Top 5 Best Linux Firewalls

by Ramesh Natarajan on February 15, 2010

As part of the contest we conducted recently, we got 160+ comments from the geeky readers who choose their favorite firewall.

Based on this data, the top spot goes to.. drum roll please..

iptables

If you are new to any of the top 5 firewalls mentioned here, please read the rest of the article to understand more about them.

1. Iptables

iptables is a user space application program that does packet filtering, network address translation (NAT), and port address translation (PAT).  iptables is for IPv4.  ip6tables is for IPv6.

iptables needs kernel with ip_tables packet filter (including Linux kernel 2.4.x and 2.6.x). Using iptables you can view, add, remove or modify the rules in the packet filter ruleset.

2. IPCop

IPCop is for small-office and home-office users. This is a Linux firewall distribution, that requires a separate low power PC to run the software. You can configure the firewall rules from a friendly web interface. This is a stateful firewall based on Linux netfilter.

You can take an old PC and convert it to a secure internet application with IPCop, which will secure the home/small-office network from internet and also improve web browser performance by keeping some frequently used information.

3. Shorewall

Shorewall firewall’s tag-line is: iptables made easy. It is also known as “Shoreline Firewall”. It is built upon the iptables/ipchains netfilter system.

If you have hard-time understanding the iptables rules, you should try shorewall, as this provides a high level abstraction of iptables rules using text files.

Shorewall contains the following packages:

  • Shorewall – Helps to create ipv4 firewall
  • Shorewall6 – Helps to create ipv6 firewall
  • Shorewall-lite – Helps to administer multiple ipv4 firewalls
  • Shorewall6-lite. Helps to administer multiple ipv6 firewalls

Additional information about shorewall:

4. UFW – Uncomplicated Firewall

UFW is a command line program that helps manage the netfilter iptables firewall. This provides few simple commands to manage iptables. Gufw is a graphical interface for the UFW that is used on Ubuntu distribution. It is very intuitive and easy to manage your iptables firewall using Gufw. You can run Gufw on any Linux distribution that has Python, GTK and ufw.

To allow ssh access in UFW you have to do the following. It’s that easy.

$ sudo ufw allow ssh/tcp

5. OpenBSD and PF

PF stands for packet filter. PF is licensed under BSD and developed on OpenBSD. PF firewall is installed by default on OpenBSD, FreeBSD, NetBSD.

PF does the following.

  • Packet Filtering
  • NAT
  • Traffic redirection (port forwarding)
  • Packet Queueing and Prioritization
  • Packet Tagging (Policy Filtering)
  • Excellent log capabilities

Additional information about PF:

Additional Firewall Software

Following are additional firewalls mentioned by readers along with the total number of votes it received.

  • CheckPoint FireWall-1 5
  • pfsense 5
  • Firestarter 5
  • Netfilter 4
  • SmoothWall Express 3
  • Guarddog 3
  • ipchain 3
  • Endian 2
  • Susefirewall 1
  • Cisco ASA/PIX 1
  • ClearOS 1
  • APF 1
  • Firewall Builder 1
  • Auto firewall in Puppy Linux 1
  • Drawbridge 1
  • Monowall 1
  • Firehol 1
  • SuSEfirewall2 1
  • Plesk 1

Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 14 comments… read them below or add one }

1 Nackox February 15, 2010 at 7:35 am

These are the most heard firewallas I guess, and iptables, is sure the best knowledgeable in the lista, but right now I’m testing Vuurmuur (on Debian). Its really a nice and simple frontend to netfilter and a powerful firewall manager built on top of iptables

2 saymoo February 15, 2010 at 8:42 am

Sorry, but this list is rubbish. Most of the list are not firewalls, but firewall managers.
E.g. Shorewall, UFW, and IPCOP, make USE of NETFILTER/IPTABLES, and only provide a gui of some sort to configure the real firewall (again NETFILTER/IPTABLES).
Without IPTABLES those three won’t function, and are dull gui’s without use. IPTABLES however does function on it’s own (config file no gui needed).

