Review: Security firewall distributions


IPFire is one of the more popular compact distributions with a great interface.

With competition from IPCop, the similarly named IPFire aims to be the ultimate easy-to-use turnkey firewall distribution. Sitting somewhere between a completely free non-commercial offering like IPCop and hybrid free community and commercially supported version like Endian or ClearOS, IPFire doesn't itself provide a hardware appliance option but can be purchased pre-installed on hardware and with professional support through third-party Lighting Wire Labs ( There are various levels of support contract available, and similarly a selection of appliances from compact, low-power mini-servers to a heavy duty rack-mount. Perhaps helping the low-power compact option, IPFire supports ARM as well as x86 hardware. Alternatively hypervisors from VMWare and Xen to Microsoft's Hyper-V and Red Hat's KVM are supported as well.

As with other products here, configuration and management is via a web-interface that is cleanly laid out and provides access to setting up firewall rules, QoS, Wi-Fi access, VPN services, content filtering, intrusion detection, and web filtering based on the popular open-source Squid caching proxy. It also sports its own package update system called Pakfire, that also doubles as a package manager to install new features.

IPFire is actively developed and, at the time of writing, the latest IPFire 2.13 update 75 had just been released.


pfSense is a FreeBSD-based distribution that gives the Linux firewalls a run for their money.

pfSense is a security-focused open-source firewall derived from m0n0wall, itself a firewall-based FreeBSD distribution (and in that sense is the only FreeBSD based distribution covered here among the Linux cohorts). If you're familiar with BSD, ‘pf' is the name of BSD's packet filter system (as opposed to the Linux ‘iptables'), which among other features including bandwidth control and NAT performs packet filtering for firewall duties. Indeed, between FreeBSD and Linux camps, there's much contention about which packet engine is more efficient, versatile and powerful. Ultimately, both are very good at what they do.

Just as Linux can be daunting to uninitiated, FreeBSD is similar and so pfSense provides a customised firewall distribution with a web-based interface so you don't need to get your hands dirty (the pfSense documentation promises you'll never need to use a command line).

And, beyond the standard stateful firewall functions you'd expect, pfSense also includes a few tricks up its sleeve like load balancing, captive portal to force authentication (as with public Wi-Fi hotspots), and its ability to filter connections by the incoming client's OS (for example to allow Linux machines while blocking Windows ones regardless of IP or other firewall rules.)

Beyond this, and much like IPCop, pfSense is a focused on firewall and router duties and so doesn't include optional modules like anti-malware or cloud services like ClearOS and similar commercially-focused products. It does, however, provide commercial support options that include free configuration backup of the server at the pfSense portal, and access to extensive official documentation on making the most of a pfSense install.

Hardware requirements are also quite low, making it possible to install pfSense on low-power servers and on flash media for embedded systems.

All up, it's yet another refined and viable option for a dedicated firewall server that's free to use, with paid support only if you need it.


Smoothwall has made leaps and bounds with its latest 3.0 release, including sporting an improved interface.

Smoothwall is so popular you've probably already heard of it, and not without good reason. Originally a free open-source distribution (as [i]Smoothwall Express[/i]) much like IPCop or IPFire, it later evolved to become an enterprise solution ( with commercial support options and paired hardware appliances.

Smoothwall breaks its products down into three core offerings -- the Web Access Manager (WAM), designed for the roles such as public access and (according to the website) the hospitality industry where the focus is more on bandwidth and application control; the Secure Web Gateway (SWG) with its real-time content filtering and mobile endpoint management features; and Unified Threat Management (UTM), building on SWG with advanced firewall features. The products also sport load balancing, anti-spam and anti-malware, P2P file sharing blocking, and social media control to limit or define the use of social media in the workplace.

In the past Smoothwall's web-interface wasn't quite as attractive as some of the other products covered here, but the most recent version has revamped this and it's now much easier on the eyes and easier to use.

As with other hybrid free and commercially-focused products we're looking at here, you can use Smoothwall Express for free in a production environment supported by your own IT resources, or as a means to test the product meets your needs before opting for commercial support or a hardware appliance.

Tags firewalls

Show Comments