Firewalls form a vital part of the network security system, isolating the network from all kinds of intrusions. This article discusses some open source firewalls that the author believes are the best available.
A firewall is the most important part of a network security system. It acts like a wall between internal and external networks. The main purpose of a firewall is to stop intruders such as viruses, Trojans and hackers. It continuously monitors incoming and outgoing network traffic to block any kind of cracking, snooping, DDoS attacks, etc. Firewalls come in two forms: hardware and software firewalls. Today we will discuss software firewalls that are free and open source.
There are dozens of open source firewalls available online to download under open source licences but, out of them, I would like to recommend pfSense (FreeBSD) and ClearOS. This article features a few other noteworthy firewalls too.
pfSense is an open source security solution with a custom kernel based on the FreeBSD OS. It is a software distribution customised specifically for use as a firewall and router. This open source firewall can be installed on bare metal hardware and managed entirely through a Web interface. Beyond firewalling and routing, its functionality can be expanded through its many features, without adding bloat and potential security vulnerabilities to the base distribution.
- Firewall – IP/port filtering, limiting connections, Layer 2 capable, scrubbing
- State table – By default, all rules are stateful, and there are multiple configurations available for state handling
- Server load balancing (LB) – Inbuilt LB to distribute load between multiple backend servers
- NAT (network address translation) – Port forwarding, reflection
- HA (high-availability) – Failover to secondary if primary fails
- Multi-WAN (wide area network) – Uses more than one Internet connection
- VPN (virtual private network) – Supports IPsec and OpenVPN
- Reporting – Keeps historical resource utilisation information
- Monitoring – Real-time monitoring
- Dynamic DNS – Multiple DNS clients are included
- DHCP and relay ready
- Security – Stunnel, Snort, Tinc, Nmap, arpwatch
- Monitoring – iftop, ntopng, Softflowd, urlsnarf, darkstat, mailreport
- Networking – NetIO, nut, Avahi
- Routing – FRR, OLSRd, routed, OpenBGPD
- Services – Iperf, widentd, syslog-ng, bind, Acme, Imspector, Git, DNS-server
ClearOS is a CentOS based open source firewall that transforms your standard PC into a dedicated firewall and Internet server/gateway. ClearOS has three editions: ClearOS Business, ClearOS Home and ClearOS Community. The community edition is free for a lifetime but for the other two, you need to purchase a subscription. It is one of the best open source firewalls for small to mid-sized businesses (SMBs). It is a complete network solution and you can extend its functionality by installing apps such as the bandwidth manager, DHCP server, DMZ, DNS server and more.
- Firewall, networking and security
- Provides several levels of security
- Bandwidth QoS manager
- DMZ, 1-to-1 NAT and port forwarding
- At the protocol level, the peer-to-peer detection system lets you manage file sharing usage
- Intrusion detection and intrusion prevention systems
- Virtual private networking
- Web proxy and content filtering
IPFire is built on top of Netfilter and is an open source distribution. IPFire was designed with both modularity and a high level of flexibility in mind. It can be used as a firewall, proxy server or VPN gateway. The IDS (intrusion detection system) is inbuilt, so attacks are detected and prevented from Day One. And with the help of Guardian (an optional add-on), you can implement automatic prevention.
- Stateful packet inspection (SPI)
- Proxy server with content filter and caching functionality
- Intrusion detection system
- VPN via IPsec and OpenVPN
- DHCP server
- Caching name server
- Time server
- Wake-on-LAN (WOL)
- Dynamic DNS
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. It includes most of the features available in expensive commercial firewalls, and more. OPNsense offers the rich feature set of commercial offerings with the benefits of open and verifiable sources.
- Traffic shaper
- Captive portal
- Forward caching proxy
- Virtual private network
- High availability and hardware failover
- Intrusion detection and inline prevention
- Built-in reporting and monitoring tools
- Support for plugins
- DNS server and DNS forwarder
- DHCP server and relay
VyOS is an open source network operating system based on Linux. It includes multiple applications such as Quagga, ISC DHCPD, OpenVPN, strongSwan and others, under a single management interface. It can be installed on any physical hardware, on a virtual machine or on a cloud platform.
- Static and dynamic routing
- Firewall rulesets for IPv4 and IPv6 traffic
- Tunnel interfaces
- PPPoE, GRE, IPIP, SIT, static L2TPv3, VXLAN
- DHCP and DHCPv6 server and relay
- NetFlow and sFlow
- Web proxy and URL filtering
- QoS policies (drop tail, fair queue, and others), traffic redirection
- VRRP, connection table synchronisation
Smoothwall is a Linux distribution designed to be used as an open source firewall. It is configured via a Web based GUI and requires little or no knowledge of Linux to install and use it. Smoothwall Express supports LAN, DMZ, internal/external network firewalling, Web proxy for acceleration, traffic stats, etc. Shutting down or rebooting is possible directly through the Web interface.
- Supports LAN, DMZ and wireless networks
- External connectivity via Static Ethernet, DHCP Ethernet, PPPoE, PPPoA using various USB and PCI DSL modems
- Port forwards, DMZ pin-holes
- Outbound filtering
- Timed access
- Simple to use Quality-of-Service (QoS)
- Traffic stats, including per interface and per IP totals for weeks and months
- IDS via automatically updated Snort rules
- UPnP support
- List of bad IP addresses to block
Untangle NG Firewall takes the complexity out of network security, saving users’ time. This firewall is intended to balance performance and protection, policy and productivity. It’s an ideal fit for a range of organisations seeking a powerful, cost-effective network security solution that can handle any IT challenge, from small, remote offices to diverse school campuses and large, distributed organisations. The NG Firewall has different software modules that can be enabled or disabled as per individual requirements. These software modules are also called apps. There are both free and paid apps. So, for full functionality, you have to buy subscriptions for what you want.
- Virus blocker
- Web monitor
- Spam Blocker Lite
- Ad blocker
- Captive portal
- Intrusion prevention
- Phish blocker
In my opinion, these are the best firewalls available in the open source world. I have chosen them as they are cost-effective and user friendly. Others may have a different opinion.
The author works at TCS as a systems engineer. His areas of interest are Java development and automation testing. He can be contacted at email@example.com.