Did You Know?
Donate to TecMint

LFCS - Linux Foundation Certified SysAdmin - Exam Preparation Guide

10 Useful Open Source Security Firewalls for Linux Systems

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

Being an Nix admin over 5+ years, I always be responsible for the security management of Linux servers. Firewalls plays an important role in securing Linux systems/networks. It acts like an security guard between internal and external network by controlling and managing incoming and outgoing network traffic based on set of rules. These set of firewall rules only allows legitimate connections and blocks those which are not defined.

Linux Firewalls

10 Open Source Linux Firewalls

There are dozens of open source firewall application available for download in the market. Here in this article, we’ve come up with 10 most popular open source firewalls that might be very useful in selecting one that suits your requirements.

1. Iptables

Iptables/Netfilter is the most popular command line based firewall. It is the first line of defence of a Linux server security. Many system administrators use it for fine-tuning of their servers. It filters the packets in the network stack within the kernel itself. You can find a more detailed overview of Iptables here.

Features of IPtables

  1. It lists the contents of the packet filter ruleset.
  2. It’s lightning fast because it inspects only the packet headers.
  3. You can Add/Remove/Modify rules according to your needs in the packet filter rulesets.
  4. Listing/zeroing per-rule counters of the packet filter rulesets.
  5. Supports Backup and restoration with files.

IPtables Homepage
Basic Guide to Linux IPTables Firewall

2. IPCop Firewall

IPCop is an Open Source Linux firewall distribution, IPCop team is continuously working to provide a stable, more secure, user friendly and highly configurable Firewall management system to their users. IPCop provides a well designed web interface to manage the firewall. It’s very useful and good for Small businesses and Local PCs.

You can configure an Old PC as a secure VPN to provide a secure environment over the internet. It’s also keeps some frequently used information to provide better web browsing experience to its users.

Features of IPCop Firewall

  1. Its Color coded Web Interface allows you to Monitor the performance Graphics for CPU, Memory and Disk as well as Network throughput.
  2. It views and auto rotate logs.
  3. Support Multiple language support.
  4. Provides very secure stable and easily implementable upgrade and add on patches.

IPCop Homepage

3. Shorewall

Shorewall or Shoreline Firewall is another very popular Open source firewall specialized for GNU/Linux. It is build upon the Netfilter system built into the Linux kernel that also supports IPV6.

Feature of Shorewall

  1. Uses Netfilter’s connection tracking facilities for stateful packet filtering.
  2. Supports a wide range of routers/firewall/gateway applications.
  3. Centralized firewall Administration.
  4. A GUI interface with Webmin control Panel.
  5. Multiple ISP support.
  6. Supports Masquerading and port forwarding.
  7. Supports VPN

Shorewall Homepage
Shorewall Installation

4. UFW – Uncomplicated Firewall

UFW is the default firewall tool for Ubuntu servers, it is basically designed to lesser the complexity of the iptables firewall and makes it more user friendly. A Graphical user interface of ufw, GUFW is also available for Ubuntu and Debian users.

Features of UFW

  1. Supports IPV6
  2. Extended Logging options with On/Off facility
  3. Status Monitoring
  4. Extensible Framework
  5. Can be Integrated with Applications
  6. Add/Remove/Modify Rules according to your needs.

UFW Homepage
GUFW Homepage
UFW Installation

5. Vuurmuur

Vuurmuur is another powerful Linux firewall manager built or manage iptables rules for your server or network. At the same time its very user friendly to administrate, no prior iptables working knowledge required to use Vuurmuur.

Features of Vuurmuur

  1. Support IPV6
  2. Traffic shaping
  3. More advanced Monitoring features
  4. Real time monitoring connection and bandwidth usage
  5. Can be easily configured with NAT.
  6. Have Anti-spoofing features.

Vuurmuur Homepage
Vuurmuur Flash Demos

6. pfSense

pfSense is another Open Source and a very reliable firewall for FreeBSD servers. Its based on the concept of Stateful Packet filtering. It offers wide ranges of feature which is normally available on expensive commercial firewalls only.

Features of pfsense

  1. Highly configurable and upgraded from its Web – based interface.
  2. Can be deployed as a perimeter firewall, router, DHCP & DNS server.
  3. Configured as wireless access point and a VPN endpoint.
  4. Traffic shaping and Real Time information about the server.
  5. Inbound and Outbound load balancing.

pfSense Homepage

7. IPFire

IPFire is another open source Linux based firewalls for Small Office , Home Office (SOHO) environments. Its designed with modularity and highly flexibility. IPfire community also took care of Security and developed it as a Stateful Packet Inspection(SPI) firewall.

Features of IPFire

  1. Can be deployed as a firewall, a proxy server or a VPN gateway.
  2. Content filtering
  3. Inbuilt Intrusion detection system
  4. Supports through Wiki, forums and Chats
  5. Support hypervisors like KVM, VmWare and Xen for Virtualization environment.

IPFire Homepage

8. SmoothWall & SmoothWall Express

SmoothWall is an Open Source Linux firewall with a highly configurable Web based interface. Its Web based interface is know as WAM (Web Access manager). A freely distributable version of SmoothWall is know as SmoothWall Express.

Features of SmoothWall

  1. Supports LAN, DMZ, and Wireless networks, plus External.
  2. Real Time content filtering
  3. HTTPS filtering
  4. Support proxies
  5. Log viewing and firewall activity monitor
  6. Traffic stats management on per IP, interface and visit basis
  7. Backup and restoration facility like.

