Every network needs a well-configured firewall. Open source firewalls have the advantage that they are free and there are verifiably no backdoors. The code is known and is usually maintained regularly. It usually costs a bit more work to install and configure them, but it is sometimes worth taking a look at this technology.
Open source firewalls are installed on existing hardware and connected to the Internet. This allows firewalls to be deployed quickly without putting the security of the network at risk. On the contrary, open-source firewalls often offer a great advantage to less experienced administrators, as they are usually easier and faster to set up.
Of course, open-source firewalls do not always have the same feature set as commercial firewalls. However, this is often not necessary. If you need support, you have to rely on the Internet when using open source firewalls. If you want to be sure that you will always receive support, you have to rely on a commercial provider. Special support is only available with solutions that are subject to a fee. Those who rely on an open-source firewall must be aware that they will have to manage it themselves and solve problems themselves, of course with the help of forums on the Internet.
In this article, we also present open-source firewalls such as IPCop or Smoothwall Express, which have not been developed further for some time. These firewalls are suitable for use in test and development environments, but not necessarily for use in production networks. However, since they have been on the market for years and belong in a complete list, we mention these firewalls as well. M0n0wall has not been developed for years but is one of the most popular open-source firewalls of the last decade.
- What an open-source firewall must be able to do
- Requirements for operating an open source firewall
What an open-source firewall must be able to do
Of course, open source firewalls must provide adequate protection, just like commercial firewalls. The protection that a firewall must provide is also described by the German Federal Office for Information Security (BSI) in its “IT-Grundschutz”. There must be a packet filter to the external network, which in most cases is the Internet.
In addition, there must be a packet filter to the internal network. There must also be an Application Layer Gateway (ALG) in the firewall. This is where the ports used by applications to access the Internet are managed. The ALG controls the dynamic release of these ports so that protocols such as SMTP, FTP and others can be released more easily and securely.
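The dynamic port release described above can be illustrated with FTP passive mode. This is an added example, not code from any of the firewalls in this article: the class name `FtpAlg`, the 30-second pinhole lifetime and the sample addresses are assumptions. It reads the server's `227` reply on the control channel and opens a one-time, short-lived pinhole for exactly the announced data port.

```python
import re

# FTP passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

class FtpAlg:
    """Hypothetical ALG: opens data-port pinholes announced on the FTP control channel."""

    def __init__(self, pinhole_ttl=30.0):
        self.pinhole_ttl = pinhole_ttl   # assumed lifetime of a pinhole in seconds
        self.pinholes = {}               # (client_ip, server_ip, port) -> expiry time

    def inspect_control(self, client_ip, server_ip, line, now):
        """Return the released data port, or None if nothing is opened."""
        m = PASV_REPLY.match(line)
        if not m:
            return None
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return None
        announced_ip = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Only release a port on the server the client is already talking to,
        # and never a privileged port.
        if announced_ip != server_ip or port < 1024:
            return None
        self.pinholes[(client_ip, server_ip, port)] = now + self.pinhole_ttl
        return port

    def allow_data(self, client_ip, server_ip, port, now):
        """A pinhole admits one data connection and is then removed."""
        expiry = self.pinholes.pop((client_ip, server_ip, port), None)
        return expiry is not None and now <= expiry

def demo():
    # Constructed control-channel lines (documentation address ranges).
    alg = FtpAlg()
    good = "227 Entering Passive Mode (203,0,113,10,195,80)"
    spoofed = "227 Entering Passive Mode (198,51,100,7,195,80)"
    port = alg.inspect_control("10.0.0.5", "203.0.113.10", good, now=0.0)
    return [port,
            alg.allow_data("10.0.0.5", "203.0.113.10", port, now=5.0),
            alg.allow_data("10.0.0.5", "203.0.113.10", port, now=6.0),
            alg.inspect_control("10.0.0.5", "203.0.113.10", spoofed, now=7.0)]

if __name__ == "__main__":
    print(demo())
```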
Another security feature that a firewall should provide is “Stateful Packet Inspection” (SPI). With this security function, data packets that are sent through the firewall are assigned to an already existing session. When analyzing the packets, the data of the current session is included. For this purpose, the properties of outgoing packets are stored and compared with incoming packets.
As a result, the firewall recognizes packets that belong to a session and allows them, while blocking others that may represent an attack. SPI is an important security feature, and SPI firewalls are easier to set up than plain packet filters, especially for less experienced administrators.
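The session matching described above, as an added example that is not taken from any of the firewalls in this article. The class `StatefulFilter`, the internal network `10.0.0.0/24` and the 60-second idle timeout are assumptions, and the sketch matches on addresses and ports only, without the TCP flag and sequence tracking a real SPI engine performs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFilter:
    """Outgoing packets create session state; incoming packets must match it."""

    def __init__(self, lan="10.0.0.0/24", idle_timeout=60.0):
        self.lan = ipaddress.ip_network(lan)   # assumed internal network
        self.idle_timeout = idle_timeout       # assumed idle limit in seconds
        self.sessions = {}                     # session key -> time last seen

    def handle(self, pkt, now):
        # Forget sessions that have been idle for too long.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.idle_timeout}
        if ipaddress.ip_address(pkt.src) in self.lan:
            # Outgoing: store the packet's properties as session state.
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ALLOW"
        # Incoming: compare against stored state with the endpoints reversed.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "ALLOW"
        return "DROP"

def demo():
    # Constructed sample traffic (documentation address ranges).
    fw = StatefulFilter()
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51000)
    return [fw.handle(request, now=0.0),      # creates the session
            fw.handle(reply, now=1.0),        # matches the session
            fw.handle(unsolicited, now=2.0),  # no matching session
            fw.handle(reply, now=120.0)]      # session has timed out

if __name__ == "__main__":
    print(demo())
```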
Requirements for operating an open source firewall
Anyone running an open source firewall needs a computer on which to install the firewall software. The computer must have at least two network adapters between which the traffic is controlled by the firewall. If there is also to be a DMZ, a third adapter is of course necessary. The computer should have a reasonably modern CPU and enough memory to handle requests from the network or the Internet.
#1 OPNsense – Firewall with VPN functions
OPNsense is a fork of pfSense and further development of m0n0wall. The open source firewall has many features that are otherwise reserved for paid firewalls. Examples include IPSec, VPN, 2FA, QoS, IDPS, Netflow, proxy, web filtering, and other services that can be included. A DHCP and DNS server is also available, as well as the possibility to build a VPN with OpenVPN. FreeBSD 11.x is used as the base operating system, more precisely the hardened variant (HardenedBSD). The packet filter “pf” is used to secure the data packets. The firewall is thus ideally suited for providing home office functions in small companies so that users can dial in from home.
#2 pfSense – Firewall based on FreeBSD
pfSense is also based on FreeBSD. OPNsense was developed on the basis of pfSense. The firewall is, like OPNsense, ready for use in a few minutes. pfSense also uses the packet filter “pf”. It is managed via a web interface. The firewall is also available as an appliance with matching hardware.
#3 IPCop Firewall – Firewall with proxy function
The IPCop Firewall is characterized by simple installation and administration. The open source firewall is an older project and is no longer under active development, but it still provides basic protection for small networks. However, its use is only recommended if there is no time to set up a more modern firewall. After installation, IPCop provides Squid-based proxy servers in parallel to the firewall functions. The interface allows the configuration of all necessary settings. Administrators with Linux knowledge can also access the shell.
#4 IPFire – Firewall, Proxy, and VPN
IPFire can be used as a firewall, but also as a proxy and VPN gateway. In addition, there is an intrusion detection system (IDS). The system is ready to use in a few minutes.
#5 Smoothwall Express
Smoothwall Express is also an open source firewall which, like IPCop, is very old and is currently no longer being developed. It can still be used, but it is less advisable for production use. For test and development environments, or for temporary use, it can still be useful to rely on the firewall.
#6 Ufw – Uncomplicated Firewall in Ubuntu
On Linux, firewalls can be operated with the packet filter “iptables”. With UFW, Ubuntu offers an extension that makes it simpler to configure the rules. A graphical user interface is also available. On Ubuntu, it is installed with “sudo apt-get install ufw gufw”.
#7 ConfigServer Security & Firewall (csf)
ConfigServer Security & Firewall (CSF) is an SPI firewall for Linux that is also quickly ready for use.