What is a Firewall?
A firewall is a device providing a carefully controlled connection between networks that do not fully trust each other. It has the capabilities of a router, but it makes policy decisions which override the simple logic of IP routing. Packets which would have been forwarded based solely on their destination IP address will be blocked (or perhaps rejected with an ICMP "Destination Unreachable" message) because they are not acceptable to the security policy.
The technology is pretty straightforward, but the market changes rapidly. Companies appear and disappear frequently, products much more so.
With complex products you really can't tell just what is going on inside. The conceptual terms of stateless and stateful packet filter, circuit-layer gateway, and application proxy are helpful for introductory explanations, or as a checklist of capabilities, but only the packet filters are available as products that are precisely defined by those terms. More complex products blend all these capabilities and more while hiding the design details.
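As an added example (not from the original page) of the two points above, policy overriding plain routing and the difference between a stateless and a stateful packet filter, here is a toy TCP filter in Python; the interior prefix, the exposed port and the traffic are all constructed for the demonstration:

```python
from dataclasses import dataclass

INSIDE = "10.0.0."  # constructed: address prefix of the trusted interior network

@dataclass(frozen=True)
class Packet:          # TCP only, enough for the demonstration
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # SYN set: this segment opens a new connection

class StatefulFilter:
    """Policy overrides routing: a forwardable packet is still dropped or rejected unless allowed."""
    def __init__(self, allowed_inbound_ports, reject=True):
        self.allowed = set(allowed_inbound_ports)
        self.reject = reject  # True: answer with ICMP unreachable; False: drop silently
        self.flows = set()    # (src, sport, dst, dport) of connections seen leaving

    def decide(self, pkt):
        if pkt.src.startswith(INSIDE):
            # Outbound is trusted; remember the flow so its reply may come back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound: only the reply to a remembered flow, or a new connection to an exposed port.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward"
        if pkt.syn and pkt.dport in self.allowed:
            return "forward"
        return "reject:icmp-unreachable" if self.reject else "drop"

def stateless_decide(pkt, allowed_inbound_ports):
    """No flow table: to let replies in at all it must accept any non-SYN packet to an ephemeral port."""
    if pkt.src.startswith(INSIDE):
        return "forward"
    if pkt.dport in allowed_inbound_ports or (not pkt.syn and pkt.dport >= 32768):
        return "forward"
    return "reject:icmp-unreachable"

def run_demo():
    """Constructed traffic; returns (stateful, stateless) decisions per packet."""
    fw = StatefulFilter(allowed_inbound_ports={80})
    traffic = [
        Packet("10.0.0.5", "203.0.113.10", 40000, 443, syn=True),  # client opens HTTPS
        Packet("203.0.113.10", "10.0.0.5", 443, 40000),            # server's reply
        Packet("198.51.100.7", "10.0.0.5", 5555, 445, syn=True),   # unsolicited, port 445
        Packet("198.51.100.7", "10.0.0.20", 5555, 80, syn=True),   # exposed web port
        Packet("198.51.100.7", "10.0.0.5", 5555, 40000),           # unsolicited, ephemeral port
    ]
    return [(fw.decide(p), stateless_decide(p, {80})) for p in traffic]
```

The last packet is the instructive one: the stateless filter has to let it through to keep replies working, while the stateful filter rejects it because no interior host ever opened that connection.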
It is no longer practical to maintain a meaningful directory of commercial firewall products. So, this page now focuses on open-source firewall components.
Filtering in the Kernel
The kernel, the operating system itself, includes IP filtering capabilities in Linux, BSD, and Solaris: the … package and the … and related tools in Linux, the ipfw tools in BSD, and the Solaris Management Console in Solaris.
Linux Firewall Solutions
Smoothwall is a free open-source Linux distribution. Smoothwall Express provides a firewall designed for ease of installation, configuration, and use even by people with no Linux background. The UK-based company Smoothwall Ltd. develops the open-source software, and also sells software and hardware versions bundled with support for enterprise operations.
…, also known as …, builds upon the Netfilter/… to more easily manage complex configurations.
The Openwall Project is a bundled hardened Linux and firewall product.
IPFilter, also known as ipf, is an open-source firewall solution with support in the kernels of FreeBSD, NetBSD, Solaris, and at least some versions of AIX, IRIX, HP-UX, and Tru64.
Packet Filter or simply pf is a stateful packet filtering firewall comparable to Netfilter. It was designed on OpenBSD and has been ported to FreeBSD, NetBSD, Mac OS X, and others.
Circuit-Layer Gateways and More
Squid is a caching proxy supporting HTTP/HTTPS, FTP, and other protocols, enforcing extensive access control.
Socks is a circuit-level gateway.
Home / Small-Office Firewall Products
Linksys and D-Link make some very nice NAT-based firewall products, priced down to US$ 40 or less at home electronics stores. They do NAT/PAT, including static inbound tunnels to interior servers.
Commercial Firewall Vendors