So, clear those three out, and then you have a list with firewalls. ooh wait.. PF is not available under Linux, only under BSD’s. So clear that one out too..

so the only firewall left on the list is IPTABLES, not much a list. Unless you count and add IPCHAINS to the list. (pre iptables firewall)

Facts are facts

3 morgan February 15, 2010 at 3:05 pm

The best good console based gui for iptables I have seen is

Vuurmuur:-

http://www.vuurmuur.org/trac/wiki/Features

Screenshots – http://www.vuurmuur.org/trac/wiki/ScreenShots

I use it to share an ADSL modem (ppp0) with the rest of the house, it has most of the advanced features that fwbuilder gives you, but no need for X or any need for iptables knowledge.

4 rizlox February 17, 2010 at 12:11 pm

I quote saymoo, and also why the hell Checkpoint is in the list? It is totally closed, very expensive product, yes it’s based on linux like thousands of commercial products but I don’t see the point including in the list… Also the management console runs only on windows!

5 Gael February 18, 2010 at 2:36 am

I agree with saymoo and rizlox, this is not a good list as what is listed here are front end to edit netfilter and none open source or strictly linux firewall …

6 Arlequín February 18, 2010 at 8:58 am

Hello,

I use Arno’s IPTABLES Firewall Script at home.

Regards.

7 TejasDMT January 12, 2011 at 7:05 am

You have mentioned Checkpoint and IPtables where is the ASTARO linux based firewall in this listing. Easy to compatmentalize and has NAT, IDS and Packet rules in place as well. Free for HOME use although would be willing to pay a small annual fee to keep full benefits. Web interface to manage and has excellent throughput. Home users or small business could use a border router with ACLs and/or a Netgear (or eqivalent) in front of Astaro system which would almost provide enterprise equivalent system at very moderate prcing. Couple this with Windows Firewall or other on local workstation and you would have a reasonable secure environment ot work with.

8 kurt April 11, 2011 at 8:55 am

I’m using GBWare it is not bad

9 Danny January 15, 2012 at 9:56 pm

I agree. So far you have only listed one true firewall. Iptables. The rest are just GUIs that use iptables for those who do not understand the iptables source.

10 buruguduystunstugudunstuy February 29, 2012 at 2:55 am

since there have been a mention of ClearOS, why not throw Zentyal in there. Untangle one hell of a beast, btw.

11 Mark May 28, 2012 at 12:24 am

Ipcop’s current stable version is 2.0.4

12 edwin July 16, 2012 at 6:57 pm

is there any suggestion of firewall that suitable for school.

13 Vermuth March 12, 2013 at 6:44 pm

Thanks, very interesting

14 steve August 22, 2014 at 1:29 pm

This blog is result of how Linux philosophy affect users and then the same users produce something like this appearance ! The whole Linux philosophy is wrong ! Put the user in control and not other way around ! Who says that app in Linux can not sniff record and do some other nasty tasks ? Yes Linux is secure in terms how can not be exploited and crashed like windows can be but all other threats are still the threat anyway and some firewall that monitors system app behavior and block unwanted connections is required ! We have strong distro firewalls but on the other hand we do not have single strong firewall on Linux Desktop OS ? Why not ? Not needed ? I don’t agree i like be in control of system not other way around ! Something like Comodo firewall would be very god solutions ! And description of Linux app is weird and crazy when using synaptic package manager with bunch a library’s that only confuse ! Give simple name of app and description so the user will know what it is ! Like i said the whole philosophy of Linux is weird !!! On win i know exactly which app is doing what and how is networked to internet and backwards ! On Linux something like that is not needed ? So why then distro firewalls ??? Do not trust absolute no one ! Who said that NSA isnt developing some Linuxes and then post it as virgin OS for free to user ? And others also ? Where is control in user hands ? Do we rely must become developers to be secure ? I do not trust Win and win app so i control every corner of win and i like to do so that in Linux also !!!

Leave a Comment

Previous post:

Next post: