Ten most practical open source firewalls in Linux system

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today, open source firewalls are numerous. This article covers ten of the most practical open source firewalls for enterprise needs.

1. Iptables

Iptables/Netfilter is the most popular command-line-based firewall. It is the first line of defense for Linux server security, and many system administrators use it to fine-tune their servers. Its role is to filter packets in the network stack inside the kernel. Its features include: listing the contents of the packet filtering rule set; fast execution, because it only checks the header of the packet; administrators can add, modify, and delete rules in the packet filtering rule set as needed; and rule sets can be backed up to and restored from files.
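Because the rule set can be saved to a file, that file can also be reviewed offline. The following is an added example, not code from the original article: it parses a constructed sample in the `iptables-save` text format and flags a few weak settings. The sample rules and the three checks are assumptions chosen for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the article).
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Return ({table: {chain: policy}}, [(table, chain, args)])."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*filter" opens a table
            table = line[1:]
            policies[table] = {}
        elif line.startswith(":"):          # ":INPUT ACCEPT [0:0]" sets a chain policy
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):        # "-A CHAIN ..." appends a rule
            args = shlex.split(line)
            rules.append((table, args[1], args[2:]))
    return policies, rules

def audit(text):
    """Return findings for the filter table's INPUT chain (illustrative checks)."""
    policies, rules = parse_save(text)
    findings = []
    if policies.get("filter", {}).get("INPUT") == "ACCEPT":
        findings.append("INPUT default policy is ACCEPT")
    inp = [a for t, c, a in rules if t == "filter" and c == "INPUT"]
    if not any("--ctstate" in a or "--state" in a for a in inp):
        findings.append("no connection-state rule in INPUT")
    for a in inp:
        # An ACCEPT rule on a port with no source restriction is open to everyone.
        if "ACCEPT" in a and "--dport" in a and "-s" not in a:
            findings.append("port %s open to any source" % a[a.index("--dport") + 1])
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On a real host the input would be the output of `iptables-save`; a rule set that ends with an explicit catch-all drop rule would still trigger the default-policy finding, so treat that check as a prompt for review rather than a verdict.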

2. IPCop Firewall

IPCop's interface is very friendly and easy to manage. It is very useful for small businesses and local PCs. Administrators can configure an older PC as a secure VPN to provide a secure Internet environment. This firewall can also retain commonly used information, which can provide a better Web browsing experience for its users. Its color-coded Web interface enables administrators to monitor CPU, memory, disk, and network throughput performance, and it supports multiple languages and provides very secure, easy-to-implement upgrades and add-on patches.

This distribution is completely independent of IPFire, but it also uses color coding to represent different connections: green for LAN, red for Internet, orange for DMZ, blue for wireless connectivity.

IPCop was a fork of Smoothwall and then taken over by the IPFire team, but the firewall is rarely updated, with the most recent update released in February 2015.

Installation is relatively simple, but there are wildcard issues that some novice users may find confusing. However, accepting the default options does not cause any problems unless you have a very specific network configuration.

The main advantage of IPCop is that the installation image is very small, about 60MB, and can be copied to DVD or flash drives.

IPCop's web interface feels clunky, and our tests show that it's not just psychological: it is slow.

However, in addition to the real-time graphs provided by Smoothwall, IPCop also provides more information about LAN settings and about how the firewall itself works, including a list of currently open connections.

The firewall also provides a caching proxy that lets you cache frequently visited pages locally.

IPCop is a great tool as a firewall and provides a lot of information about network traffic, but it may not be the best-looking release; it just does its job.

Review: Although this firewall looks bad, it can effectively protect your network.

3. Shorewall

Shorewall builds on the Netfilter framework built into the Linux kernel and supports IPv6. Features include: use of Netfilter's connection tracking for stateful packet filtering, support for multiple router, firewall and gateway applications, centralized firewall management, a GUI interface through the Webmin control panel, multi-ISP support, support for masquerading and port forwarding, and VPN support.

4. OPNsense

OPNsense is an easy-to-use open-source firewall based on FreeBSD 10.1.

Obviously, the name of the project comes from "open" and "sense," which means "open source makes sense." The OPNsense project started as an offshoot of the more mature firewall pfSense.

The team claims they did this partly because of the license type of pfSense and partly because they believed they could also create a more secure firewall.

The firewall now shares only 10% of its code with the original pfSense project. OPNsense provides weekly security updates and rapid response to threats.

It contains many advanced features such as forward caching proxies and intrusion detection, and it also supports the use of OpenVPN.

OPNsense contains a very rich GUI, written in Phalcon PHP, which is very attractive.

In addition to wanting a better interface than pfSense, OPNsense was created partly because the team felt that graphical interfaces should not have root access, as this may pose security problems. The GUI provides a simple search bar as well as a new system health module, which is interactive and provides visual feedback as you analyze the network. You can also export data in CSV format for further analysis.

The firewall uses an inline intrusion prevention system, a powerful form of deep packet inspection: OPNsense inspects individual packets or connections and blocks them if necessary. OPNsense also offers LibreSSL as an alternative to OpenSSL.

Review: Excellent offshoot of the pfSense project, offering plenty of features.

5. Vuurmuur

Vuurmuur is another powerful Linux firewall manager that can build and manage iptables rules for servers or networks. Vuurmuur is also easy to manage and does not require knowledge of iptables to use. Features include: IPv6 support, communications ×××, advanced monitoring features, real-time monitoring of connections and bandwidth usage, easy configuration with NAT, and anti-spoofing features.

6. pfSense

pfSense is another open source and reliable firewall for FreeBSD servers that builds on the concept of stateful packet filtering and has many features only available on expensive commercial firewalls. It is easy to configure and upgrade via a Web interface; can be deployed as a perimeter firewall, DHCP and DNS server; can be deployed as a wireless access point and VPN endpoint; communicating ×××; provides real-time information about the server; and supports inbound and outbound load balancing.

Like OPNsense, pfSense is based on FreeBSD and is designed to be used as a firewall and router. pfSense has a loyal following and updates are released quarterly. This firewall distribution runs on a variety of hardware, but currently only supports the x86 architecture. Its website provides convenient hardware guides to help you choose compatible devices.

The installation process is done from the command line, but it is very simple; you can choose to boot from a CD or a USB drive.

The setup assistant will ask you to assign interfaces during installation, rather than after launching into the web interface. You can use the auto-detect feature to determine which network card is which.

The firewall has a small number of built-in features, such as multi-WAN, dynamic DNS, hardware failover, and different authentication methods. Unlike IPFire, pfSense has a captive portal feature where all DNS queries resolve to a single IP address, such as a login page for a public WiFi hotspot.

The distribution's interface is simple and easy to use, but it lacks non-firewall-related extras. If you only want a simple firewall, there's nothing wrong with choosing pfSense, but if you want more features, you might want to consider other firewalls.

Review: Most complete firewall distribution, but it doesn't come with any non-firewall extras.

7. IPFire

IPFire is an open source firewall for small businesses, home offices, etc. It has strong modularity and flexibility. The IPFire community is also concerned with security and has developed IPFire as a stateful packet-inspection firewall. Features include: deployable as a firewall, proxy server or VPN gateway; content filtering; a built-in intrusion detection system; support through a wiki and forums; and support for virtualized environments under hypervisors such as KVM, VMware and Xen.

IPFire is a Linux firewall distribution focused on user-friendliness and ease of setup, and it supports many useful features such as intrusion detection.

IPFire uses strict security practices, utilizing an SPI (Stateful Packet Inspection) firewall built on netfilter.

IPFire is designed for firewall and network novices and can be set up in minutes. The installation process will allow you to configure the network into different security segments, each color-coded. The green segment represents a safe zone for all normal clients connected to the local wired network, and the red segment represents the Internet.

No traffic can move from red to other segments unless you have specifically configured it in your firewall. The default setup assumes one device with two network cards, with only green and red segments. But during setup, you can also configure a blue segment for wireless connections and an orange one for the DMZ.

Once setup is complete, you can configure additional options and add-ons via the intuitive Web interface.

IPFire's ISO image file is only 160MB in size, and after burning to DVD, it's easy to load into your computer's memory and start running from there. Alternatively, you can download a flash image to install on a router, or even an ARM device image, such as a Raspberry Pi.

The IPFire project is in the midst of a "captive portal" crowdfunding campaign, which is a good option if you want to display a login page to people connected to your WiFi network. It also prevents malicious devices from connecting automatically.

Review: Lightweight, easy-to-use firewall with some ultra-advanced features.

8. SmoothWall and SmoothWall Express

SmoothWall is also an open source firewall with an easy-to-configure Web interface called WAM (Web Access Management). The freely distributed version of SmoothWall is called SmoothWall Express. Features include: LAN support, DMZ, wireless networking, real-time content filtering, HTTPS filtering, proxy server support, management of traffic statistics per IP, per interface and access, backup and restore capabilities, etc.

Smoothwall Express is probably the best-known firewall distribution.

Smoothwall Express installation is text-based, but you don't need to be familiar with Linux consoles; everything is fairly intuitive. You may prefer to download or print the installation guide to guide you through the setup process. To do this, you need to create a my.smoothwall profile.

It offers three installation options: Standard, Developer, and Express. The Developer option is suitable for those who want to work on the Smoothwall project's code. Express is a streamlined version that ensures maximum compatibility with older hardware.

Unless you have a very specific network configuration, you can usually accept the default options.

The web-based control panel is simple and easy to understand. Smoothwall Express doesn't offer a lot of extra features, but it allows you to set up a separate account to control the main connection, which is especially useful if you're using dial-up.

One of the advantages of Smoothwall Express is the simplicity it provides when running internal DNS: adding new hostnames takes just seconds. Assigning static IPs and enabling remote access also takes just a few mouse clicks.

The only problem we noticed in our tests was that assigning a static DHCP lease requires you to click Add and then Save, which is not particularly obvious, but you have to perform the second step.

Review: This is a powerful firewall that is easy to use, but it lacks some of the more advanced features.

9. Endian

Endian is another firewall based on the stateful packet inspection concept that administrators can deploy as a router, proxy, or gateway. It evolved from IPCop Firewall and has the following features: bidirectional firewall, Snort intrusion prevention, Web server security through HTTP and FTP proxy servers, anti-virus and URL blacklists, IPSec support, and real-time network traffic logs.

10. ConfigServer Security Firewall

This is a cross-platform multipurpose firewall and is also based on the concept of stateful packet inspection. It supports virtually all virtualization environments such as Virtuozzo, OpenVZ, VMware, XEN, KVM, Virtualbox, etc. Its characteristics include: the login failure daemon can check sensitive servers for login failures, for example ssh, SMTP, Exim, IMAP, Pure & ProFTP, vsftpd, Suhosin, and mod_security failures; it can send email alerts when something unusual happens or when any kind of intrusion is detected on the server; it integrates easily with popular web hosting control panels (cPanel, DirectAdmin, Webmin); it alerts users to excessive resource use and suspicious processes via email; it has an advanced intrusion detection system; it protects Linux servers against SYN flood and ping of death attacks; it can check for exploits, etc.

Final summary

Choosing the right firewall largely depends on your specific needs, but you should deploy firewall protection anyway; after all, the Internet is full of dangers. This means that, in addition to basic protection, firewalls should ideally provide additional features to enhance protection.

For us, it's a waste if a technology doesn't fully function. That's why we prefer virtualization, where firewalls run as virtual servers.

While ClearOS is still the most powerful firewall, virtualizing it is not as easy as with other firewalls such as IPFire. And IPFire can be easily customized with its own add-on service, Pakfire, which means it beats ClearOS in this respect.

However, Smoothwall Express is also great: it's the only firewall that continues to run after installation without a lot of prompts and distractions.
