firewall distributions

general = { about, articles, links, projects }     meta = { date-posted: 2006-05-24 }

I have been tooling around with various firewall distributions lately.

After cutting a wide swath at first, I narrowed down to 3 distros that I like.

ipcop, m0n0wall, and pfsense.

m0n0wall is simple, and powerful. It is based off of the FreeBSD 4.x series. It can fit on a compact flash card, and can run on a range of devices from wrap boards, to new pc's. I like the simplicity and performance of m0n0. The feature set is a bit less than the other two I listed.

That does not mean it isn't feature rich. Far from it. It has good stuff like captive portal, ipsec vpn, pptp vpn, vlan support, caching dns forwarder, dhcp server, and easy to use backup/restore functionality. Very solid.

pfSense is a branch off of m0n0wall. It was refactored on the FreeBSD 6.x series. It has more features, but has not yet reached a 'stable' release. I like alot of the features that pfSense has. Features like clustering, PPPoE, better hardware support (wireless and otherwise), as well as including a couple of layer 7 proxies.

pfSense is still a bit buggy. I had some odd issues with squid, and openvpn. They are being actively worked on, and pfSense looks like it will be great once it gets polished, and a stable release is made. The goals of pfSense are a bit different than m0n0wall. They do not strive to run on small devices, and the extra horsepower is being put to use for the L7 proxies and added features.

ipcop is linux based. ipcop was originally a branch/fork of smoothwall, but apparently little of the original code remains. ipcop is really quite polished, and has a few very well integrated layer 7 proxies. There is a large collection of community 'addons' as well, allowing people to extend the base functionality of ipcop to include such things as: inline av scanning, openvpn, antismap, url filtering, l2tp vpn, QoS, and more.

I like the features and polish of ipcop, and appreciate the performance and thoughtfulness of m0n0wall. m0n0wall has fewer layer 7 proxies, and is 'simpler'. ipcop has more features, but only supports a certain number of interfaces, and these interfaces must be assigned during install (as to what type of interface they are).

I would say try out ipcop and m0n0wall, play around in their interfaces, and see which one you prefer. Both have benefits.

I say give pfSense a bit of time to mature. It looks very promising, but I did find it a bit buggy in a few areas.