Japanatron Logo

I've been a hard-core Untangle fan for several years now, but I recently wanted to explore other firewall options.  Being wrapped around a commercial product, Untangle charges money for its high-end features.  However, I figured since most all those features are covered by the open source community, there must be non-commercial options out there.  I began my hunt for the best free firewall.  I scoured the internet, downloading any and all offerings from 2 principal types of entities: 1. companies with an open source community branch or free non-trial version, and 2. open source community projects ("free as in speech" or free software / paid support biz models).

I tried just about every ISO I could get my hands on.  I thought I had my work cut out for me since I found far more of them than I had expected.  But I did notice some common themes--several of them seemed to share common ancestors / packages (e.g. Squid, Debian, FreeBSD, etc).  Here's a list of what I found along with my impressions.

Untangle
commercial w/ free version
Good
* 64-bit version available
* awe-inspiring web-based GUI
* very easy to setup & get up and running quickly
* free version is very functional--plenty of features for most home networks
* updating is fully automatic

Bad
* must pay for high-end features
* slow boot-up & shutdown times

PFSense

free & open source
Good
* 64-bit version available
* Most feature-rich free firewall distro I've ever used.  You can get it to land space ships on Mars.
* solid performance and stability
* light and nimble--much faster boot-up/shutdown than Untangle
* has a vast following, so the documentation & forums helped me get my head around it

Bad
* Not as simple and easy to understand as Untangle.  You have to put some time & effort into learning it, especially if you're going to use the add-on packages.
* Add-on packages and package updating could be better.  Some add-on packages just don't work very well, and updating a package sometimes broke it.  This situation has improved as the distro has matured, but I wish they would stop listing buggy alpha-level packages in the add-on repository.  While packages like snort and squid behave very well for me; others like modsecurity drive me batty.

IPFire
free & open source
Good
* impressive GUI
* package system allows installing add-on features
* 64-bit version now available

Bad
* The package system was a bit rough around the edges--it was hard to tell what I was installing as there were few package descriptions.

VyOS
free & open source fork of Vyatta
Good
* 64-bit version available
* It has a growing fan-base, particularly among network engineer types that prefer router-like, CLI-only environments.
* No GUI usually means a light build and nimble performance.

Bad
* CLI only.  To be totally honest, I didn't give this one much of a chance because I was hunting for distros with web GUIs.  CLI might be fine for some people and under some environments, but why bother when other free options give you a GUI?  To me the whole point of a firewall distro is its web GUI.  Without that, I might as well build my own Linux-based firewall and manually configure the packages.  In its defense, VyOS is considered more of a router distro with firewall features, and not a full-blown UTM distro.

Smoothwall

commercial w/ free version
Good
* 64-bit version available
* excellent GUI
* popular--has a large following

Bad
* Free version doesn't allow easy add-on installation.  You have to hack it a bit to extend functionality.

Endian

commercial w/ free version
Good
* clean, functional GUI
* one of the more refined distros I found
* allows for more config tweaks than Untangle (in the GUI)

Bad
* free version doesn't seem to get updated often
* I couldn't find a 64-bit version
* doesn't seem as extensible as other distros

ClearOS
commercial w/ free version
Good
* 64-bit version available
* clean, functional web GUI
* lots of features & plugins that go beyond firewall functionality

Bad
* free feature set isn't as generous as other distros
* No auto updates for IPS/URL filter.  It looks like updates are part of their commercial offering.  Booo!  What good is a free version that doesn't update?

Zentyal
commercial w/ free demo
Good
* gorgeous web-based GUI
* offers a ton of features--it's a full-blown small biz server

Bad
* full of nag screens asking you to buy commercial versions
* updates are NOT free
* the free version is barely functional--it's actually a demo
* For security reasons I'm not a big fan of this all-in-one approach when it comes to firewalls.

Conclusions
I know.  I know.  What about Monowall?  I briefly looked at that one too, but it seemed to be more of a router distro for embedded devices, and not so much a true firewall.  My goal was to find something with UTM features, something I couldn't find at all in Monowall.  Monowall is worth mentioning, though, since PFSense forked from it.  It's also worth mentioning that the Monowall project has officially ended.

Now for some of my findings and determinations:
* Most commercial w/ free version types worked well out of the box, but were difficult to (freely) extend.  This is probably because the extensions are part of their paid offerings.  They gotta make money somehow, right?  If my priority was getting something up and running quickly or I were building something for a friend or company that wants to self-manage, then I'd go with one of these.  Untangle is by far my top choice in this category.  Its free offering is very generous, and its management GUI is top-notch.
* Most free & open source types took more time & effort to figure out, but were more extendable.  If I had free time to burn on learning the quirks and/or were deploying it for system engineer types (like me), then I'd go this route.  PFSense is my top choice in this category, and is my current firewall of choice.
* RAM is cheap and plentiful these days, so I personally tried to stick with 64-bit offerings.  True...I may not use that much RAM in my home firewall, but it's nice to know I could recommend the same distro to a client building a beast monster firewall.
* A few free & open source distros like IPFire and PFSense had ISOs specifically for headless embedded systems, like Alix boards.  If I had an Alix-based system (I used to), I'd probably build it on PFSense or IPFire.

So long story short...mad props to PFSense and Untangle, and a well-deserved honorable mention to IPFire.

UPDATE 1
A kind reader recommended checking out Sophos (previously known as Astaro) as they recently started offering a free home use version of their UTM.  Finding it very impressive, I summarize my experience below.

Sophos UTM
commercial w/ free home/lite editions
Good
* stunning web-based GUI
* 64-bit version available
* extremely generous feature offering in the home version
* boasts features I haven't seen in other UTMs--e.g. endpoint protection, wireless protection, central management, etc.

Bad
* more features means it's more complex to setup and configure
* configuration is sometimes unintuitive

Sophos is a jaw-dropping UTM, and its free home version license is surprisingly generous.  The feature set and web-based GUI easily place it up there with my other 2 top UTM choices--Untangle and PFSense, so it's certainly worth a try-out.  My criticisms are few and admittedly strict.  At times I found that the configuration process took a somewhat unintuitive approach.  It took some getting used to, and perhaps this is simply because I'm a new user of Sophos.

A example of this sometimes unintuitive approach is when configuring country blocking.  If you enable it for a particular country, it blocks all inbound and outbound traffic by default.  You then have to create exceptions if you want to allow certain traffic in or out.  In my case I want to block just inbound mail (smtp) traffic from numerous countries, but allow all countries to view my internally-hosted website.  I also want to allow outbound web browsing to all countries.  Although it does seem possible, my case doesn't seem very intuitive to configure in Sophos.  I understand the advantage of such a heavy-handed approach; but it could make configuration difficult, especially for a niche feature like country blocking.  However, the fact such high-end features are even present in Sophos's free offering illuminates its deserved acclaims.

Overall I'm very impressed with Sophos.  Its free feature set rivals PFSense (which says a lot), while its beautiful GUI rivals Untangle.  Here's the link to Sophos's generous free offerings: http://www.sophos.com/en-us/products/free-tools.aspx

UPDATE 2
Zero Shell
free & open source
Good
* 64-bit version available
* Seems tweaked for headless and low-end systems.
* Innovative "profile" approach for running off a CD or flash memory device could work for some.

Bad
* The web GUI is hard to use.  I really struggled with finding and configuring even basic settings.
* Documentation is lacking, making it even harder to get it up and running.
* Not as easy as other distros to install on a HDD.  I'm not saying it can't be done.  It's just more tedious a process compared with other distros.

UPDATE 3
OPNSense
free & open source
Good
* Forked from PFSense, one of my absolute top favorites.  Those already familiar with PFSense will feel right at home.  I'm excited to see what the future holds for this distro.
* Clean, re-imagined web GUI
* Nice firmware update system
* 64-bit version available
* Paid support available

Bad
* I couldn't find any add-on packages to extend base functionality.  Perhaps this is coming later, as this is a relatively new player.
* Sometimes the larger fonts of the web GUI made it harder to use.  I know I can zoom out in the browser, and maybe I'm just more used to PFSense.  Yes, I know I'm being very nit-picky.

Related Articles

FreeNAS - Bi-Directional Rsync...

Go to /root on 1st server. ssh root@server1 cd /root FreeNAS OS drive is mounted read-only, so mount it RW. mount -o rw / Generate an RSA key & leave the ...

The Hunt for the Ultimate Blue...

I'm obsessed with bluetooth.  So much so that I've been hunting for heaven's own pair of bluetooth headphones for my Tokyo subway commutes.  I'm already on my 5...

Netgear ReadyNAS - Disturbing ...

I have a Netgear ReadyNAS NV+ and have loved everything about it up until now.  I recently enabled password-protected FTP access to 1 share, opened a port in my...

HP Universal Print Driver - Sl...

PROBLEMRecently I switched a number of networked HP printers (Laserjet P4515n) to the universal print driver because the model-specific print driver was crashin...