5 Best Linux/BSD Firewall tools

Matt Hartley has written an article on Intranet Journal about (in his opinion) the 5 best Linux/BSD Firewall tools:

  1. IPCop
  2. pfSense
  3. M0n0wall
  4. SmoothWall
  5. Linux LiveCD Router

Over the course of recent years, some people have found the quality of most out-of-the-store firewall appliances either lacking in functionality or, worse, set at a price that has made them generally out of reach.

Because of this issue, I thought it would be beneficial to write an article to better highlight what works and what does not with regard to turning an older PC into a standalone router/firewall appliance.

He writes the following about m0n0wall and pfSense (both BSD firewalls):

M0n0wall

Regardless of a fantastic effort by IPCop, there is just something to be said about rock-solid BSD solutions. The first that comes to mind is m0n0wall. It’s small, 12 MB small! That is the single biggest distinguishing thing to note about m0n0wall: its size and portability. Designed to be a replacement for the expensive firewall appliances used today, m0n0wall works on embedded machines, in addition to being quite useful on older x86 PCs as well.

Definitely a little more advanced from a usability standpoint than other solutions out there, but do not let this fool you, because m0n0wall is VERY powerful in all of its BSD goodness. This being said, it should be noted that even though m0n0wall is workable on an older PC, it shines best on embedded systems used by more advanced administrators. Therefore, this is not a really good solution for new Windows converts looking to turn their old PC into something cool.

pfSense

From what I have been told, the pfSense project was started by the same people as m0n0wall. Those looking to revamp an older PC might be better off going with pfSense. Plenty of features to speak of. Most notable among them include:

  • Redundancy — By creating a failover group, the network will remain secure even in the event of interfaces that go offline for some reason.
  • Load Balancing — Provides both inbound and outbound balancing between WAN connections or multiple servers, depending on which way the traffic happens to be going.
  • Captive Portal — Force the user to authenticate or simply find themselves redirected to wherever you wish.

Source (IntranetJournal – 16/12/2008)

PC-BSD 7.0.2 available

The PC-BSD Team is pleased to announce the availability of PC-BSD 7.0.2, with an updated FreeBSD 7.1-PreRelease under the hood and the latest KDE 4.1.3.

Version 7.0.2 contains a number of bugfixes and improvements. For a full list of changes, please refer to the changelog. Some of the changes are:

  • KDE 4.1.3
  • Improved desktop performance with Nvidia Cards
  • Improved NTFS write support
  • HAL fixes and improvements
  • Installation bugfixes

This version of PC-BSD can be downloaded and installed as a fresh install or, alternatively, an existing PC-BSD 7.0.1 system can be updated to it via the System Update tool or via a stand-alone PBI.

Many thanks for all the feedback we have received via the Forums and the Testing mailing list.

Links: Download | Changelog | PBI Update

pfSense vs Smoothwall

So here's my dilemma for a project I'm working on.
I need a rather broad solution covering DNS, proxying, firewalling, VPN (both site-to-site and LDAP-integrated user access), DHCP, supporting multiple DMZ servers along with routing support. This will act as the centre point for a 40-person network. Clearly, hardware-wise this will have to be quite a strong system, with load balancing being a possibility and, at minimum, hardware failover.

Pros and Cons here

m0n0wall beta 12 and FreeBSD 7.0 based pfSense

The m0n0wall and pfSense projects have released a beta and two alpha versions respectively.

m0n0wall 1.3 beta 12 is out, containing a new feature: IPv6 support (routing and firewalling). The change log and the download link can be found on the beta page.

pfSense has a 1.2.1 alpha snapshot available for testing. This version contains a few bug fixes, and the base OS has changed to FreeBSD 7.0. There’s also a 1.3 alpha snapshot available for testing. This version differs significantly from 1.2 and brings all the new features that have been added to pfSense over the past 8 months.

For the pfSense download links, upgrade instructions and more information visit the pfSense blog.

Configure a professional firewall using pfSense

The Free Software Magazine has a good howto on installing and setting up pfSense.

This guide was written for Linksys, Netgear, and D-link users with no firewall or router experience. No experience is needed with FreeBSD or GNU/Linux to install and run pfSense. When you are finished, management of pfSense will be from a web interface just like any of the SOHO firewall/router appliances.

pfSense is a web-based firewall project that is similar, in terms of functionality, to the software in firewall appliances sold by Linksys, Netgear and D-Link. pfSense covers all the basic requirements offered by those appliances but offers so much more—in fact, it is really in a class by itself since it would be very difficult to find a commercial alternative that would provide what pfSense has to offer (or, anything cheaper than $2,000–$5,000).

Two good reasons to use pfSense

1. pfSense is a very powerful and stable project with advanced features. Users of pfSense have reported that it performs well even with hundreds of computers operating behind the firewall. pfSense has all the features of the SOHO units and much more. You can have multiple network subnets separated from each other using firewall rules. For example, you could have separate subnets for each business function; or separate Accounting, Marketing, Sales, and R&D from each other, while giving each one access to the Internet; or set up a HotSpot for your business, allowing users to access the Internet but not the company LAN (which usually contains a POS (Point Of Sale) system and/or proprietary information and non-public computer systems).

2. If you are an experienced FreeBSD, GNU/Linux or Unix user you may wish to add applications from the FreeBSD repository. While running additional applications on a firewall increases your exposure to the risk of being hacked, it can still be extremely useful to add a few applications to pfSense. Once you get pfSense installed you can find a list of authorized ports under the System Packages tab. These can be installed with one click. The FreeBSD.org packages are added by the user via the shell, the way it has been done for years. These FreeBSD.org packages are not officially supported by pfSense.
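The separation described under reason 1 (business subnets that each reach the Internet but not one another, and a HotSpot that cannot reach the company LAN) is configured in pfSense through firewall rules in the web GUI; underneath, pfSense generates a ruleset for FreeBSD's pf. The following is an added illustration in raw pf.conf syntax written for this page; it is not pfSense's generated configuration and not code from the Free Software Magazine howto. The interface names (em0 to em3), the subnets and the `<internal>` table are assumptions.

```pf
# Added example (not pfSense's own generated ruleset). Interface names,
# subnets and the table name are assumptions for illustration.
ext_if  = "em0"            # WAN
acct_if = "em1"            # Accounting
mkt_if  = "em2"            # Marketing
hot_if  = "em3"            # HotSpot for visitors

acct_net = "10.10.1.0/24"
mkt_net  = "10.10.2.0/24"
hot_net  = "10.10.3.0/24"

# Every company-side subnet in one table, so "not the company LAN"
# is written once and stays correct when a subnet is added later.
table <internal> const { $acct_net, $mkt_net, $hot_net }

set skip on lo0
scrub in all

# In this pf generation (FreeBSD 7.x) translation rules precede filter
# rules. All three subnets share the WAN address when going out.
nat on $ext_if inet from <internal> to any -> ($ext_if)

# Default deny, logged, so anything not explicitly passed shows up in pflog.
block log all

# Drop packets arriving on an inside interface that claim a source address
# belonging to another inside interface's network (spoofing across subnets).
antispoof log quick for { $acct_if, $mkt_if, $hot_if } inet

# Services the firewall itself offers, matched first ('quick'): DNS to all
# three subnets, the HTTPS web GUI only to Accounting.
pass in quick on $acct_if inet proto { tcp, udp } from $acct_net to ($acct_if) port domain keep state
pass in quick on $acct_if inet proto tcp from $acct_net to ($acct_if) port https keep state
pass in quick on $mkt_if inet proto { tcp, udp } from $mkt_net to ($mkt_if) port domain keep state
pass in quick on $hot_if inet proto { tcp, udp } from $hot_net to ($hot_if) port domain keep state

# Everything else aimed at any of the firewall's own addresses is dropped
# here, before the Internet rules below can match it. Without this line a
# guest could reach the WAN-side address, which is not in <internal>.
block in log quick on { $acct_if, $mkt_if, $hot_if } inet from any to self

# Internet access only: "! <internal>" excludes every company subnet, so
# Accounting, Marketing and guests cannot reach one another or the LAN.
pass in on $acct_if inet from $acct_net to ! <internal> keep state
pass in on $mkt_if  inet from $mkt_net  to ! <internal> keep state
pass in on $hot_if  inet from $hot_net  to ! <internal> keep state

# The firewall's own outbound traffic (DNS forwarding, NTP, package fetches).
pass out on $ext_if inet keep state
```

On a plain FreeBSD box, check the syntax with `pfctl -nf /etc/pf.conf` before loading it. On pfSense the rules are maintained in the GUI and the generated ruleset can be read in /tmp/rules.debug, which is the place to look when the GUI's rules do not behave as expected; the pattern is the same as above, with the GUI's per-interface rule tabs corresponding to the `pass in on <interface>` lines.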

Not directly related to pfSense, but if you’re interested in professional qualifications for maintaining and supporting firewall and routing platforms, have a look at the InfoSec Institute. InfoSec can help you obtain your CISSP certification.

Read the howto or download the howto as PDF

Links: Free Software Magazine | pfSense howto | pfSense Project

pfSense – hardware/server request

Scott Ullrich from the pfSense project is looking for anybody willing to donate hardware or a fast server to speed up building and compiling of pfSense.

It seems more and more that I spend 90% of my time waiting for pfSense builds to validate code changes, kernel changes, etc.
more…

Here’s a rundown of parts that would be ideal:

  • quad-core CPU, or dual quad-core if possible
  • 4 GB RAM (not strictly necessary, but useful for cache)
  • 6 SATA disks (Western Digital Raptors would rock), and an Areca or similar card with 256 MB–1 GB battery-backed cache

Is there anybody able to help the pfSense project?

Read the whole blogpost and the comments here.

FreeBSD News – quick links (week 17)

I News & Articles

FreeBSD for Web and E-Mail Servers

I’m not touting FreeBSD over Linux. Within the Unix-like community, and even within the Linux world, it’s easy to find heated arguments over the various versions of operating systems. It seems that no matter what software or computer system some people use, they will fight to the death to prove theirs is the best. I can only tell you that FreeBSD works well for us. For years, ComputorEdge.com ran well on a Linux box. The only reason that we didn’t continue was concerns for the age of the hardware. When we brought in new servers, we installed FreeBSD. Once Apache—the same Web server we used on the Linux computer—was installed, the movement of the site to the new machine was fairly simple.

I had to learn to use FreeBSD, but now I’ve developed a certain comfort level. I could go to a Linux computer and do many of the same things I do now, but there are just enough differences for it to feel foreign to me. I’m sure that this is true to some extent even when moving between versions of Linux.

The Linux world is taking many more steps toward making the individual user more comfortable with using it as a replacement for Windows. If I were looking to do that, then I would probably start with Linux. However, if your primary objective is to build a server—for the Web, e-mail, or another intensive application—it would be difficult to go wrong with FreeBSD. More…

pfSniffer? A non-firewall use for pfSense

Several years ago my company looked into getting Distributed Sniffer Appliances, made by Network General. These are devices that attach to an Ethernet segment (at a branch office) and allow you to remotely connect and pull traces. Ideally, we would have loved to have these in each remote location so that we could more easily troubleshoot problems that seemed to crop up regularly. They looked like very nice appliances, but Network General wanted an arm and a leg for each one, so we passed.

We recently had a need for this sort of thing and I had a great idea. Many months ago, I noticed that pfSense had added a very nifty feature called Packet Capture. Essentially, the pfSense WebGUI has an interface to tcpdump, allowing you to put in some simple filter criteria (source/destination IP Address) and have a trace executed on a particular interface. This is a really nice feature for troubleshooting your firewall, but I thought that this could be used to make a distributed “pfSniffer”. More…
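The capture feature described above, a web form feeding a source and destination address into tcpdump, is easy to reproduce on any FreeBSD box, and the detail worth getting right is input validation: the form fields end up as shell words. The following is an added example written for this page, not pfSense's Packet Capture code and not the "pfSniffer" the author built. The function names, the /tmp output path, the fixed tcpdump options and the script name pfsniffer.sh are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's own code: a minimal capture wrapper that
# validates the interface, packet count and optional IPv4 source/destination
# before they are handed to tcpdump. Names and paths are assumptions.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255
is_ipv4() {
    ip=$1
    # Reject empty input, any character but digits and dots, and a leading,
    # trailing or doubled dot; this also rejects spaces, ';' and '|'.
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_filter [SRC] [DST]: print a tcpdump expression built only from
# validated addresses; fail if either address is malformed.
build_filter() {
    src=$1 dst=$2 expr=""
    if [ -n "$src" ]; then
        is_ipv4 "$src" || return 1
        expr="src host $src"
    fi
    if [ -n "$dst" ]; then
        is_ipv4 "$dst" || return 1
        expr="${expr:+$expr and }dst host $dst"
    fi
    printf '%s\n' "$expr"
}

# capture IFACE COUNT [SRC] [DST]: write a pcap file and print its path
capture() {
    iface=$1 count=$2 src=$3 dst=$4
    case "$iface" in
        ""|*[!A-Za-z0-9_.]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    case "$count" in
        ""|*[!0-9]*) echo "bad packet count: $count" >&2; return 1 ;;
    esac
    [ "$count" -gt 0 ] || { echo "packet count must be positive" >&2; return 1; }
    filter=$(build_filter "$src" "$dst") || { echo "bad address" >&2; return 1; }
    out="/tmp/capture-$iface-$(date +%Y%m%d-%H%M%S).pcap"
    # -n: no name lookups (a capture box should not emit DNS queries about the
    # hosts it is watching); -s 0: whole packets; -w: raw pcap for download
    # into Wireshark. $filter is deliberately unquoted so tcpdump receives the
    # expression as separate words; it contains only validated tokens.
    tcpdump -n -i "$iface" -c "$count" -s 0 -w "$out" $filter || return 1
    printf '%s\n' "$out"
}

# Usage (assumed script name): sh pfsniffer.sh em1 500 10.10.1.25 192.168.1.5
if [ $# -gt 0 ]; then
    capture "$@"
fi
```

Running tcpdump needs read access to the BPF device, so the wrapper runs as root on most systems; that is exactly why the validation is strict rather than permissive, and why the filter grammar is limited to `src host` and `dst host` instead of passing an arbitrary expression through.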

II Releases

New PC-BSD PBI Builder released

The PBI builder is a powerful command-line script system, which can be used to convert a FreeBSD port into a PBI file. The configuration for this process is stored as a module, which can then be used to rebuild the PBI automatically. Developers can then submit these finished modules to PC-BSD Software, where they will be added to a build server, which rebuilds the PBI every time the underlying port is updated. More…

Portscout Services Started!

Time to make my Portscout public for all.

What is Portscout? Portscout is a tool which looks for new versions of software in the FreeBSD ports tree and potentially other software repositories. More…

III Howto

SpamAssassin Installed in 10 minutes.

In our example we are going to install SpamAssassin from the ports. This example is suitable for a small company with up to a few dozen mailboxes. More…