7 of the best Linux firewalls

Distributions designed to secure your network

Monowall: Meet the smallest distribution in our test

Monowall is a BSD-based firewall designed to run on a 16MB flash card, and it has the smallest footprint of the firewalls we tested. Because of this, Monowall only provides the bare bones features for a firewall. Still, given it's so small, it's a rather impressive distribution.

Monowall boots directly into a configuration menu. First, you have to configure the network interfaces with Monowall's 'Auto Detect' feature, which, for those of you who generally can't work out which identifier corresponds to each network connection, enables you to assign a LAN/WAN interface by detecting a cable being unplugged, then plugged back in.


Monowall has the advantage of being one of the few firewalls we've tested here that provides quality of service (QoS) routing by default, which enables you to 'traffic shape' your connection so that certain requests get priority. This is useful if you want to use VoIP for your telephone connection, because you can prioritise the VoIP link.

Once you've assigned your network interfaces, you can set a password for the WebGUI system, which enables you to configure the rest of your firewall setup via the web-based interface.

Being a BSD-based system, some of the terminology may initially seem confusing, but after some web searches and then using it for a while, it becomes second nature.

Although Monowall is a tiny firewall distribution, security isn't compromised. It's particularly good for those of you who want to run a safe network without having to spend too much money on hardware, since it will run fine on a standard, off-the-shelf PC.


Monowall 1.31
Price: Free
Website: http://m0n0.ch

Great for older boxes and embedded systems, but only has basic features.

Rating: 5/10

PfSense: If you want a comprehensive firewall and nothing else, look no further

PfSense seems a strange name at first, but when you realise that it's a fork of Monowall, and therefore BSD-based, it starts to make sense.

BSD uses a program called pf (packet filter) as its stateful packet filter, which is much the same as Iptables, although some say it's more powerful. This is because pf and Iptables work in different ways.


Pf works better with stateful rules (where it needs or uses information about previous packets in a stream), and Iptables is better with stateless rules (where it doesn't need to know about previous packets). In this sense, pf is slightly more secure than a firewall using Iptables would be, because by tracking TCP sequence numbers, it makes a connection harder to spoof.
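An added illustration of the stateful/stateless distinction described above (not code from pf, Iptables or the original article): a simplified, one-direction model in which a header-only rule accepts any packet to the allowed port, while a tracker that remembers the next expected sequence number drops a segment carrying the right addresses and ports but an out-of-window sequence number. The class names, the 65535-byte window and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                      # constructed, simplified TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    length: int = 0
    syn: bool = False

def stateless_allow(pkt, allowed_dport=80):
    """Header-only rule: no memory of earlier packets in the stream."""
    return pkt.dport == allowed_dport

class StatefulTracker:
    """One-direction sketch of sequence tracking (assumed model, not pf's code)."""
    def __init__(self, allowed_dport=80, window=65535):
        self.allowed_dport = allowed_dport
        self.window = window       # assumed receive window in bytes
        self.next_seq = {}         # (src, sport, dst, dport) -> next expected seq

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:                # new connection: apply the rule, create state
            if pkt.dport != self.allowed_dport:
                return False
            self.next_seq[key] = (pkt.seq + 1) % 2**32
            return True
        expected = self.next_seq.get(key)
        if expected is None:       # no SYN seen for this 4-tuple
            return False
        offset = (pkt.seq - expected) % 2**32   # modular: seq wraps at 2^32
        if offset >= self.window:  # outside the window: not this stream
            return False
        if offset == 0:            # in-order data advances the expected value
            self.next_seq[key] = (pkt.seq + pkt.length) % 2**32
        return True

def demo():
    # Constructed packets using documentation address ranges.
    ep = ("192.0.2.10", 40000, "198.51.100.5", 80)
    syn = Packet(*ep, seq=1000, syn=True)
    data = Packet(*ep, seq=1001, length=100)
    forged = Packet(*ep, seq=3_000_000_000, length=20)  # right 4-tuple, wrong seq
    fw = StatefulTracker()
    packets = (syn, data, forged)
    return ([stateless_allow(p) for p in packets], [fw.allow(p) for p in packets])

if __name__ == "__main__":
    print(demo())
```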

PfSense, like Monowall, has a simple install process that drops you to a command line, but unlike Monowall, it asks you to set up the interfaces during the installation, rather than once it's booted. Again, determining which network card relates to which interface is easy with the autodetect feature.

Being a fork of Monowall, you'd expect the features to be similar or even identical, but PfSense adds extra features, such as multi-WAN, hardware failover, and different methods of authentication.

It has a cleaner interface and feels smoother to use. Once again, being BSD, some of the terminology used is confusing, but doesn't take long to get to grips with.

PfSense is possibly the most featureful firewall distribution out there, but falls down due to its lack of extra features that aren't entirely firewall-related. If you're just after a firewall, you won't go wrong by choosing PfSense, but if you need anything extra, you'll need another box to put it all on.


PfSense 1.2.3
Price: Free
Website: www.pfsense.org

The most complete firewall distribution here, but it doesn't come with any non-firewall extras.

Rating: 7/10

Smoothwall Express: Probably the firewall distribution with the biggest reputation out there

Smoothwall is probably the best-known firewall distro. To test this, we did a quick poll of 20 Linux geeks, asking them to name a firewall distro. Nineteen of them came up with Smoothwall first.

Installation of Smoothwall Express is once again pretty straightforward, if a little confusing. It's definitely worth downloading the Installation Guide to walk you through the installation process. You can mostly accept the default options and everything should just work, unless you've got an unusual network configuration.

Once you've done the initial setup of Smoothwall Express, you're good to go because it doesn't require much further tweaking, other than plugging the network cables into the right place.

The web-based control panel is simple and easy to understand. It gives you quick access to the functionality that Smoothwall provides. Smoothwall Express doesn't provide much in the way of 'extra' features, as you can see from our table on the opposite page.

However, like IPCop, it does enable you to have a separate account that can control the main connection, which is especially useful if you're using dial-up, alongside its caching web proxy service.

One of the benefits of Smoothwall Express is the simplicity it offers when running internal DNS – adding a new hostname takes only a few seconds.

The only issue we noticed during testing was that setting up static DHCP leases requires you to click Add followed by Save, and it isn't particularly obvious that you have to do the second step. We found that this led to a fair bit of confusion, with our network-attached printers jumping from one IP address to another.


Smoothwall Express 3.0
Price: Free
Website: www.smoothwall.org

A great firewall that's easy to use, but it comes up a bit short in terms of more advanced features.

Rating: 8/10

Smoothwall Advanced: The paid-for firewall with a lot of bang for your buck

This is the only paid-for firewall that we're reviewing here. Smoothwall Advanced's installation process is similar to that of Express, but you'll initially only be asked to configure the internal network, so that you can access its web-based control panel to set up everything else.

Smoothwall Advanced seems designed to be used as a corporate office firewall, with the options to create authentication-based access to different parts of the network, and its web proxy and email filtering systems. This isn't necessarily a bad thing, but it can sometimes be overwhelming when you're trying to use it as a home or small office firewall.

For anyone used to using Express, the layout of the web-based administration will be familiar, although we found that because of a slightly different way of thinking about putting the firewall together, certain simpler tasks seemed harder than we had expected.

On the whole, however, the obvious attention to detail that has gone into Express is highly visible in Smoothwall Advanced as well. While the extra features available in Advanced are great for someone who wants a one-box solution, we found ourselves asking whether there was a better alternative for us, or if two boxes to create the same functionality would be a safer bet.

Add to that the 'limitations' (four network interfaces and 20 VPN connections included) and the fact that you have to pay more to expand it, and Smoothwall Advanced really doesn't make sense unless you work for a company that can pay the extra for what you need, or if you feel safer using a paid-for product.


Smoothwall Advanced 2
Price: £1,250 + yearly renewal
Website: www.smoothwall.net

A well-rounded firewall distribution, but is the price tag worth it?

Rating: 6/10

The winner: eBox Platform: 9/10

Choosing the right firewall distribution is largely dependent on the job you need it to do. If you're setting up a home or office network, having a firewall in place makes a lot of sense. Other than common sense, firewalls are the best way of fighting against the plethora of dangers out there on the internet.

But some of the time, it's also a good idea to have that bit of extra functionality to make your life easier.

When we started writing this Roundup, we thought we already knew which of these distros would win. But this was before we looked more closely at the current offerings that are out there. When we did, we were pleasantly surprised to find some of the relative newcomers to the field providing an excellent experience.

Just a firewall

If you're just after a firewall, then all of the distributions here will do a good job, with some performing better than others. If this sounds like you, you can't go wrong with PfSense.

Failing that, IPCop and Smoothwall Express are excellent options if you're not after anything too complex, with Smoothwall Advanced trailing behind simply because of the price.

If you want something with a small footprint, or to run on an embedded device, then Monowall is a perfect choice.

Bonus bits

For us, however, a box in the corner that isn't being used to its full extent is a wasted box (which is why we like virtualisation). Because of this, our winner is eBox Platform.

The astounding feature list and the fact that it's built on top of a standard Ubuntu install means that along with the firewall, you've got a box that can do close to anything you can imagine. Admittedly, it was quite hard to decide between eBox Platform and ClearOS.

Ultimately, although ClearOS gives a lot of functionality and has an amazingly usable interface, eBox has the potential to have any kind of functionality added to it. If you don't need all the superpowered features that eBox gives you, you'll find that ClearOS provides you with everything you need in a single, well-maintained, usable package.

Finally, Smoothwall Express deserves a special mention, because it's the only firewall that you can leave alone once it's installed, and not have to play with to get it up and running. If you ever need to locate specific settings in it, these are simple to find as well.

In fact, prior to testing the other firewall distributions we did for this Roundup, Smoothwall Express would most probably have been our number one choice.