5 Best Open Source Firewalls

By Carla Schroder | Published on: 21-Mar-12

The Internet is a big, bad scary place, and so we must protect our small business networks with good stout firewalls. Firewalls can range from a simple gadget that keeps bad data packets out of our networks, to sophisticated multi-function gateways. Let's take a look at a sampling of the many fine open source firewalls we have to choose from.

Open Source Firewalls

Open source operating systems like Linux, FreeBSD, and OpenBSD have tons of built-in networking and security features, so they are natural platforms for building security products. And most commercial firewalls are built on one of them. There are multitudes of choices -- from tiny embedded systems for broadband wireless routers to giant enterprise firewalls with all the bells and whistles -- from free community support to paid support.

If you're not an Internet service provider you don't need the big fancy expensive Cisco or Juniper gear; look for open source-based products because they are proven, and you'll save money.

Endian Firewall

The Endian firewall offers a range of products, from a free community edition to hardware appliances for various workloads. The Endian Mini is a nice deal at $995, suggested for 5-25 users, though it could certainly support more for basic tasks like email, Web surfing, and VPNs. This firewall comes in a nice little compact power-saving unit with five Gigabit Ethernet ports and a USB port, 512MB RAM, 512MB to 4GB storage, all powered by an ARM system-on-a-chip (ARM SOC). The ARM SOC-based systems are perfect for this sort of use, because they don't need much power, they're compact, and they can handle good-sized workloads. You can choose from several other hardware appliances for bigger workloads.


Figure 1: Endian system load graph. Image courtesy Wikipedia and Tom H. Lautenbacher.


The Endian software is a complete Linux distribution hardened for security work: firewall, intrusion prevention and detection, anti-virus and anti-spam, VPN and secure remote access, and high availability. There is a free community version and a commercial version. The commercial version offers more features such as management tools, support for commercial add-ons like Sophos anti-virus and Commtouch anti-spam, virtual machine support, and various support options.

IPCop: The Bad Packets Stop Here

A reliable old favorite that has been around for years, IPCop is a free download that you install on your own hardware. It is well-maintained and has a good browser-based graphical administration interface. IPCop doesn't try to pack in every conceivable bit of networking functionality, rather it sticks to firewall and Internet gateway duties: packet filtering, proxy, traffic shaping, VPN and secure remote access, user authentication, name services, and time server.

It has a color-coded mechanism for creating and managing a basic set of subnets: Green is your internal trusted network, Red is the Internet, Orange is your DMZ for any Internet-facing servers, and Blue is a wireless subnet or a second trusted wired subnet.
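To make the zone model concrete, here is a small policy evaluator in the spirit of IPCop's Green/Red/Orange/Blue scheme. This is an added illustration, not IPCop's own code or its shipped rule set: the subnet addresses, the default policy matrix and the two "pinhole" exceptions are assumptions chosen to show the security logic (trusted zones may open connections toward less-trusted ones, nothing may initiate toward a more-trusted zone unless an explicit exception exists, and anything not in a known internal subnet is treated as Red).

```python
"""Zone-based firewall policy in the style of IPCop's Green/Red/Orange/Blue model.

Added example, not IPCop's own code or configuration. The subnets, the
published DMZ service, the admin pinhole and the policy matrix are assumptions
chosen to illustrate the model; IPCop's real defaults are set through its
web interface and may differ.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subnets, one per internal zone (assumed addressing).
ZONES = {
    "GREEN":  ipaddress.ip_network("192.168.1.0/24"),   # trusted LAN
    "ORANGE": ipaddress.ip_network("192.168.2.0/24"),   # DMZ
    "BLUE":   ipaddress.ip_network("192.168.3.0/24"),   # wireless / second LAN
}
# Any address outside the three internal subnets is treated as RED (Internet).

# Default policy for NEW connections between zones (assumption). A pair that is
# missing from this table is denied, so the safe default is "drop".
POLICY = {
    ("GREEN", "RED"): True,  ("GREEN", "ORANGE"): True, ("GREEN", "BLUE"): True,
    ("BLUE", "RED"): True,   ("BLUE", "ORANGE"): False, ("BLUE", "GREEN"): False,
    ("ORANGE", "RED"): True, ("ORANGE", "GREEN"): False, ("ORANGE", "BLUE"): False,
    ("RED", "GREEN"): False, ("RED", "ORANGE"): False,  ("RED", "BLUE"): False,
}


@dataclass(frozen=True)
class Pinhole:
    """An explicit exception to POLICY, narrowed to one host, protocol and port."""
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    port: int


# Constructed pinholes: a public HTTPS server in the DMZ, and one admin
# workstation in GREEN reachable over SSH from the wireless zone.
PINHOLES = (
    Pinhole("RED", "ORANGE", "192.168.2.10", "tcp", 443),
    Pinhole("BLUE", "GREEN", "192.168.1.5", "tcp", 22),
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are RED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple:
    """Return ("ACCEPT" | "DROP", reason) for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one zone never crosses the firewall.
        return "ACCEPT", f"same zone {src}; not filtered by the gateway"
    for p in PINHOLES:
        if (p.src_zone, p.dst_zone, p.dst_host, p.proto, p.port) == (src, dst, dst_ip, proto, port):
            return "ACCEPT", f"pinhole {src}->{dst} {proto}/{port} to {dst_ip}"
    if POLICY.get((src, dst), False):
        return "ACCEPT", f"default policy allows {src}->{dst}"
    return "DROP", f"default policy denies {src}->{dst}"


if __name__ == "__main__":
    # Constructed connection attempts, one per interesting case.
    samples = [
        ("192.168.1.20", "203.0.113.5", "tcp", 80),    # GREEN -> RED
        ("203.0.113.5", "192.168.2.10", "tcp", 443),   # RED -> DMZ web (pinhole)
        ("203.0.113.5", "192.168.2.10", "tcp", 22),    # RED -> DMZ ssh (no pinhole)
        ("192.168.2.10", "192.168.1.5", "tcp", 22),    # ORANGE -> GREEN
        ("192.168.3.7", "192.168.1.5", "tcp", 22),     # BLUE -> admin host (pinhole)
        ("192.168.3.7", "192.168.1.6", "tcp", 22),     # BLUE -> other GREEN host
    ]
    for s in samples:
        verdict, why = decide(*s)
        print(f"{s[0]:>14} -> {s[1]:<14} {s[2]}/{s[3]:<4} {verdict:6} {why}")
```

The point worth noticing is the direction of trust: a compromised host in the Orange DMZ can still reach the Internet, but cannot open a connection into Green, and the only path from Red into any internal zone is the single published service. When you configure a real IPCop box, review its pinhole and port-forward lists with that same question in mind: which less-trusted zone has been given a way into a more-trusted one, and is each entry still needed?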

IPCop comes with a batch of good network and system monitoring and performance graphs that let you quickly see if there are any trouble spots. It is free of cost and comes with community support only.

OpenWRT For Little Wireless Routers

Back in the early 2000s, Linksys released the WRT54G broadband router/firewall/switch/wireless access point. A nifty little gadget with five wired Ethernet ports, Wi-Fi, and management software, it was billed as easy to use even for novices. Of course this was a little misleading as you still need some networking knowledge even for a pointy-clicky interface. But it was (and is) a great little gadget that's perfect for small networks.

The original Linksys embedded firmware was limited and did not fully exploit the capabilities of the hardware. Fortunately it was Linux-based software, so eager hackers downloaded the source code and improved on it. This spawned a number of excellent third-party firmware replacements, such as Sveasoft, FreeWRT, DD-WRT, Tomato, and OpenWRT. Replacing the original vendor's firmware with one of these turned a useful $70 router into a $500 routing powerhouse.


You can now choose from dozens of these little routers, and they're all great little gadgets. You can use them as your sole firewall and router for small networks, or as secure wireless access points. You can even use them to set up wireless hotspots. In those early days flashing new firmware was risky and for gurus only, because a mistake could make the router unbootable.

This is known as bricking, because the router was about as useful as a brick if this happened. These days you still have to be careful, but it's much safer and easier now. You can flash new firmware via your router's Web interface, so the primary risk is a power interruption. It takes maybe five minutes to flash the new firmware, so if you can keep the lights on that long you're golden.

There are also a number of vendors that have seen the light and, rather than maintaining their own firmware, install DD-WRT or OpenWRT. That means you can buy it all prefab and ready to go to work. I prefer OpenWRT because it has a package manager. This is a huge benefit for one of these little firmwares; many of them do not let you install and remove software easily, and instead you must rebuild and re-flash the whole image.


Figure 2: Linksys WRT54G. Image courtesy Wikipedia and Tharkhold.

Before you run out and buy, first visit OpenWRT.org and consult the Supported Devices database. There is a hard way and there is an easy way -- the easy way is to buy something that is well-supported. OpenWRT is free of cost, with no commercial support options.

Vyatta for the Small to Giant Enterprise

Vyatta offers a range of networking products, from the free community edition to hardware appliances to cloud and virtualization products. If you just want a nice robust on-premises firewall, then take a look at the free community download that you can install on your own hardware, or one of the hardware appliances all pre-loaded and ready to go to work.

The Vyatta 600 costs around $1,000. It's a complete package for small to medium-sized businesses that performs every networking task you can think of. It's a good bargain even if you use only a small subset of its giant feature set.

It includes Gigabit Ethernet, fast Compact Flash storage, USB ports, and quiet, low-power fan-less operation. The Vyatta software is a first-rate network operating system that serves up a giant batch of useful features such as advanced firewall, network monitoring and diagnostics, VPN, user authentication, high availability, Web filtering, and lots more. This is one of the best values in advanced firewall appliances.

Untangle Gateway

The Untangle Internet gateway is another excellent multi-function firewall that can handle a wide range of duties: user authentication (including Active Directory integration), VPN, captive portal, Web filtering, anti-virus, anti-spam, intrusion prevention, ad blocking, reporting, and higher-end features such as WAN balancing and automatic failover.

The base package is free, and you can choose from a range of add-ons that will cost you some clams. Untangle is very flexible with multiple software bundles to choose from -- from free to all the bells and whistles, including paid support. The most expensive bundle costs $540/year. The bundles are the best deals; you can also purchase individual applications, but it's like cable TV -- when you want more than two or three the bundles are a better buy, even though they include stuff you don't need.

Untangle, like Vyatta and Endian, also sells nice hardware appliances. And, like the others, the lowest-cost appliance costs slightly less than a thousand dollars. It is rated for 1-10 users but, as always, this is conservative and can support more.

There is a lot of competition in the open source firewall arena, so try a little dickering to see if you can strike a better deal. You have a lot of great products to choose from, so the differentiator could be who is willing to work the hardest to keep you happy.

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, and hundreds of Linux how-to articles. She's the former managing editor of Linux Planet and Linux Today.
