Rack of Ethernet switches.

Firewall Tools

What is a Firewall?

A firewall is a device providing a carefully controlled connection between networks that do not fully trust each other. It has the capabilities of a router, but it makes policy decisions which override the simple logic of IP routing. Packets which would have been forwarded based solely on their destination IP address will be blocked (or perhaps rejected with an ICMP "Destination Unreachable" message) because they are not acceptable to the security policy.

The technology is pretty straightforward, but the market changes rapidly. Companies appear and disappear frequently, and products much more so.

With complex products you really can't tell just what is going on inside. The conceptual terms of stateless and stateful packet filter, circuit-layer gateway, and application proxy are helpful for introductory explanations, or as a checklist of capabilities, but only the packet filters are available as products that are precisely defined by those terms. More complex products blend all these capabilities and more while hiding the design details.
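The policy decision described above (a packet that plain IP routing would forward is instead dropped silently or rejected with an ICMP "Destination Unreachable") and the stateless-versus-stateful distinction are easiest to see in a small model. The following Python is an added example, not code from this page or from any of the products it lists. It models the rule semantics that Netfilter/iptables, ipfw, ipf and pf share: an ordered rule list with first-match-wins and a default policy, a stateless header check, an optional connection-tracking table that makes the filter stateful, and the two ways of refusing a packet. The rules, hosts and addresses are constructed for the demonstration (RFC 5737 documentation ranges and 10.0.0.0/8); the `Firewall`, `Rule` and `Packet` names are this example's own, not any vendor's API.

```python
"""Toy model of a packet-filtering firewall's policy decisions (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    """One filter rule; 'any' fields are wildcards. Mirrors the shape of an iptables rule."""
    action: str                   # "ACCEPT", "DROP" or "REJECT"
    proto: str = "any"
    src: str = "any"              # an address or CIDR prefix
    dport: Optional[int] = None
    syn_only: bool = False        # like iptables '-p tcp --syn': only connection openers

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn_only and not (pkt.proto == "tcp" and pkt.syn):
            return False
        return True


class Firewall:
    """Ordered rules, a default policy, and (optionally) a connection-tracking table."""

    def __init__(self, rules: List[Rule], default: str = "DROP", stateful: bool = True):
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.conntrack: Set[Tuple] = set()   # flows accepted so far, keyed by 5-tuple

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Tuple:
        # The same flow seen from the other direction (the reply traffic).
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        """Return the verdict. DROP discards silently; REJECT also answers with an
        ICMP Destination Unreachable (iptables' -j REJECT sends port-unreachable by default)."""
        # Stateful shortcut: traffic belonging to an already accepted flow passes
        # without consulting the rule list (iptables: --ctstate ESTABLISHED).
        if self.stateful and (self._flow_key(pkt) in self.conntrack
                              or self._reverse_key(pkt) in self.conntrack):
            return "ACCEPT"
        verdict = self.default                 # default policy applies if nothing matches
        for rule in self.rules:                # first matching rule decides
            if rule.matches(pkt):
                verdict = rule.action
                break
        if verdict == "ACCEPT" and self.stateful:
            self.conntrack.add(self._flow_key(pkt))   # remember the flow for its replies
        return verdict


def run_demo(stateful: bool) -> List[Tuple[str, str]]:
    """Run a constructed traffic sample through a constructed policy; returns (name, verdict)."""
    rules = [
        Rule("ACCEPT", proto="tcp", src="10.0.0.0/8", dport=22, syn_only=True),  # admin net -> ssh
        Rule("ACCEPT", proto="tcp", dport=80, syn_only=True),                     # anyone -> web
        Rule("REJECT", proto="tcp", dport=22),                                     # others: ICMP error
    ]
    fw = Firewall(rules, default="DROP", stateful=stateful)
    packets = [
        ("ssh from admin net", Packet("10.1.2.3", "192.0.2.10", "tcp", 40000, 22, syn=True)),
        ("ssh reply to admin", Packet("192.0.2.10", "10.1.2.3", "tcp", 22, 40000)),
        ("ssh from Internet", Packet("198.51.100.7", "192.0.2.10", "tcp", 5555, 22, syn=True)),
        ("dns from Internet", Packet("198.51.100.7", "192.0.2.10", "udp", 5555, 53)),
        ("stray ACK to web", Packet("198.51.100.7", "192.0.2.10", "tcp", 5555, 80)),
    ]
    return [(name, fw.filter(pkt)) for name, pkt in packets]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless")
        for name, verdict in run_demo(stateful=mode):
            print(f"  {name:22s} {verdict}")
```

The interesting row is the reply to the admin's SSH session: the stateful filter accepts it because the outbound SYN created a connection-tracking entry, while the stateless filter, which sees only the header, has no rule for destination port 40000 and drops it. A purely stateless filter would have to add a rule accepting any packet with the ACK bit set, which is exactly the hole stateful filtering closes.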

It is no longer practical to maintain a meaningful directory of commercial firewall products. So, this page now focuses on open-source firewall components.

Filtering in the Kernel

The kernel, the operating system itself, includes IP filtering capabilities in Linux, BSD, and Solaris. See the Netfilter package and the iptables and related tools (ip6tables, arptables, ebtables) in Linux, the ipfw tools in BSD, and the Solaris Management Console in Solaris.

Linux Firewall Solutions

Smoothwall is a free open-source Linux distribution. Smoothwall Express provides a firewall designed for ease of installation, configuration, and use even by people with no Linux background. The UK-based company Smoothwall Ltd. develops the open-source software, and also sells software and hardware versions bundled with support for enterprise operations.

Shoreline Firewall, also known as Shorewall, builds upon the Netfilter/iptables system to more easily manage complex configurations.

The Openwall Project is a bundled hardened Linux and firewall product.

Firewall Tools

IPFilter, also known as ipf, is an open-source firewall solution with support in the kernels of FreeBSD, NetBSD, Solaris, and at least some versions of AIX, IRIX, HP-UX, and Tru64.

Packet Filter or simply pf is a stateful packet filtering firewall comparable to Netfilter. It was designed on OpenBSD and has been ported to FreeBSD, NetBSD, Mac OS X, and others.

Circuit-Layer Gateways and More

Squid is a caching proxy supporting HTTP/HTTPS, FTP, and other protocols, enforcing extensive access control.

SOCKS is a circuit-level gateway.

Home / Small-Office Firewall Products

Linksys, D-Link

Linksys and D-Link make some very nice NAT-based firewall products, priced down to US$ 40 or less at home electronics stores. They do NAT/PAT, including static inbound tunnels to interior servers.

Commercial Firewall Vendors
