Note: Our best free Linux firewalls round-up has been fully updated. This feature was first published in June 2010.
You're walking down a dark alley, late at night, when suddenly someone jumps out at you and forces you to hand over your passport, your credit cards, and the keys to your car. This is a decent analogy of what using the internet is like.
Around every corner lurks danger, and given today's always-on connections, you may have the internet equivalent of burglars without even realising. For ultimate computer security, a firewall is similar to having a big, burly bodyguard walking down the street with you, keeping you safe. Most modern routers come with firewalls to help protect you, but if yours doesn't then a firewall distro should be able to help you, whether we're talking about a home or office network.
Most firewalls are designed to run in one of two places. Firstly, there are firewalls designed to sit on your machine, and protect you from the internet wherever you go. Most Linux distributions have Iptables, which will protect your computers or servers individually. The other kind of firewall is designed to sit between your network and the connection to the internet (or another network). We'll be looking at a selection of these in this roundup.
With the massive choice of firewall distributions that's available today (check out Distrowatch.com for a comprehensive list), we'll look at what makes some options better than others, and which might be best for you and your particular computer setup.
And the great thing is, all of this software is free…
ClearOS is by far the sleekest looking firewall distribution in this roundup. It's obvious that a lot of time and attention has gone into developing the interface, with much of that effort spent focusing on usability issues.
As most firewall distributions are written for the stereotypical geek, it's nice to see a refreshing change in what seems to have become the de facto standard of 'cobble it together and think about the interface afterwards'.
The installation is painless – it's similar to Fedora's graphical setup – and takes around 10 minutes to complete. Once done, reboot and you'll be given all the info you need to access and administer your new firewall remotely. Everything is straightforward and it's obvious that a lot of thought has gone into making ClearOS as easy to use as possible.
Once you've set yourself up and got into the web-based administration system, it doesn't take long for you to familiarise yourself with the system, thanks to its ease of use. Setting up firewall rules is quick and painless, as is much of the other configuration.
The most pertinent feature of ClearOS is its usability, but this distro is about a lot more than just sleek looks. It packs in plenty of features as well – not only does it give you a simple, clean way to manage a firewall, but it enables you to add extra services to your network.
This means that if you're fed up with that Windows box sitting in the corner running all your fileshares and printer services, you can replace it with a ClearOS system.
Overall, ClearOS is a powerful distro, backed by a corporate arm, giving you the tools you need to run your network, and the option to expand things further as and when your specific requirements dictate.
A well thought-out distribution that's refreshingly easy to use and expands to suit your needs.
- ClearOS Community 7.1
- Website: www.clearos.com/clearfoundation/software/clearos-7-community
- Rating: 9/10
This distro has been touted by many as the 'Smoothwall Killer'. Working along similar lines to Smoothwall Express, IPCop uses colours to represent different connections. Green is for LAN, red for the internet, orange for DMZ, and blue for separating out wireless clients.
In fact, IPCop is a fork of Smoothwall, so you'll probably find a lot of similarities between the two. IPCop was forked from Smoothwall back in 2002, and has grown in strength since then.
Installation is relatively straightforward to follow, but there are some wildcard questions thrown into the mix. While these may puzzle the novice user, accepting the default options won't cause any issues (unless you have a strange network setup).
IPCop's web interface feels clunky, although our tests showed that this was merely a matter of perception, because it was actually incredibly responsive. Apart from the 'real-time' graphs that Smoothwall provides, IPCop gives a lot more information about your LAN setup and about the running of the firewall itself, including a list of the connections that are currently open.
IPCop also gives you functionality that's useful if you're still using dial-up, because you can have a separate username and password to control the dial-up connection, without giving access to change the rest of the settings on your firewall.
It also provides a 'caching proxy', so that you can cache frequently accessed pages locally.
IPCop does a good job as a firewall, giving plenty of information about traffic on your network, and while it might not be the prettiest distro in the world, it does what it's designed to do.
The interface doesn't look great, but this distro protects your network effectively.
- IPCop 2.19
- Website: www.ipcop.org
- Rating: 8/10
Zentyal Server Development Edition
Zentyal Server began life as eBox Platform, and is billed as a 'Linux mail server that is natively compatible with Outlook'. Despite its obvious email leanings, this is more of a fully functional small business server, backed up with infrastructure, domain and directory management and – of course – networking and firewall features.
It's based on the latest LTS release of Ubuntu Server, so installation is practically identical to installing Ubuntu Server itself, which means it's as straightforward as you'd expect it to be. You can also install the various components of Zentyal Server on to a generic Ubuntu LTS version by simply adding an APT repository and installing certain packages.
This is useful if you already have a box lying around with Ubuntu installed on it, or if you only require certain parts of the Zentyal Server, such as its firewall. This is because Zentyal has been built around the core of Ubuntu Server, and uses its components internally.
Once it's installed, you can log into Zentyal locally through the Windows-like desktop interface, or access it remotely through your browser, using the user credentials you provided during installation. At this point, you may find yourself horrendously overwhelmed by the sheer number of options that Zentyal gives you. But rest assured, once you find the firewall screen, configuring it is simple.
While Zentyal Server is one of the biggest firewall distributions we tested in terms of the sheer size of the download, you've got to remember that it packs in a lot of features, including database and SIP servers, although it lacks Active Directory authentication.
We've also given Zentyal Server extra marks for the fact that it offers so much by way of configuration, and provides almost everything you'd need to run your home or office network right from the default install.
Don't be put off by the seemingly overwhelming interface, because this offers so much more than a firewall.
- Zentyal Server Development Edition 4.2
- Website: www.zentyal.org/server
- Rating: 9/10
Monowall is a BSD-based firewall designed to run on a 16MB flash card, and it has the smallest footprint of the firewalls we tested. Because of this, Monowall only provides the barebones features for a firewall. Still, given it's so small, it's a rather impressive distribution.
Monowall boots directly into a configuration menu. First, you have to configure the network interfaces. Monowall's Auto Detect feature helps if you can't work out which identifier corresponds to which physical connection, because it assigns the LAN/WAN interface by detecting a cable being unplugged and then plugged back in.
Monowall has the advantage of being one of the few firewalls we've tested here that provides Quality of Service (QoS) routing by default, which enables you to 'traffic shape' your connection so that certain requests get priority. This is useful if you want to use VoIP for your telephone connection, because you can prioritise the VoIP link.
Once you've assigned your network interfaces, you can set a password for the WebGUI system, which enables you to configure the rest of your firewall setup via the web-based interface.
Being a BSD-based system, some of the terminology may initially seem confusing, but after some web searches and a period of acclimatisation, it becomes second nature.
Although Monowall is a tiny firewall distribution, security isn't compromised. It's particularly good for those of you who want to run a safe network without having to spend too much money on hardware, since it will run fine on a standard, off-the-shelf PC.
Note: Monowall has been discontinued as of February 15, 2015, but is still available for download. The developers recommend OPNsense as its natural successor, but see the next slide for another Monowall-based firewall…
Great for older boxes and embedded systems, but only has basic features, and is no longer supported.
- Monowall 1.81
- Website: http://m0n0.ch
- Rating: 5/10
pfSense seems a strange name at first, but when you realise that it's a fork of Monowall, and therefore BSD-based, it starts to make sense.
BSD uses pf (packet filter) as its stateful packet filter, which does much the same job as Iptables, although some say it's more powerful. This is because pf and Iptables work in different ways.
pf works better with stateful rules (where it needs or uses information about previous packets in a stream), and Iptables is better with stateless rules (where it doesn't need to know about previous packets). In this sense, pf is slightly more secure than a firewall using Iptables would be, because by tracking TCP sequence numbers it makes a connection harder to spoof.
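The stateful-versus-stateless distinction above, as an added toy model rather than code from pf, Iptables or any distro in this round-up: a stateless 'established' rule judges each packet on its own, while the stateful filter keeps one entry per connection and checks the peer's sequence number against the window it expects, so a forged inbound packet is dropped. The 10.0.0.0/8 LAN prefix, the 64 KiB window and the constructed packets are assumptions.

```python
from dataclasses import dataclass
WINDOW = 65535      # assumed receive window for the in-window check
LAN_PREFIX = "10."  # assumed LAN side (the 'green' network in this round-up's terms)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"
    seq: int

def stateless_allow(pkt):
    # Stateless rule: LAN may send anything out; inbound is admitted if ACK is set.
    # Each packet is judged on its own, so a forged ACK with any seq gets through.
    if pkt.src.startswith(LAN_PREFIX):
        return True
    return pkt.dst.startswith(LAN_PREFIX) and "A" in pkt.flags

class StatefulFilter:
    """One entry per connection opened from the LAN; an inbound packet must match
    an entry and carry a sequence number inside the window the entry expects."""
    def __init__(self):
        self.states = {}  # (lan_ip, lan_port, peer_ip, peer_port) -> expected peer seq, None until SYN-ACK
    def allow(self, pkt):
        if pkt.src.startswith(LAN_PREFIX):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and key not in self.states:
                self.states[key] = None  # outbound SYN opens the state
            return key in self.states
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.states:
            return False  # no state: dropped even though ACK is set
        expected = self.states[key]
        if expected is None:
            if pkt.flags != "SA":
                return False  # first reply must be the SYN-ACK
            self.states[key] = pkt.seq + 1
            return True
        return expected <= pkt.seq < expected + WINDOW  # out of window: treated as spoofed

def demo():  # legitimate handshake plus one data segment, then a forged inbound ACK
    sf = StatefulFilter()
    syn = Packet("10.0.0.5", 40000, "203.0.113.7", 443, "S", seq=1000)
    synack = Packet("203.0.113.7", 443, "10.0.0.5", 40000, "SA", seq=5000)
    data = Packet("203.0.113.7", 443, "10.0.0.5", 40000, "A", seq=5001)
    forged = Packet("203.0.113.7", 443, "10.0.0.5", 40000, "A", seq=999999)
    legit = [sf.allow(syn), sf.allow(synack), sf.allow(data)]
    return legit, stateless_allow(forged), sf.allow(forged)
```

Running `demo()` shows the three legitimate packets accepted by the stateful filter, while the forged ACK passes the stateless rule but is rejected by the stateful one.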
pfSense, like Monowall, has a simple install process that drops you to a command line, but unlike Monowall, it asks you to set up the interfaces during the installation, rather than once it's booted. Again, determining which network card relates to which interface is easy with the Auto Detect feature.
Being a fork of Monowall, you'd expect the features to be similar or even identical, but pfSense adds extra features, such as multi-WAN, hardware failover, and different methods of authentication.
It has a cleaner interface and feels smoother to use. Once again, being BSD, some of the terminology used is confusing, but doesn't take long to get to grips with.
pfSense is possibly the most feature-rich firewall distribution out there, but falls down due to its lack of extra features that aren't entirely firewall-related. If you're just after a firewall, you won't go wrong by choosing pfSense, but if you need anything extra, you'll need another box to put it all on.
The most complete firewall distribution here, but it doesn't come with any non-firewall extras.
- pfSense 2.2.6
- Website: www.pfsense.org
- Rating: 7/10
Smoothwall is probably the best known firewall distro. To test this, we did a quick poll of 20 Linux geeks, asking them to name a firewall distro. 19 of them came up with Smoothwall first.
Installation of Smoothwall Express is once again pretty straightforward, if a little confusing. It's definitely worth downloading the Installation Guide to walk you through the installation process. You can mostly accept the default options and everything should just work, unless you've got an unusual network configuration.
Once you've completed the initial setup of Smoothwall Express, you're good to go because it doesn't require much further tweaking, other than plugging the network cables into the right place.
The web-based control panel is simple and easy to understand – it gives you quick access to the functionality that Smoothwall provides. Smoothwall Express doesn't provide much in the way of extra features, though.
However, like IPCop, it does enable you to have a separate account that can control the main connection, which is especially useful if you're using dial-up, alongside its caching web proxy service.
One of the benefits of Smoothwall Express is the simplicity it offers when running internal DNS – adding a new hostname takes only a few seconds.
The only issue we noticed during testing was that assigning static DHCP leases requires you to click Add followed by Save, and it isn't particularly obvious that you have to do the second step. We found that this led to a fair bit of confusion, with our network-attached printers jumping from one IP address to another.
A great firewall that's easy to use, but it comes up a bit short in terms of more advanced features.
- Smoothwall Express 3.1
- Website: www.smoothwall.org
- Rating: 8/10
Choosing the right firewall distro is largely dependent on the job you need it to do. If you're setting up a home or office network, having a firewall in place makes a lot of sense. Other than common sense, firewalls are the best way of fighting against the plethora of dangers out there on the internet.
But some of the time, it's also a good idea to have that bit of extra functionality to make your life easier.
Just a firewall
If you're just after a firewall, then all of the distributions here will do a good job, with some performing better than others. If this sounds like you, you can't go wrong with pfSense.
Failing that, IPCop and Smoothwall Express are excellent options if you're not after anything too complex – check out Smoothwall's paid-for arm if you're looking for a commercial-grade solution, but beware of the price.
If you want something with a small footprint, or to run on an embedded device, then once again pfSense makes a good choice – in the past we'd have favoured Monowall, but the fact it's no longer actively maintained counts against it.
For us, however, a box in the corner that isn't being used to its full extent is a wasted box (which is why we like virtualisation). Because of this, our overall winner is Zentyal Server.
The astounding feature list and the fact that it's built on top of a standard Ubuntu install means that along with the firewall, you've got a box that can do close to anything you can imagine. Admittedly, it was quite hard to decide between Zentyal and ClearOS (both of them scored 9/10).
Ultimately, although ClearOS offers a lot of functionality and has an amazingly usable interface, Zentyal has the potential to have any kind of functionality added to it. If you don't need all the super-powered features that Zentyal gives you, you'll find that ClearOS provides you with everything you need in a single, well-maintained, usable package.
Finally, Smoothwall Express deserves a special mention, because it's the only firewall that you can leave alone once it's installed, and not have to play with to get it up and running. If you ever need to locate specific settings in it, these are simple to find as well.