Free firewalls have become very common and represent an excellent alternative to commercial firewall packages.
Most of these firewalls run under some form of Linux, FreeBSD, or OpenBSD.
Many of these free firewalls are front-ends for the lower-level firewall packages which ship with these operating systems, such as pf (Packet Filter), ipf (IPFilter), ipfw (IPFirewall), and iptables.
Free firewall packages which you can download include:
Firestarter is a free firewall tool for Linux machines. Whether you simply want to protect your personal workstation or you have a network of computers to secure, Firestarter is here to make your life easier. While a firewall cannot guarantee security, it is the first line of defense against network-based attacks.
Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators.
We strongly believe that your job is to make the high-level security policy decisions and ours is to take care of the underlying details. This is a departure from your typical Linux firewall, which has traditionally required arcane, implementation-specific knowledge.
- Open Source software, available free of charge
- User friendly, easy to use, graphical interface
- A wizard walks you through setting up your firewall the first time
- Suitable for use on desktops, servers and gateways
- Real-time firewall event monitor shows intrusion attempts as they happen
- Enables Internet connection sharing, optionally with DHCP service for the clients
- Allows you to define both inbound and outbound access policy
- Open or stealth ports, shaping your firewall policy with just a few mouse clicks
- Enable port forwarding for your local network in just seconds
- Option to whitelist or blacklist traffic
- Real time firewall events view
- View active network connections, including any traffic routed through the firewall
- Advanced Linux kernel tuning features provide protection from flooding, broadcasting and spoofing
- Support for tuning ICMP parameters to stop Denial of Service (DoS) attacks
- Support for tuning QoS parameters to improve services for connected client computers
- Ability to hook up user defined scripts or rule sets before or after firewall activation
- Supports Linux Kernels 2.4 and 2.6
- Translations available for many languages (38 languages as of November 2004)
Zorp is a new-generation proxy firewall suite and as such its core architecture is built around today’s security demands: it uses application-level proxies, it is modular and component based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it lets you override client actions, it lets you protect your servers with its built-in IDS capabilities… The list is endless. It gives you all the power you need to implement your local security policy.
- Uses a script language (Python) as its configuration and decision language
- Supported protocols:
- Utilizing modular application gateways
- Able to analyze sub-protocols (for example HTTP in SSL)
- Can add/remove packet filter rules on-demand
- You can write your own proxy modules in Python if a native version is not available
Turtle Firewall is software which allows you to build a Linux firewall in a simple and fast way. It’s based on Kernel 2.4.x and Iptables. Its way of working is easy to understand: you define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements. You can do this simply by editing an XML file or by using the comfortable web interface, Webmin.
- ZONES, NETWORKS, HOSTS and GROUPS definitions.
- Filter rules definitions based on services.
- New services definitions.
- NAT (Network Address Translation)
LutelWall is a high-level Linux firewall configuration tool. It uses a human-readable and easy to understand configuration to set up Netfilter in the most secure way. The flexibility of LutelWall allows firewall administrators to build very simple, single-homed firewalls as well as the most complex ones, with multiple subnets, DMZs and traffic redirections.
LutelWall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. The configuration method of this firewall is designed to be as simple as possible without losing Netfilter’s flexibility and its security features.
LutelWall is a Linux IPtables shell script written in bash for use as a stateful firewall and NAT/masquerade router for single- or multiple-subnet networks.
LutelWall makes use of the netfilter code in the 2.4 Linux kernel and is more robust and configurable than an equivalent IPchains script.
- Traffic features:
  - Flexible control over traffic using a rule set
  - User-defined protocol support
  - Support for any kind of multiple external and internal interfaces (and aliases)
  - Automated MASQUERADE / SNAT support
  - Easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
  - Rate limit extensions
  - Packet marking for 3rd party shapers
  - TOS (Type of Service) traffic optimizer
  - Both passive and active FTP support
  - DHCP support
  - Can work as a “workstation” firewall
- Security features:
  - Stateful TCP connection tracking with a restrictive TCP chain
  - Blocking all stealth-mode scans (FIN, Xmas Tree, Null, Window scan or ACK scan modes: nmap -sF -sX -sN -sW -sA)
  - Blocking IP protocol scans (nmap -sO)
  - Blocking UDP scans (nmap -sU)
  - Blocking identification via TCP/IP fingerprinting (nmap -O)
  - Anti-spoof protection, including protection for aliases
  - Anti-smurf protection
  - TCP SYN flood protection
  - UDP / ICMP flood protection
  - IANA reserved address checking
  - SYSCTL parameters set for increased strength
- Logging features:
  - Logging of stealth scans (FIN, Xmas Tree, Null; nmap -sF -sX -sN), ACK scans, IP protocol scans (nmap -sO), UDP scans (nmap -sU) and nmap fingerprinting attempts
- Other features:
  - Autodetection of connection type (static/dynamic, external/internal)
  - Auto update of the firewall tool
  - Auto update of the IANA reserved list
  - Display firewall statistics in iptables native, CSV or HTML format
  - Easy deployment on all distributions
floppyfw is a router with the advanced firewall capabilities of Linux that fits on one single floppy disk.
- Access lists, IP-masquerading (Network Address Translation), connection tracked packet filtering and (quite) advanced routing. Package for traffic shaping is also available.
