on the market today, in alphabetical order. One interesting observation: 9 of the 11 firewall products originate in Europe.

Astaro Security Linux. The German-based Astaro has been developing security and firewall solutions since January 2000. Now in version 5, Astaro Security Linux offers not only a firewall and VPN, but also virus scanning for all inbound and outbound email, spam protection, intrusion detection, and an excellent web-based interface for configuring services. The product is free for home use, but any commercial deployment requires a license fee starting at $390.

ClarkConnect Firewall/VPN. The Red Hat-based ClarkConnect Broadband Gateway project has been around for several years, but a dedicated Firewall/VPN edition was only introduced to the market in April this year. The pages detailing the product features are still under construction, but if the Canadian company's main product (which does include firewall features) is anything to go by, it is worth a closer look, especially by users familiar with Red Hat Linux or Fedora Core.

Devil-Linux. Devil-Linux is a run-from-CD firewall, a community project developed by Heiko Zuerker. According to the author, the main advantage of a CD-based firewall is that the content on the CD cannot be modified by an intruder - a simple reboot will restore the firewall to its original state. Also, a CD-based firewall requires no installation, consumes less power, is immune to hard disk failures, and is simple to get up and running in a very short time. Devil-Linux does not offer any graphical configuration utilities, but a console-mode setup wizard is provided for setting up the firewall. Configuration files can be saved to a floppy disk, hard disk or a USB storage device. Devil-Linux is released under the GPL.

Euronode Firewall. Euronode Firewall is a new community project, a Debian-based firewall product sponsored by a French-based GNU/Linux services company of the same name. Two firewall products are available - Euronode Simple Firewall and Euronode Advanced Firewall; the latter includes a mail server (Postfix), an antivirus program (ClamAV) and a spam control program (SpamAssassin), in addition to standard firewalling functions. Both products come with Webmin. Euronode does not include any proprietary software; it is built from packages available in standard Debian, but stripped to a minimum that's required for a functional firewall.

Gibraltar Firewall. The Debian-based Gibraltar Firewall is a commercial product of Austria's eSYS Informationssysteme. In development since July 2000, it finally reached a stable state in November 2003 when Gibraltar 1.0 was released. Like Devil-Linux, Gibraltar also runs entirely from a CD, with configuration files optionally stored on hard disk, floppy disk or a USB storage device. Two editions of the product are available - the only differences between the free edition and the $999 commercial edition are a web-based configuration utility called GibADMIN and formal support.

IPCop Firewall. IPCop Firewall, originally started as a fork of SmoothWall, is a community project released under the GPL. It is geared towards home and small office use. Although the development tends to be slow (there has been no new release for over a year), IPCop has received surprisingly good reviews by the media, even when compared with some of the expensive commercial firewalls on this list. IPCop provides a web-based interface to configure the firewall. One major advantage of IPCop over similar community projects is excellent documentation available in many languages.

m0n0wall. The Swiss-based m0n0wall project is the odd man on this list because it is based on FreeBSD, rather than Linux. It comes with a long list of features, including a web-based configuration interface with SSH support (webGUI - a nicely designed application written in PHP, with configuration files stored in XML format), wireless support, IPSec VPN tunnels, DHCP client, DynDNS client, and configuration backup/restore, just to name a few. Version 1.0, based on FreeBSD 4.9, was released in February 2004 under the BSD license.

redWall Firewall. Also from Switzerland comes redWall Firewall, a community project hosted at SourceForge and based on Red Hat Linux 9. It belongs to the category of live CDs. Besides the usual firewall and VPN features, the product comes with plenty of extras, including intrusion detection, web caching, mail relaying, spam filtering and virus scanning. All configuration is done via Webmin's graphical interface and the resulting configuration files can be stored on a floppy disk, hard disk or USB storage media, or they can be sent by email. redWall Firewall is a free product released under the GPL.

Securepoint Firewall & VPN Server. Securepoint is a well-established German Linux company specializing in firewall products and solutions. Their Securepoint Firewall is based on Red Hat Linux and it includes the usual range of intrusion protection, virus scanning, content filtering and other features. The product is free for home use, but any business use requires hefty licensing fees ranging between €799 and €4,995.

Sentry Firewall CD. Sentry Firewall CD is another CD-based firewall with intrusion detection, based on Slackware Linux. Its kernel is heavily patched with various security enhancements, including OpenWall, FreeS/WAN, Ebtables bridge + netfilter patch, Linux-WLAN modules, and MPPE (Microsoft Point-to-Point Encryption). In the true Slackware tradition, all configuration is done by editing text files. Sentry Firewall CD has been in development for over 3 years and is released under the GPL.

SmoothWall. The UK-based SmoothWall firewall is probably the best-known firewall on the market. Although the infamous Richard Morrell, the man who founded SmoothWall Ltd., is no longer with the company, the development continues in two directions: the free SmoothWall Express released under the GPL, and the £180 SmoothWall Corporate Server available under a commercial license. Compared to most other products on this list, SmoothWall Express limits itself to being a firewall only, but it does include a graphical interface for easy setup. SmoothWall Express continues to receive good reviews in the media, especially after the release of version 2.0 in January 2004.

| Product | Origin | Based on | Price | GUI | Licence |
|---|---|---|---|---|---|
| Astaro | Germany | Red Hat | $390, free for home use | yes, web-based | Commercial |
| ClarkConnect | Canada | Red Hat | Free | yes, web-based | GPL |
| Devil-Linux | Germany | Linux From Scratch | Free | no | GPL |
| Euronode | France | Debian | Free | yes, Webmin | GPL |
| Gibraltar | Austria | Debian | $0 - $999 depending on features | yes, GibADMIN | Commercial |
| IPCop | USA | SmoothWall | Free | yes, web-based | GPL |
| m0n0wall | Switzerland | FreeBSD | Free | yes, webGUI, written in PHP | BSD |
| redWall | Switzerland | Red Hat | Free | yes, Webmin | GPL |
| Securepoint | Germany | Red Hat | €799+, free for home use | yes, web-based | Commercial |
| Sentry | USA | Slackware | Free | no | GPL |
| SmoothWall | UK | -- | £0 - £180 | yes, web-based | GPL |

If you Need a Firewall...

Posted Jun 3, 2004 9:59 UTC (Thu) by IOSKrakow (guest, #9079)

Unfortunately, you have missed a great many Linux Router Project descendants. Some LEAF creations, like Bering for example, are also very widely used. They may be a little lighter (no or limited VPN, no or limited Web management) but they are powerful enough for many small companies and home networks.

If you Need a Firewall...

Posted Jun 4, 2004 1:17 UTC (Fri) by tmattox (subscriber, #4169)

I have been happily using floppyfw for years. It's been kept up to date with security patches, and is quite simple to set up for its target environment.

If you Need a Firewall...

Posted Jun 6, 2004 20:13 UTC (Sun) by dd9jn (subscriber, #4459)

A license named "Commercial" is a misnomer: You can't see anything from that because the term commercial means that it is just a commercial product (maybe in contrast to something home grown or community developed).

There is commercially available software under the GPL of course and there is OTOH also non-commercial software under proprietary licenses. Think Redhat, Cygnus, ACT, etc. vs. Freeware stuff.

If you Need a Firewall...

Posted Jun 8, 2004 3:56 UTC (Tue) by showell (subscriber, #2929)

For those on Telstra's Bigpond cable network it is useful to note that some projects include the BIDS2 heartbeat client. I use Clarkconnect and it specifically asks if you are on Bigpond during the installation process.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds