Menu
A+ A A-

The Hunt For the Ultimate Free Open Source Firewall Distro

I've been a hard-core Untangle fan for several years now, but I recently wanted to explore other firewall options.  Being wrapped around a commercial product, Untangle charges money for its high-end features.  However, I figured since most all those features are covered by the open source community, there must be non-commercial options out there.  I began my hunt for the best free firewall.  I scoured the internet, downloading any and all offerings from 2 principal types of entities: 1. companies with an open source community branch or free non-trial version, and 2. open source community projects ("free as in speech" or free software / paid support biz models).

I tried just about every ISO I could get my hands on.  I thought I had my work cut out for me since I found far more of them than I had expected.  But I did notice some common themes--several of them seemed to share common ancestors / packages (e.g. Squid, Debian, FreeBSD, etc).  Here's a list of what I found along with my impressions.

Untangle
commercial w/ free version
Good
* 64-bit version available
* awe-inspiring web-based GUI
* very easy to setup & get up and running quickly
* free version is very functional--plenty of features for most home networks
* updating is fully automatic

Bad
* must pay for high-end features
* slow boot-up & shutdown times

PFSense

free & open source
Good
* 64-bit version available
* Most feature-rich free firewall distro I've ever used.  You can get it to land space ships on Mars.
* solid performance and stability
* light and nimble--much faster boot-up/shutdown than Untangle
* has a vast following, so the documentation & forums helped me get my head around it

Bad
* Not as simple and easy to understand as Untangle.  You have to put some time & effort into learning it, especially if you're going to use the add-on packages.
* Add-on packages and package updating could be better.  Some add-on packages just don't work very well, and updating a package sometimes broke it.  This situation has improved as the distro has matured, but I wish they would stop listing buggy alpha-level packages in the add-on repository.  While packages like snort and squid behave very well for me; others like modsecurity drive me batty.

IPFire
free & open source
Good
* impressive GUI
* package system allows installing add-on features
* 64-bit version now available

Bad
* The package system was a bit rough around the edges--it was hard to tell what I was installing as there were few package descriptions.

IPCop
free & open source
Good
* solid performer
* one of the more popular and long-running firewall distros

Bad
* IPFire is very similar, and seems further along in development--at least in terms of its web GUI.
* Didn't seem as easy to extend as other distros

VyOS
free & open source fork of Vyatta
Good
* 64-bit version available
* It has a growing fan-base, particularly among network engineer types that prefer router-like, CLI-only environments.
* No GUI usually means a light build and nimble performance.

Bad
* CLI only.  To be totally honest, I didn't give this one much of a chance because I was hunting for distros with web GUIs.  CLI might be fine for some people and under some environments, but why bother when other free options give you a GUI?  To me the whole point of a firewall distro is its web GUI.  Without that, I might as well build my own Linux-based firewall and manually configure the packages.  In its defense, VyOS is considered more of a router distro with firewall features, and not a full-blown UTM distro.

Smoothwall

commercial w/ free version
Good
* 64-bit version available
* excellent GUI
* popular--has a large following

Bad
* Free version doesn't allow easy add-on installation.  You have to hack it a bit to extend functionality.

Endian

commercial w/ free version
Good
* clean, functional GUI
* one of the more refined distros I found
* allows for more config tweaks than Untangle (in the GUI)

Bad
* free version doesn't seem to get updated often
* I couldn't find a 64-bit version
* doesn't seem as extensible as other distros

ClearOS
commercial w/ free version
Good
* 64-bit version available
* clean, functional web GUI
* lots of features & plugins that go beyond firewall functionality

Bad
* free feature set isn't as generous as other distros
* No auto updates for IPS/URL filter.  It looks like updates are part of their commercial offering.  Booo!  What good is a free version that doesn't update?

Zentyal
commercial w/ free demo
Good
* gorgeous web-based GUI
* offers a ton of features--it's a full-blown small biz server

Bad
* full of nag screens asking you to buy commercial versions
* updates are NOT free
* the free version is barely functional--it's actually a demo
* For security reasons I'm not a big fan of this all-in-one approach when it comes to firewalls.

Conclusions
I know.  I know.  What about Monowall?  I briefly looked at that one too, but it seemed to be more of a router distro for embedded devices, and not so much a true firewall.  My goal was to find something with UTM features, something I couldn't find at all in Monowall.  Monowall is worth mentioning, though, since PFSense forked from it.  It's also worth mentioning that the Monowall project has officially ended.

Now for some of my findings and determinations:
* Most commercial w/ free version types worked well out of the box, but were difficult to (freely) extend.  This is probably because the extensions are part of their paid offerings.  They gotta make money somehow, right?  If my priority was getting something up and running quickly or I were building something for a friend or company that wants to self-manage, then I'd go with one of these.  Untangle is by far my top choice in this category.  Its free offering is very generous, and its management GUI is top-notch.
* Most free & open source types took more time & effort to figure out, but were more extendable.  If I had free time to burn on learning the quirks and/or were deploying it for system engineer types (like me), then I'd go this route.  PFSense is my top choice in this category, and is my current firewall of choice.
* RAM is cheap and plentiful these days, so I personally tried to stick with 64-bit offerings.  True...I may not use that much RAM in my home firewall, but it's nice to know I could recommend the same distro to a client building a beast monster firewall.
* A few free & open source distros like IPFire and PFSense had ISOs specifically for headless embedded systems, like Alix boards.  If I had an Alix-based system (I used to), I'd probably build it on PFSense or IPFire.

So long story short...mad props to PFSense and Untangle, and a well-deserved honorable mention to IPFire.

UPDATE - 2013/7/18
A kind reader recommended checking out Sophos (previously known as Astaro) as they recently started offering a free home use version of their UTM.  Finding it very impressive, I summarize my experience below.

Sophos UTM
commercial w/ free home/lite editions
Good
* stunning web-based GUI
* 64-bit version available
* extremely generous feature offering in the home version
* boasts features I haven't seen in other UTMs--e.g. endpoint protection, wireless protection, central management, etc.

Bad
* more features means it's more complex to setup and configure
* configuration is sometimes unintuitive

Sophos is a jaw-dropping UTM, and its free home version license is surprisingly generous.  The feature set and web-based GUI easily place it up there with my other 2 top UTM choices--Untangle and PFSense, so it's certainly worth a try-out.  My criticisms are few and admittedly strict.  At times I found that the configuration process took a somewhat unintuitive approach.  It took some getting used to, and perhaps this is simply because I'm a new user of Sophos.

A example of this sometimes unintuitive approach is when configuring country blocking.  If you enable it for a particular country, it blocks all inbound and outbound traffic by default.  You then have to create exceptions if you want to allow certain traffic in or out.  In my case I want to block just inbound mail (smtp) traffic from numerous countries, but allow all countries to view my internally-hosted website.  I also want to allow outbound web browsing to all countries.  Although it does seem possible, my case doesn't seem very intuitive to configure in Sophos.  I understand the advantage of such a heavy-handed approach; but it could make configuration difficult, especially for a niche feature like country blocking.  However, the fact such high-end features are even present in Sophos's free offering illuminates its deserved acclaims.

Overall I'm very impressed with Sophos.  Its free feature set rivals PFSense (which says a lot), while its beautiful GUI rivals Untangle.  Here's the link to Sophos's generous free offerings: http://www.sophos.com/en-us/products/free-tools.aspx

UPDATE - 2013/9/9
Zero Shell
free & open source
Good
* 64-bit version available
* Seems tweaked for headless and low-end systems.
* Innovative "profile" approach for running off a CD or flash memory device could work for some.

Bad
* The web GUI is hard to use.  I really struggled with finding and configuring even basic settings.
* Documentation is lacking, making it even harder to get it up and running.
* Not as easy as other distros to install on a HDD.  I'm not saying it can't be done.  It's just more tedious a process compared with other distros.

UPDATE - 2015/4/21
OPNSense
free & open source
Good
* Forked from PFSense, one of my absolute top favorites.  Those already familiar with PFSense will feel right at home.  I'm excited to see what the future holds for this distro.
* Clean, re-imagined web GUI
* Nice firmware update system
* 64-bit version available
* Paid support available

Bad
* I couldn't find any add-on packages to extend base functionality.  Perhaps this is coming later, as this is a relatively new player.
* Sometimes the larger fonts of the web GUI made it harder to use.  I know I can zoom out in the browser, and maybe I'm just more used to PFSense.  Yes, I know I'm being very nit-picky.

Post comment as a guest

0 Character restriction
Your text should be more than 10 characters
Load Previous Comments
  • Guest - Matt B.

    Curious what you have settled on. I'm in a similar set of requirements/desires and will be moving/refreshing my setup soon. I'm currently using Smoothwall which I enjoy. The GUI is pretty easy to navigate and use, some useful addons. My biggest 'issues' which are starting to crop up are lack of IPv6, not VLAN aware, and while the QoS works great, it is limited.

    Used to play around with pfSense and much like you, it had pretty much every feature I could want. However it was a chore to configure. And the traffic shaping I could never get working right even after reading numerous tutorials even on their own Wiki/forum.

    Back when I used just basic consumer grade routers I enjoyed using DD-WRT. It was just flexible enough to do what I wanted, pretty easy to configure. Unfortunately the x86 version if it appears to either lack development or is locked behind a sizable paywall and intended for enterprise customers.

  • Guest - Luto

    I am very interested on which hardware you run your firewall solution. I already searched for an affordable network appliance but did not find anything. Do you use a standard pc? Or a server like for the NAS solution (HP Proliant Microserver)?

  • Guest - Robert Chadwick

    Guest - Luto

    Personally, I've tried all kinds of low powered Atom-based computers, and small SSD drives, with varying levels of success. Nowadays, I have an ESXi machine for web and email servers, and I just run it in a virtual machine. It has worked very well for me, and allows easy backups, changes, and rollbacks.

  • Guest - Nnyan

    Guest - Luto

    I buy small SFF machines in eBay ( as long as they have one pcie slot) get a 35w CPU (the model number ends in a T) and I have a kick ass FW machine. I am really find of the Dell Optiplex x90 (390, 790 and 990) as they are cheap. Stick with an i5 or better for the best performance and AES-NI Support which makes a big difference is you VPN.

  • Guest - IPCop Mann

    IPFire now also 64 bit version since 2.19.

  • Guest - Mark

    Nice write up ! did you try simplewall ? it has been on my list to try but haven't got around to it.

    http://www.simplewallsoftware.com/#portfolio

  • Guest - Nnyan

    Guest - Mark

    Simplewall looks great but they don't seem to have much activity. Depending where on their website you download from you can get two versions (simplewall-1.1.1.iso or simplewall-0.0.1.iso). The don't respond to emails and their chat feature seems to be non-functioning most of the time. There is no community forums so despite how "cool" it looks I don't see myself installing this as I really don't trust it

  • Guest - Joe

    Coming from the point of view of someone whom has used it for BPF and OSCPv3, VyOS (and Vyatta) are terrible firewall distros. It is a great routing distro for carrier grade routing, IMHO, (and I used it on HA "routers" with two inbound carrier grade fiber drops @ 10Gbps but the firewall functionality is weird and useless.

  • Guest - Tom

    Guest - Joe

    Hi Joe
    I don't agree that VyOS / Vyatta are "terrible firewall" distros, at all.
    If someone calls it terrible, then he probably made the completely wrong decision.
    VyOS is for Professionals and for sure not for Users which work occasionally every some month with it. But those users probably don't need this stability, freedom and complexity, anyway.
    We use VyOS since years and they work great, are rocket solid and very fast.
    The Firewall works great, too - but it's cumbersome to configure it, because there are no automatic rules for the reverse connections.

    Kind regards, Tom

  • Guest - Nnyan

    Guest - Tom

    Completely agree. VyOS is very powerful and a great tool for pros. A typical user? No a get solution for them.