
The Hunt For the Ultimate Free Open Source Firewall Distro

I've been a hard-core Untangle fan for several years now, but I recently wanted to explore other firewall options.  Untangle is built around a commercial product, so it charges money for its high-end features.  However, I figured that since most of those features are covered by the open source community, there must be non-commercial options out there.  I began my hunt for the best free firewall.  I scoured the internet, downloading any and all offerings from two principal types of entities: 1. companies with an open source community branch or a free non-trial version, and 2. open source community projects ("free as in speech", or free software with a paid-support business model).

I tried just about every ISO I could get my hands on.  I thought I had my work cut out for me since I found far more of them than I had expected.  But I did notice some common themes--several of them seemed to share common ancestors / packages (e.g. Squid, Debian, FreeBSD, etc).  Here's a list of what I found along with my impressions.

Untangle
commercial w/ free version
Good
* 64-bit version available
* awe-inspiring web-based GUI
* very easy to setup & get up and running quickly
* free version is very functional--plenty of features for most home networks
* updating is fully automatic

Bad
* must pay for high-end features
* slow boot-up & shutdown times

PFSense
free & open source
Good
* 64-bit version available
* Most feature-rich free firewall distro I've ever used.  You can get it to land space ships on Mars.
* solid performance and stability
* light and nimble--much faster boot-up/shutdown than Untangle
* has a vast following, so the documentation & forums helped me get my head around it

Bad
* Not as simple and easy to understand as Untangle.  You have to put some time & effort into learning it, especially if you're going to use the add-on packages.
* Add-on packages and package updating could be better.  Some add-on packages just don't work very well, and updating a package sometimes broke it.  This situation has improved as the distro has matured, but I wish they would stop listing buggy alpha-level packages in the add-on repository.  Packages like snort and squid behave very well for me, while others like modsecurity drive me batty.

IPFire
free & open source
Good
* impressive GUI
* package system allows installing add-on features

Bad
* The package system was a bit rough around the edges--it was hard to tell what I was installing as there were few package descriptions.
* 32-bit only

IPCop
free & open source
Good
* solid performer
* one of the more popular and long-running firewall distros

Bad
* IPFire is very similar, and seems further along in development--at least in terms of its web GUI.
* Didn't seem as easy to extend as other distros

VyOS
free & open source fork of Vyatta
Good
* 64-bit version available
* It has a growing fan-base, particularly among network engineer types that prefer router-like, CLI-only environments.
* No GUI usually means a light build and nimble performance.

Bad
* CLI only.  To be totally honest, I didn't give this one much of a chance because I was hunting for distros with web GUIs.  CLI might be fine for some people and under some environments, but why bother when other free options give you a GUI?  To me the whole point of a firewall distro is its web GUI.  Without that, I might as well build my own Linux-based firewall and manually configure the packages.  In its defense, VyOS is considered more of a router distro with firewall features, and not a full-blown UTM distro.

Smoothwall
commercial w/ free version
Good
* 64-bit version available
* excellent GUI
* popular--has a large following

Bad
* Free version doesn't allow easy add-on installation.  You have to hack it a bit to extend functionality.

Endian
commercial w/ free version
Good
* clean, functional GUI
* one of the more refined distros I found
* allows for more config tweaks than Untangle (in the GUI)

Bad
* free version doesn't seem to get updated often
* I couldn't find a 64-bit version
* doesn't seem as extensible as other distros

ClearOS
commercial w/ free version
Good
* 64-bit version available
* clean, functional web GUI
* lots of features & plugins that go beyond firewall functionality

Bad
* free feature set isn't as generous as other distros
* No auto updates for IPS/URL filter.  It looks like updates are part of their commercial offering.  Booo!  What good is a free version that doesn't update?

Zentyal
commercial w/ free demo
Good
* gorgeous web-based GUI
* offers a ton of features--it's a full-blown small biz server

Bad
* full of nag screens asking you to buy commercial versions
* updates are NOT free
* the free version is barely functional--it's actually a demo
* For security reasons I'm not a big fan of this all-in-one approach when it comes to firewalls.

Conclusions
I know.  I know.  What about Monowall?  I briefly looked at that one too, but it seemed to be more of a router distro for embedded devices, and not so much a true firewall.  My goal was to find something with UTM features, something I couldn't find at all in Monowall.  Monowall is worth mentioning, though, since PFSense forked from it.  It's also worth mentioning that the Monowall project has officially ended.

Now for some of my findings and determinations:
* Most commercial w/ free version types worked well out of the box, but were difficult to (freely) extend.  This is probably because the extensions are part of their paid offerings.  They gotta make money somehow, right?  If my priority was getting something up and running quickly or I were building something for a friend or company that wants to self-manage, then I'd go with one of these.  Untangle is by far my top choice in this category.  Its free offering is very generous, and its management GUI is top-notch.
* Most free & open source types took more time & effort to figure out, but were more extendable.  If I had free time to burn on learning the quirks and/or were deploying it for system engineer types (like me), then I'd go this route.  PFSense is my top choice in this category, and is my current firewall of choice.
* RAM is cheap and plentiful these days, so I personally tried to stick with 64-bit offerings.  True...I may not use that much RAM in my home firewall, but it's nice to know I could recommend the same distro to a client building a beast monster firewall.
* A few free & open source distros like IPFire and PFSense had ISOs specifically for headless embedded systems, like Alix boards.  If I had an Alix-based system (I used to), I'd probably build it on PFSense or IPFire.

So long story short...mad props to PFSense and Untangle, and a well-deserved honorable mention to IPFire.

UPDATE - 2013/7/18
A kind reader recommended checking out Sophos (previously known as Astaro) as they recently started offering a free home use version of their UTM.  Finding it very impressive, I summarize my experience below.

Sophos UTM
commercial w/ free home/lite editions
Good
* stunning web-based GUI
* 64-bit version available
* extremely generous feature offering in the home version
* boasts features I haven't seen in other UTMs--e.g. endpoint protection, wireless protection, central management, etc.

Bad
* more features means it's more complex to setup and configure
* configuration is sometimes unintuitive

Sophos is a jaw-dropping UTM, and its free home version license is surprisingly generous.  The feature set and web-based GUI easily place it up there with my other 2 top UTM choices--Untangle and PFSense, so it's certainly worth a try-out.  My criticisms are few and admittedly strict.  At times I found that the configuration process took a somewhat unintuitive approach.  It took some getting used to, and perhaps this is simply because I'm a new user of Sophos.

An example of this sometimes unintuitive approach is configuring country blocking.  If you enable it for a particular country, it blocks all inbound and outbound traffic for that country by default.  You then have to create exceptions if you want to allow certain traffic in or out.  In my case I want to block just inbound mail (SMTP) traffic from numerous countries, but allow all countries to view my internally-hosted website.  I also want to allow outbound web browsing to all countries.  Although it does seem possible, my case doesn't seem very intuitive to configure in Sophos.  I understand the advantage of such a heavy-handed, default-deny approach; but it can make configuration difficult, especially for a niche feature like country blocking.  However, the fact that such high-end features are even present in Sophos's free offering shows why it deserves its acclaim.
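To make the ordering question concrete, here is an added example (not code from the original post, from Sophos, or from any distro reviewed here) that models the policy described above as a first-match rule list in Python.  The GeoIP prefixes (RFC 5737 documentation ranges), the placeholder country codes XA/XB, and the sample flows are all constructed for the illustration.  It evaluates the same flows against a targeted rule set and against the "block the country, then add exceptions" shape, and reports where the two disagree.

```python
"""First-match firewall policy, two ways, for the country-blocking case.

Added example, not code from the post or any reviewed product.  The GeoIP
table, the codes XA/XB and the flows below are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table: prefix -> code.  XA/XB are user-assigned codes,
# so they never collide with a real country.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "XA",
    ipaddress.ip_network("203.0.113.0/25"): "XB",
}
BLOCKED = frozenset({"XA", "XB"})   # countries we refuse inbound mail from
WEB = frozenset({80, 443})
MAIL = frozenset({25})


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP.items():
        if addr in net:
            return code
    return None                     # not in any listed region


@dataclass(frozen=True)
class Flow:
    direction: str   # "in": Internet -> our host, "out": our host -> Internet
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A field left as None is a wildcard."""
    action: str                               # "allow" or "deny"
    direction: Optional[str] = None
    src_countries: Optional[frozenset] = None
    dst_countries: Optional[frozenset] = None
    dports: Optional[frozenset] = None

    def matches(self, f: Flow) -> bool:
        if self.direction is not None and f.direction != self.direction:
            return False
        if self.src_countries is not None and country_of(f.src) not in self.src_countries:
            return False
        if self.dst_countries is not None and country_of(f.dst) not in self.dst_countries:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        return True


def evaluate(rules, flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# What the text asks for, as targeted rules: deny only inbound SMTP from the
# blocked countries, then the ordinary allow rules.
TARGETED = [
    Rule("deny", "in", src_countries=BLOCKED, dports=MAIL),
    Rule("allow", "in", dports=MAIL | WEB),
    Rule("allow", "out"),
]

# The "block the country, then add exceptions" shape: exceptions must sit
# above the per-country deny rules or they never fire.
COUNTRY_FIRST = [
    Rule("allow", "in", src_countries=BLOCKED, dports=WEB),   # website stays reachable
    Rule("allow", "out", dst_countries=BLOCKED, dports=WEB),  # browsing still works
    Rule("deny", src_countries=BLOCKED),
    Rule("deny", dst_countries=BLOCKED),
    Rule("allow", "in", dports=MAIL | WEB),
    Rule("allow", "out"),
]

# Constructed sample flows; 203.0.113.200 lies outside both prefixes.
FLOWS = {
    "smtp_from_blocked":   Flow("in", "198.51.100.10", "192.0.2.25", 25),
    "https_from_blocked":  Flow("in", "203.0.113.7", "192.0.2.25", 443),
    "smtp_from_elsewhere": Flow("in", "203.0.113.200", "192.0.2.25", 25),
    "ssh_from_blocked":    Flow("in", "198.51.100.10", "192.0.2.25", 22),
    "web_to_blocked":      Flow("out", "192.0.2.25", "198.51.100.80", 443),
    "ntp_to_blocked":      Flow("out", "192.0.2.25", "203.0.113.7", 123),
}


def compare() -> dict:
    """Verdict of each policy per flow: name -> (targeted, country_first)."""
    return {name: (evaluate(TARGETED, f), evaluate(COUNTRY_FIRST, f))
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (t, c) in compare().items():
        flag = "" if t == c else "   <-- policies disagree"
        print(f"{name:20s} targeted={t:5s} country_first={c:5s}{flag}")
```

Run it and the ntp_to_blocked flow is the one that differs: the country-first policy drops any outbound traffic to a blocked country that is not covered by an explicit exception.  That is exactly the default-deny safety of the heavy-handed approach, and also why every additional legitimate protocol costs another exception rule; in a real firewall the GeoIP table is the vendor's, but rule order matters in the same way.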

Overall I'm very impressed with Sophos.  Its free feature set rivals PFSense (which says a lot), while its beautiful GUI rivals Untangle.  Here's the link to Sophos's generous free offerings: http://www.sophos.com/en-us/products/free-tools.aspx

UPDATE - 2013/8/20
A reader recommended checking out Open Edgewize (previously known as Sphirewall), which I did...

Open Edgewize
free & open source
Good
* Debian-based, a solid OS to build a firewall distro upon
* uses a kernel hook instead of iptables, an innovative approach
* 64-bit version available
* I've heard their support is excellent, and commercial support is available
* Excellent traffic statistics and analytics

Bad
* The web-based GUI doesn't seem finished to me.  I think this distro needs a bit more work, esp. the GUI.
* Configuration isn't as intuitive as other distros
* Missing UTM features found in other distros

I struggled a bit with Open Edgewize because the installation and configuration didn't flow as easily as most other distros I tried.  For example, it didn't ask me which network interface was inside and which was outside.  The GUI was suspiciously minimalist--so much so that it doesn't seem finished.  Although Open Edgewize wouldn't be a top choice of mine at the moment, it has the potential to be a solid UTM distro as it continues to mature.

UPDATE - 2013/9/9
Zero Shell
free & open source
Good
* 64-bit version available
* Seems tweaked for headless and low-end systems.
* Innovative "profile" approach for running off a CD or flash memory device could work for some.

Bad
* The web GUI is hard to use.  I really struggled with finding and configuring even basic settings.
* Documentation is lacking, making it even harder to get it up and running.
* Not as easy as other distros to install on an HDD.  I'm not saying it can't be done.  It's just a more tedious process compared with other distros.

UPDATE - 2015/4/21
OPNSense
free & open source
Good
* Forked from PFSense, one of my absolute top favorites.  Those already familiar with PFSense will feel right at home.  I'm excited to see what the future holds for this distro.
* Clean, re-imagined web GUI
* Nice firmware update system
* 64-bit version available
* Paid support available

Bad
* I couldn't find any add-on packages to extend base functionality.  Perhaps this is coming later, as this is a relatively new player.
* Sometimes the larger fonts of the web GUI made it harder to use.  I know I can zoom out in the browser, and maybe I'm just more used to PFSense.  Yes, I know I'm being very nit-picky.

  • Guest - Edward Wong

    Guest - kev

    OPNsense is based on an older beta version of pfSense, and is now considered to be just starting up; there were quite a lot of bugs in OPNsense which require effort from the pfSense team to close out. I agree that it has better docs, but I will say it's not the time to try it out yet; it probably needs to wait longer to become mature.

    from Hong Kong
  • Guest - ER Samson

    How about testing out Sophos Firewall XG? :)

    from Pasig, Metro Manila, Philippines
  • ER Samson - The issue with XG is that it has a great UI but wants to be "all things" in your network, managing wireless, etc. If you want that then great, otherwise it's too much. And their "registration" process is also a bit challenging in this release.

  • Guest - Edward Wong

    I started to use pfSense from v0.9-1.2; it's solid. My company at that time had a lot of issues, like 150-200 people sharing 2M+5M ADSL, which was always saturated, and the blocking of outside access due to the Great Firewall in China. I picked pfSense and then used its squid + load balancing + OpenVPN; it worked like a charm, people stopped complaining immediately, and the hardware I used was just a Pentium 4 + 4 x 100M NICs.
    Learning is not difficult. I understand that the official docs are not doing very well, but the community does provide a lot more ideas. Since I picked pfSense, I passed the management to one of my subordinates; he managed to build and pair it up with a VPN at a remote site himself by reading forum posts. I played with RouterOS for a couple of years later but returned to pfSense because I feel that they are really doing a good job.

    Currently at my home, I have a Jetway NF9HG-2930 ThinITX board with 4 x Intel i211AT NIC onboard to do a 1G router.

    P.S. By the time I write this post, pfSense 2.3 is out, based on FreeBSD 10.x and... finally, they gave up the PBI package installation model and adopted the official FreeBSD way for package installation. That means no more trouble with package installation!

    from Hong Kong
  • Guest - ByDefault

    Hey, have you checked Nethserver out?

  • Guest - steve

    Hi

    I have quite some experience with SonicWalls, and for home use I tried Sophos XG.

    The GUI and the idea of rule management are great. However, very annoying was that I never got it "all" to work flawlessly; there was always something that just wasn't quite right (i.e. Windows Updates not working because of a blocked malware scan - WTF!?).
    So I had to do quite some workarounds to make it finally all work, and then I realized that the virus scanner wasn't always kicking in, and I got fed up. So from my perspective it is not good for home users, as there is too much to be done to get it working correctly.

    Now that pfSense 2.3 is out I might give that a try again. v2.2 worked quite OK; only installing the packages was a pain.
    Otherwise it is going to be Untangle for me.

  • Guest - Robert Chadwick

    Guest - steve

    Interesting. I'd actually consider blocking certain Windows sites a feature. As Windows 10 spies heavily on its users, and Microsoft is releasing updates to Windows 7 and 8.1 to do the same things, blocking Microsoft's telemetry sites is very welcome. I'm afraid to try XG until I'm sure I'm not a guinea pig, and I don't know whether blocking Microsoft updates was intentional or not.

  • Guest - Robin

    IPFire is nice, but it's almost totally lacking in IPv6 support (as of version 2) and multiple gateways. I've high hopes for v3 though!

  • Guest - Rhandy

    This article is really awesome. At the moment, I am also on a hunt for a firewall. I've actually tried maybe more than half of these. pfSense is cool in terms of its speed and hardware compatibility, but I am not satisfied with its IPS/IDS. I've tried implementing the snort package, but it blocks a lot of legit websites. I'm into Untangle right now, but because I can't see the "Web Application Filter (WAF)" which is present in Barracuda, Fortinet and SonicWall, I think I will still be looking at Sophos UTM because the author emphasized its generous nature.

  • Guest - Gary

    Untangle is now available for home users for $50/year or $5/month. This is the full-blown version, for home/personal use. Sure, not free, but at least it is affordable now. It is pretty easy to set up and use.