
Linux open source firewall software options

Ken Milberg overviews open source firewall software options for Linux that leverage netfilter/iptables. FireHol, Shorewall, Untangle, and FireStarter are examined. Ken advises carefully considering these options, demoing them, and determining which option is best for your IT setting.

Most articles focused on Linux open source firewalls and/or routers in a networked environment tend to discuss netfilter/iptables. Rather than discussing the configuration or deployment of netfilter/iptables, here we'll examine open source firewall software that leverages the extraordinary abilities of netfilter/iptables.

First, let's examine some of the open source tools available to you:

FireHol -- This software harnesses the power of netfilter/iptables, essentially turning Linux into a turnkey firewall solution. It is suited to complex scenarios that previously may have called for enterprise solutions such as a Cisco PIX box. It's important to understand that FireHol is not just a script; it is a language that produces firewall rules. The goals of the project include simplification, ease of use, flexibility and security. The beauty of FireHol is that only one file is required for the entire system, and no compilation is necessary. Further, the configuration files are easy to understand. In fact, you can create firewalls in a matter of minutes. It took me less than an hour to download the software and get a firewall working in my environment.

Maybe you're wondering: What about security? FireHol allows only the traffic you explicitly permit to enter your networks, and it produces rules for both directions of the firewall. Its flexibility comes from being usable by both end users and system administrators. Furthermore, the configuration files are written in bash, which is as convenient as you can get.
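To illustrate the single-file FireHol language described above, here is an added example of a gateway configuration (not from the article or the FireHol project); it assumes eth0 faces the LAN and eth1 faces the Internet, and relies on FireHol's default drop policy so that only the listed services are allowed:

```firehol
# /etc/firehol/firehol.conf (example layout; interface names are assumptions)
# FireHol 1.x configuration files start with a version line.
version 5

# LAN side: the firewall answers SSH and DNS from local hosts and may
# itself connect anywhere. Anything not listed is dropped by default.
interface eth0 lan
    server ssh accept
    server dns accept
    client all accept

# Internet side: 'protection strong' adds anti-spoofing and flood checks,
# only SSH is accepted inbound, and the box may initiate any connection.
# Replies come back through netfilter's connection tracking, so no
# separate inbound rule is needed for them.
interface eth1 internet
    protection strong
    server ssh accept
    client all accept

# Traffic crossing the box: LAN hosts reach the Internet behind NAT.
# 'route all accept' permits forwarding in both directions; narrow it
# to specific services if nothing on the LAN should be reachable.
router lan2internet inface eth0 outface eth1
    masquerade
    route all accept
```

Before activating a new file, `firehol debug` prints the iptables commands FireHol would generate without applying them, and `firehol try` applies the rule set but reverts it unless you confirm within its timeout, which is the safe way to test from a remote session.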

FireStarter -- If you like a GUI, you'll love this one. This product provides a nice graphical interface that allows you to configure all kinds of settings. The goal of the program is to make firewall deployment, configuration and administration simple, while being capable enough to function as a corporate firewall. Among its features, it boasts a firewall event monitor.


Some of its other features include:

  • Allows defining both inbound and outbound access policies
  • Allows enabling Internet connection sharing, using DHCP
  • Allows use of open or stealth ports
  • Has port forwarding ability and options to whitelist or blacklist traffic
  • Includes advanced Linux kernel tuning (supporting 2.4 and 2.6)
  • Supports tuning ICMP parameters with the intent of stopping Denial of Service (DoS) attacks
  • Has network traffic monitoring, including traffic routed through the firewall.

You can also install the software on a desktop, a server or as a dedicated gateway on the network, functioning as a dedicated firewall.

Shorewall -- This open source firewall tool configures kernel rules that either allow or disallow traffic. Like FireHol, it does not have a GUI; instead, it is driven by plain-text configuration files. The product is primarily used on networks, as its strength is its ability to work with zones. Starting with version 4, Shorewall uses a Perl-based compiler front-end. It can be used as a dedicated firewall system, a multi-function gateway/router or on a standalone GNU/Linux system. It's important to note that it does not use Netfilter's ipchains compatibility mode, which means it can take full advantage of Netfilter's connection state tracking to create a stateful firewall. While it is not as simple a product as FireStarter, it handles complex and fast-changing network environments much more easily than generic Linux tools do. Both RPM and Debian packages are available, though you will need to make certain you download the correct RPMs for the Linux distribution you are using.

Untangle -- Trumpeted as a commercial-grade open source alternative to SonicWALL, the Untangle Gateway is actually much more than a simple firewall. It bundles fourteen applications that even experienced system administrators would have trouble installing and managing on their own. These applications include ClamAV, Snort, SpamAssassin, OpenVPN and Iptables.

InfoWorld listed Untangle as one of the 10 best open-source security products of 2008. Among other features, it protects against viruses, spyware, phishing and spam. I especially like that you can pick and choose the apps you want to use. For example, if you already have a product for virus protection, you can choose not to use Untangle's. The same holds true for VPN or any of the other programs bundled with the product. It also provides an excellent GUI configuration tool for Iptables; the tool is very intuitive and lets you configure your firewall rules. There are two downloadable versions: one that installs on Windows, and a dedicated server version that comes integrated with Linux.

Currently, there are over 10,000 businesses and 500,000 people using Untangle.

I will stress that you should carefully review the features you are looking for prior to deploying any of these firewalls. At the same time, think about whether ease-of-use is important in terms of a GUI, as some of these products don't have a GUI. Furthermore, some of the products have vendor support while others do not. Like anything else, weigh the pros and cons of each product and don't be afraid to demo them yourself. While you won't go wrong with any of these products, make sure you choose the one that works best for your environment.

ABOUT THE AUTHOR: Ken Milberg is a systems consultant with two decades of experience working with Unix and Linux systems. He is an Ask the Experts advisor and columnist.
