Wednesday, March 8, 2017

6 best free Linux firewalls of 2017

Note: Our best free Linux firewalls round-up has been fully updated. This feature was first published in June 2010.

You're walking down a dark alley, late at night, when suddenly someone jumps out and forces you to hand over your passport, credit cards, and the keys to your car. This is a decent analogy of what using the internet can be like.

Around every corner lurks danger, and given today's always-on connections, you may have the internet equivalent of burglars without even realising. For the ultimate in computer security, a firewall is similar to having a burly bodyguard walking down the street with you, keeping you safe. Most modern routers have a firewall built in, which while helpful can be difficult to configure.

Fortunately there are also distributions (distros) of the free operating system Linux which have been specifically designed to function as firewalls. These will generally have much more advanced features than those found on a router, and allow you to have far greater control over keeping your personal or business network safe.

In this article, we're going to evaluate six of the most popular free firewall distros. We have tried to emphasise both power and ease of use when considering these offerings and their relative merits. If you want to see all the firewall distros available out there, feel free to visit the DistroWatch website for a comprehensive list. 

These distros can either be installed to a physical computer, or if you only have one device, run from a virtual machine. See our guide on setting up a virtual machine in Windows.

Most distros can be downloaded as an ISO file. You can use programs like UNetbootin to copy them to a USB stick and boot. Follow the steps in our guide here to do this. 

ClearOS is by far the sleekest looking firewall distro in this roundup. It's obvious that a lot of time and care has gone into developing the interface.

As most firewall distros are written for the stereotypical geek, it's nice to see a refreshing change in what seems to have become the de facto standard of 'cobble it together and think about the interface afterwards'. This said, ClearOS will run quite happily from the command line for more advanced users.

The installation is painless and takes around 10 minutes to complete. You're given the choice to start in Public Server or Gateway mode, depending on how you want to use ClearOS.  

Once done, reboot and you'll be given all the info you need to access and administer your new firewall remotely. Everything is straightforward – it's obvious that a lot of thought has gone into making ClearOS as easy-to-use as possible.

Once you've completed setup and accessed the web-based admin system, it doesn't take long to familiarise yourself with the various settings and features of ClearOS as the distro provides ‘Getting Started’ help once you log in to the web interface. Setting up firewall rules is quick and painless, as is much of the other configuration.

The most pertinent feature of ClearOS is its usability, but this distro is about a lot more than just sleek looks. It packs in plenty of features as well – not only does it give you a simple, clean way to manage a firewall, but it enables the addition of extra services to your network.

Overall, ClearOS is a powerful distro. As it's available in both free 'Community' and paid 'Professional' versions, it's perfect for both homes and small businesses. 

Verdict

A well thought-out distro that's refreshingly easy-to-use and expands to suit your needs.

This distro, while entirely separate from IPFire, also uses helpful colour-coding to represent different connections. Green is for LAN, red for the internet, orange for DMZ, and blue for wireless clients.

IPCop was originally a fork of Smoothwall (which we’ll cover later) and was in turn forked by the IPFire team as updates to IPCop are few and far between. The most recent version (2.1.9) was released in February 2015.

Installation is relatively straightforward, but there are some wildcard questions thrown into the mix. While these may puzzle the novice user, accepting the default options won't cause any issues unless you have a very specific network configuration. One of the main advantages of IPCop is that the installation image is very small (around 60MB) and can be copied onto a DVD or flash drive. 

IPCop's web interface feels clunky, although our tests proved that this was merely psychological, because it was actually incredibly responsive. However, other than the 'real-time' graphs that Smoothwall provides, IPCop gives a lot more information about your LAN setup, and about the running of the firewall itself, including a list of the connections that are currently open.

The Firewall also provides a 'caching proxy', so that you can cache frequently accessed pages locally.

IPCop does a good job as a firewall, giving plenty of information about traffic on your network, and while it might not be the prettiest distro in the world, it does what it's designed to do.

Verdict

The interface doesn't look great, but this distro protects your network effectively.

OPNsense is an easy-to-use open source firewall based on FreeBSD 10.1 to ensure long-term support. Obviously enough, the project’s name is derived from the words 'open' and 'sense', standing for: ‘Open source makes sense.’

The OPNsense project started out as a fork of the more established firewall pfSense in January 2015. The team claimed their reasons for forking the project were partly due to the type of licence pfSense used at the time, and partly because they believed they could create a more secure firewall. 

The firewall now shares only around 10% of its code with the original pfSense project. Also note that the fork generated quite a lot of controversy between pfSense diehards and OPNsense supporters on Reddit.

OPNsense offers weekly security updates so can respond quickly to threats. It contains many advanced features you'd usually find only in commercial firewalls such as forward caching proxy and intrusion detection. It also supports using OpenVPN.

OPNsense incorporates a very rich GUI written in Phalcon PHP which is a real pleasure to use. Aside from being more appealing than pfSense's interface, OPNsense was created partly due to the fact that the team felt the graphical interface shouldn't have root access, as this can cause security issues. 

The GUI has a simple search bar as well as a new System Health module. This module is interactive and provides visual feedback when analysing your network. You can also now export your data in CSV format for further analysis.

The firewall uses an Inline Intrusion Prevention System. This is a powerful form of Deep Packet Inspection whereby instead of merely blocking an IP address or port, OPNsense can inspect individual data packets or connections and stop them before they reach the sender if necessary. OPNsense also offers LibreSSL over OpenSSL.

Verdict

An excellent and security-minded fork of the original pfSense project that offers a huge array of features.

