Which Firewall Distro is Right for Me?

D

DevynCJohnson

Guest
List of all "Which Distro" articles

I had written an article on choosing the right distro for a desktop system. I decided to write a similar article on choosing the right router, firewall, gateway, etc. Linux distro. Yes, Linux can be used as an operating system for other network devices. Linux is so versatile, its use is not restricted to servers, clusters, desktops, and laptops.

FREESCO, also known as Free Cisco, is intended to be a replacement OS for many proprietary router systems. FREESCO can support no more than ten modems and ten different network cards. If you have more than this, then this is not the router distro for you. FREESCO is small enough to fit on a 1.44MB floppy disk or a RAM chip. If desired, this OS can be installed onto a hard-drive. For minimal function, this distro requires 12MB of RAM and needs an i386 processor or better. For server features, this distro needs 16MB. FREESCO can act as a bridge, router, firewall, and server. FREESCO can support DSL, Dial-up, and leased-line connections. http://www.freesco.org/

Floppyfw has the same requirements as FREESCO (i386, 12MB memory, 1.44MB floppy). The difference is Floppyfw has less features and is more lightweight. Floppyfw can act as a firewall, gateway, and router. This distro supports up to two network cards. Floppyfw can filter packets, log traffic, shape traffic, and act as a DHCP server or store DNS cache. Generally, if you need a distro that is more lightweight than FREESCO, then choose Floppyfw. http://www.zelow.no/floppyfw/

IPCop is specifically designed to be a secure firewall. This distro is supposedly easy to manage and install. http://www.ipcop.org/

IPFire is an out-of-the-box router and firewall. This distro requires at least a 333MHz CPU and 128MB memory. Pakfire is the package manager which allows administrators to add extra software (like anti-virus software). This system can also be a DNS and DHCP server. http://www.ipfire.org/

OpenWrt is a large network distro. This can be referred to as the multi-purpose distro. It can act as a server, firewall, router, bridge, etc. This is still a small and efficient system. This is perfect for hardware that needs to perform a large variety of tasks. Generally, if you want one task to be performed, then admins should try to select a lightweight distro. https://openwrt.org/

Alpine Linux is a lightweight Linux distro, but compared to other network distros, this is a large, heavy-duty distro. Alpine uses GNOME or XFCE and comes with Firefox. Alpine can be used as a router, gateway, firewall, or a server. Alpine is small enough to run on memory alone. Alpine contains security patches and is made to be a secure system. Alpine supports 32 and 64-bit hardware unlike most router and firewall distros. http://alpinelinux.org/

ClearOS is a CentOS-based gateway, workstation, and server distro. ClearOS functions well as a firewall, but its main intended use is as a server. ClearOS is a heavy system packed with many useful features. ClearOS offers antimalware, antiphishing, intrusion detection/prevention, proxy, etc. http://www.clearfoundation.com/

Devil-Linux functions as a router and/or firewall. This distro can be run off of a Live-CD rather than installing on a hard-drive. Devil-Linux is lightweight enough to work on many old computers. This system can also function as a lightweight server. http://www.devil-linux.org/home/index.php

DD-WRT is a distro for wireless routers. This OS can also be a firewall and provide other network services such as Samba. DD-WRT supports WOL (Wake-on-LAN). This means DD-WRT can turn on computers on the network. However, the client's hardware/BIOS/firmware must also support WOL. This can be used to turn on a companies computers minutes before the employees arrive, thus saving time. This distro needs 8MB and some flash storage. https://secure.dd-wrt.com/site/

SmartRouter is a complete desktop system that is intended to act as a router/firewall. The minimum requirements are 175MHz i536 processor, 32MB memory, and 40MB storage.

Untangle is a firewall made by a company named Untangle (hence the distro's name). This Linux distro offers anti-virus, anti-spam, web caching, and many other protective features. A variety of software is available for Untangle including proprietary software. http://www.untangle.com/store/get-untangle/

NOTE: Thanks to @Rob for suggesting that I include Untangle.

MikroTik RouterOS is a firewall/router distro owned by MikroTik. This system is usually found on MikroTik's hardware. However, administrators can install it on their own x86 architectures. Probably the only time this distro would be used is on the proprietary hardware made by MikroTik. Thanks to Vuk Radovic for suggesting MikroTik.

I had many readers contact me and suggest I mention PfSense despite the fact it is a BSD system rather than Linux, so I decided to include it in this article (thank you readers). PfSense is commonly used firewall OS. The system is based on FreeBSD and forked from m0n0wall. This system can also be used as a router, VPN server, DNS, server, and various other network services. PfSense works on Intel and AMD64 architectures and supports high-speed network traffic. PfSense can be used as a full-desktop-firewall system or an embedded-router-system. PfSense is a flexible system; by that, I mean it can be a lightweight or heavy system if the administrator chooses. The minimum requirements include 300MHz CPU and 128MB memory. http://www.pfsense.org/

If you like PfSense, but want something smaller, then I would recommend M0n0wall (thanks readers for suggesting this). M0n0wall is another BSD firewall OS that is based on FreeBSD. M0n0wall can be run off of the LiveCD or installed on a flash-drive. M0n0wall has less features than PfSense and is usually used as an embedded system. http://m0n0.ch/wall/

Administrators are not restricted to using firewall distros for such purposes. "Regular" Linux distros can be used as firewalls, routers, gateways, etc. Doing so requires that certain services be installed and configured and the /etc/network/interfaces configuration file be edited.

NOTE: Obviously, these systems also need at least two network cards (unless otherwise specified here or on the websites documentation).

Various Linux distros have been mentioned for firewalls, gateways, routers, etc. However, some of you may be wondering about Proxy servers. Most of these systems will work well as a proxy. To make a system a proxy, install Squid which supports various network services.

TIP: To make a router/firewall/gateway/etc produce less heat/noise, use a flash-drive or other solid-state-drive instead of a magnetic hard-drive.

NOTE: Feel free to add your own thoughts and suggestions on choosing the right distro in the comments below. Also, the system requirements listed in this article come from the official or development websites of these distros. I am not implying that I agree with these minimal requirements.
 

Attachments

  • slide.jpg
    slide.jpg
    73.7 KB · Views: 114,214
Last edited:


In a few hours, I will add PfSense and m0n0wall as suggested. Thanks G+ community!
 
I've been trying to dabble in Pfsense. It's a little awkward to install, but I managed to get the Web GUI.

I'm also still messing with it in Virtual Box. I'm wondering if a Firewall can effectively protect a host as a virtual machine, or if it can only protect the other VMs.
 
You can host your firewall in a vm. I have seen it done before a few places. As long as routing and such are in place you should be ok.
 
Okay. I wasn't sure how effective that is if the Host OS is still communicated directly with the Network Card. At most, it seems like the VM can just watch and analyze the traffic.

There is probably another way to set this up in VirtualBox with the Network adapters. As you say, I need to have the Routing correct.
 
No experience whatsoever myself, but an OpenBSD box with packetfilter is supposed to be very solid: http://openbsd.org/faq/pf/

pf was also ported to FreeBSD and is part of a base FreeBSD install.

The advantages of *BSD systems is that they are extremely light and fast compared to GNU/Linux - you could run it on an old laptop or desktop which you were about to throw out... or a low cost headless system built from spares, etc. OpenBSD in particular is also security focused.

Another good option would be Debian stable with an iptables firewall: https://wiki.debian.org/DebianFirewall

(set one of these up years ago, but eventually the (crap) hardware gave up)
 

Members online


Latest posts

Top