- Requires only a 386sx or better with two network interface cards, a 1.44MB floppy drive and 12 MB of RAM (for less than 12 MB and no FPU, use the 1.0 series, which will stay maintained).
- Very simple packaging system. It is used for editors, PPP, VPN, traffic shaping and whatever comes up.
- Logging through klogd/syslogd, both local and remote.
- Serial support for console over serial port.
- DHCP server and DNS cache for internal networks.
Guarddog is a firewall configuration utility for Linux systems. Guarddog is aimed at two groups of users: novice to intermediate users who are not experts in TCP/IP networking and security, and those users who don’t want the hassle of dealing with cryptic shell scripts and ipchains/iptables parameters.
- Easy to use goal oriented GUI. You say what the firewall should do without having to explain all the details of how it should do it.
- Application protocol based. Unlike other tools, Guarddog does not require you to understand the ins and outs of IP packets and ports. Guarddog takes care of this for you. This also reduces the chances of configuration mistakes being made which are a prime source of security holes.
- Doesn’t just generate the firewall once and forget it. Guarddog lets you maintain and modify the firewall in place.
- Hosts/networks can be divided into Zones. Different zones can have different security policies.
- Supports the following network protocols: FTP, SSH, Telnet, Linuxconf, Corba, SMTP, DNS, Finger, HTTP, HTTPS, NFS, POP2, POP3, SUN RPC, Auth, NNTP, NETBIOS Name Service, NETBIOS Session Service, IMAP, Socks, Squid, pcANYWHEREstat, X Window System, Traceroute, ICQ, PowWow, IRC, PostgreSQL, MySQL, Ping, Quake, QuakeWorld, Quake 2, Who Is, Webmin, ICMP Source Quench, ICMP Redirect, Real Audio, Line Printer Spooler, syslog, NTP, NetMeeting, Gnutella, LDAP, LDAP-SSL, SWAT, Diablo II, Nessus, DHCP, AudioGalaxy, DirectPlay, Halflife, XDMCP and Telstra’s BigPond Cable, CDDB, MSN Messenger, VNC, PPTP, Kerberos, klogin, kshell, NIS, IMAPS, POP3S, ISAKMP, CVS, DICT, AIM, Fasttrack, Kazaa, iMesh, Grokster, Blubster, Direct Connect, WinMX, Yahoo! Messenger, AH, ESP, Jabber, EsounD, Privoxy, eDonkey2000, EverQuest, ICP, FreeDB, Elster, Yahoo games, Legato NetWorker backups, Novell Netware 5/6 NCP, Bittorrent, rsync, distcc, Jabber over SSL, PGP key server, Microsoft Media Server and gkrellm.
- Protocols not supported in the list above can be entered in directly.
- Supports router configurations.
- Runs on KDE 2 or 3, and Linux 2.2, 2.4 and 2.6 series kernels.
- Supports advanced Linux 2.4+ iptables features such as connection tracking and rate limited logging.
- Firewall scripts can be imported/exported for use on machines other than the current one.
- DHCP support.
- Uses a “what is not explicitly allowed, is denied” philosophy. Fail-safe design.
- Well documented with tutorials and reference material.
- Licensed under the terms of the GNU General Public License. Is Free and will remain Free.
IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and open source software.
OLD PC + IPCOP = Secure Internet Appliance
IPCop lets you take an old PC and convert it into an appliance that will:
- Secure your home network from the internet.
- Improve the performance of web browsers (by keeping frequently used information)
All this functionality can be managed from a simple-to-use web interface; even updates and patches can be installed using a web browser.
IPCop works with most home networks and small office networks, dial-up modems, cable modems, ADSL, leased lines and ISDN. It also lets several PCs share connections to the internet. If you have an always-on connection, you can even use IPCop to protect your web and email servers. IPCop also has remote management, meaning you can securely update and reconfigure your IPCop firewall from anywhere with an internet connection.
Endian is a “turn-key” Linux security distribution that turns every system into a full featured security appliance. Endian has been designed with usability in mind and is very easy to install, use and manage, without losing its flexibility.
Endian’s features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, FTP, POP3, SMTP) with antivirus support, virus and spam filtering for email traffic (POP and SMTP), content filtering of web traffic and a “hassle free” VPN solution (based on OpenVPN).
SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use.
The m0n0wall project is aimed at creating a complete, embedded firewall software package that provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price. The m0n0wall software is free, so your only cost is the price of a small dedicated PC.
m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep the configuration transparent.
m0n0wall is probably the first Unix system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals, such as using OpenBSD’s ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC) for excellent packet queueing and finally an integrated package management system for extending the environment with new features.
OPNsense is a fork of pfSense, which was itself a fork from m0n0wall. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases.
OPNsense features include:
- A stateful inspection firewall with granular control over the state table
- Network Address Translation (NAT)
- A traffic shaper
- A captive portal to force authentication, or redirection to a click-through page for network access
- 802.1Q VLAN support
- Virtual Private Network support with IPSec, OpenVPN, and PPTP.
- Dynamic Domain Name System (DDNS) support
- High Availability (HA), with hardware failover, configuration synchronization, and state table synchronization
- DHCP Server and Relay
- Reporting and monitoring with RRD and real-time SVG graphs.