IPFire is a Linux firewall distro focusing on user-friendliness and easy setup without compromising your security, supporting some useful features such as intrusion detection. IPFire takes a serious approach to security by using an SPI (Stateful Packet Inspection) Firewall built on top of netfilter. 

IPFire is specifically designed for people who are new to firewalls and networking, and can be set up in minutes. The installation process allows you to configure your network into different security segments, with each segment being colour-coded. The green segment is a safe area representing all normal clients connected to the local wired network. The red segment represents the internet. 

No traffic can pass from red to any other segment unless you have specifically configured it that way in the firewall. The default setup is for a device with two network cards with a red and green segment only. However, during the setup process you can also implement a blue segment for wireless connections and an orange one known as the DMZ for any public servers. 

Once setup is complete, you can configure additional options and add-ons through an intuitive web interface. 

The ISO image for IPFire is only 160MB in size, so once burned to DVD it'll happily load into your computer's system memory and work from there. Alternatively you can download a flash image to install it to a router or even an image for ARM devices such as the Raspberry Pi.  

The IPFire project is in the process of crowdfunding a ‘captive portal’. This is perfect if you wish to show people who connect to your Wi-Fi network a landing or login page before connecting directly to the internet. It also prevents rogue devices connecting automatically. 

Verdict

A lightweight and easy-to-use firewall with some super-advanced features.

Like OPNsense, pfSense is based on FreeBSD and designed specifically to work as a firewall and router. As we’ve mentioned already, the fork between these two projects was controversial and pfSense still has many loyal users. Updates are released quarterly. 

This distro runs on a range of hardware but currently only supports x86 architecture. The website has a handy hardware guide to allow you to choose a compatible device. 

The installation is done from a command line but it’s very simple. You can choose to boot from either a CD or USB drive.

The setup assistant will ask you to assign interfaces during the installation, rather than once you've booted to the web interface. You can use the auto-detect feature to work out which network card is which. 

The firewall has a small number of built-in features, such as multi-WAN, Dynamic DNS, hardware failover, and different methods of authentication. Unlike IPFire, pfSense already has a feature for a captive portal, whereby all DNS queries can be resolved to a single IP address such as a landing page for a public Wi-Fi hotspot. 

This distro has a clean interface and is very smooth to use. Once again, as it's based on BSD, some of the terminology used is confusing, but doesn't take long to get to grips with. 

pfSense is possibly the most feature-rich firewall distro out there, but falls down due to a lack of non-firewall-related extra features. If you're just after a simple firewall, you can't go wrong by choosing pfSense, but if you need anything above and beyond that basic functionality, you may want to consider one of the other distros.

Verdict

The most complete firewall distribution here, but it doesn't come with any non-firewall extras.

Smoothwall Express is probably the most well-known firewall distro. To test this, we did a quick poll of 20 Linux geeks, asking them to name a firewall distro. 19 of them came up with Smoothwall first.

The installation of Smoothwall Express is text-based, but you don't need to be familiar with the Linux console and it’s all fairly straightforward. You may prefer to download or indeed print out the installation guide to walk you through the setup process. In order to do this you'll need to create a my.smoothwall profile.

There are three installation options: Standard, Developer and Express. Developer is reserved for those people who actually want to work on coding the Smoothwall project. Express is a stripped-down version of Smoothwall which ensures maximum compatibility with older hardware. 

Unless you have a very specific network configuration, you can usually accept the default options. 

The web-based control panel is simple and easy to understand. Smoothwall Express doesn't provide much in the way of extra features, but does allow you to have a separate account to control the main connection, which is especially useful if you're using dial-up, alongside its caching web proxy service.

One of the benefits of Smoothwall Express is the simplicity it offers when running internal DNS – adding a new hostname takes only a few seconds. Assigning static IPs and enabling remote access can also be accomplished with a few mouse clicks. 

The only issue we noticed during testing was that assigning static DHCP lease assignments requires you to click Add followed by Save, and it isn't particularly obvious that you have to perform the second step. This led to a fair bit of confusion with our network attached printers jumping from one IP address to another.

Verdict

A great firewall that's easy-to-use, but it comes up a bit short in terms of more advanced features.

Choosing the right firewall distro is largely dependent on your specific requirements, but whatever they may be, having protection from a firewall is simply a matter of common sense given the multitude of dangers on the internet these days. That said, aside from basic protection, once your firewall is installed it can also be helpful to have a few extra features for good measure.

Just a firewall

If you're after a basic firewall, then all of the distros here will do a good job, with some performing better than others. If this sounds like you, you can't go wrong with IPFire, which probably has the easiest setup process. 

Failing that, IPCop and Smoothwall Express are excellent options if you're not after anything too complex. If you need a commercial-grade solution and have money to burn, check out Smoothwall's paid-for arm.

If you want something with a small footprint, or to run on an embedded device, pfSense's website contains helpful guides to do this, although it will only run on x86 architectures. For other types of hardware, consider IPFire. 

The winner

For us, however, a box in the corner that isn't being used to its full extent is a wasted box. This is why we prefer to use virtualisation, whereby the firewall can run as a virtual server on the same hardware you use for web browsing. 

While ClearOS remains the most powerful firewall, virtualisation is not as easy as it is with other firewall distros such as IPFire. And this, combined with the fact that IPFire allows easy customisation through its own add-on service Pakfire, means it’s the narrow winner over ClearOS, receiving our gold medal. 

Nevertheless, Smoothwall Express deserves an honourable mention. It's the only firewall that once installed will keep on running with minimal prompting and interference from you. If you ever need to locate specific settings, these are simple to find as well.



from blogger-2 http://ift.tt/2mmRQ77
via IFTTT

No comments:

Post a Comment