SmoothWall Homepage

9. Endian

Endian firewall is another Stateful packet Inspection concept based firewall which can be deployed as routers, proxy and Gateway VPN with OpenVPN. Its originally developed from IPCop firewall which is also a fork of Smoothwall.

Features of Endian

  1. Bidirectional firewall
  2. Snort Intrusion prevention
  3. Can secure web server with HTTP &FTP proxies, antivirus and URL blacklist.
  4. Can secure Mail servers with SMTP and POP3 proxies, Spam Auto-learning, Greylisting.
  5. VPN with IPSec
  6. Real time Network traffic logging

Endian Homepage

10. ConfigServer Security Firewall

Last, But not the last Configserver security & firewall. It’s a cross platform and a very versatile Firewall, it’s also based on the concept of Stateful packet inspection (SPI) Firewall. It supports almost all Virtualization environments like Virtuozzo, OpenVZ, VMware, XEN, KVM and Virtualbox.

Features of CSF

  1. Its daemon process LFD( Login failure daemon) checks for login failures of sensitive servers like ssh, SMTP, Exim, Imap,Pure & ProFTP, vsftpd, Suhosin and mod_security failures.
  2. Can configure email alerts to notify if something goes unusual or detect any kind of intrusion on your server.
  3. Can be easily integrated popular web hosting control panels like cPanel, DirectAdmin and Webmin.
  4. Notifies excessive resource user and suspicious process via email alerts.
  5. Advanced Intrusion detection system.
  6. Can protect your linux box with the attacks like Syn flood and ping of death.
  7. Checks for exploits
  8. Easy to start/restart/stop & lots more

CSF Homepage
CSF Installation

Other than these Firewalls there are many other firewalls like Sphirewall, Checkpoint, ClearOS, Monowall available in the web to secure your Linux box. Please let the world know which is your favourite firewall for your Nix box and leave your valuable suggestions and queries below in the comment box. I’ll come with another interesting article soon, till then stay healthy and connected with Tecmint.com.

I am a linux server admin and love to play with Linux and all other distributions of it. I am working as System Engineer with a Web Hosting Company.

Your name can also be listed here. Work as a Paid freelancer/writer at TecMint.
Download Free eBooks
Advanced Bash-Scripting Guide
Linux Bible
A Newbie's Getting Started Guide to Linux
Ubuntu Linux Toolbox: 1000+ Commands

22 Responses

  1. Nuno Silva says:

    So, what’s your favourite and why?
    (currently i’m using pfSense (still the version 1.2.3)

  2. Rommel Kapunan says:

    i have tried iptables, endian, ipcop, clearOS. but sticked w/ pfire for the last two years…u

  3. knut says:


    i’m wondering if anyone of these really deliver any useful content inspection. Too me it seems like most of these FW’s do stateful inspection, packet header inspection and so on. But is that really enough ? not seeing deeper into the trafic, must be considered a major weakness in any firewall solution. It seems like the next generation firewalls will have a content inspection on a much higher level. And toady it will most certainly be needed one should think.


  4. Taikedz says:

    My question is – do you use one of them, or a combination of several? Do they conflict?

    Since they each have a mission to block or allow traffic, I can see these interfering with eachother’s policies, so only use one. If for example using anything other than IPTables, one would have to open up IPTables completely and then allow the other software to manage the ports and access.

    Is that how it goes?

  5. David John says:

    I have tried most of them but very recently I heard a heard good reviews about this modsec.. https://waf.comodo.com/. I would like to give it a try and guys lets try this for a better web security.

  6. simplewall says:

    Guys am the author of Simplewall.

    Simplewall is integrated:

    1. Content Filter.
    2. IPS(intrusion protection system).
    3. OpenVPN.
    & much more .

    lets try this. Your feedbacks will help us to make it better & better.

    • Ravi Saive says:

      Dear Author,

      I suggest you to write a review about your product that would cover description, features and installation at tecmint.com for maximum exposure of your product..

  7. Bhanuprasad Kunde says:

    Hi Geeks,

    I am Bhanuprasad Kunde. I am working as Sr. Tech. support engineer. I have several times installed CSF firewall as well as APF firewall on our clients web-servers and I have that CSF Firewall is very secured then APF.


  8. Pratheep says:


    Can you please recommend a open source Linux firewall cum router which is having below features. We need for Centos6.

    1. Need to support three ISP with load balancing and fail over
    2. Need to handle all content filtering without proxy(as like hardware firewall). Proxy is controlling only http traffic.
    3. Content filtering with category (Need to block sports, news, social category sites instead of defining the exact URL)
    4. NAT

    I’ll be thankful if you can suggest.

  9. John S says:

    This post is a little old now but…….

    So any out there that particularly excel at prioritizing VOIP traffic? At my company we are not really satisfied with lower tier Sonicwalls and find there is a gap cost wise between lower cost and higher cost products for our small to medium sized customers.

    In short, I think we are going to start building our own firewalls for our customers.

    • A Gallo says:

      a month later… reply.

      Take a look at Sophos UTM. I have been playing around with different solutions and I am absolutely amazed at the free version. My original goal was to find a solid web filter and played with pfSense, and Untangle. Neither offered what Sophos has; granted for home use its free but for business I do not know how it compares.

      Sophos 9.2
      Running on:
      2GB DDRII
      Intel Atom D510 1.66GHz DualCore

      (actually its a Cisco NSS322)

  10. Thorben Kaufmann says:

    Sophos is a Limeted from UK. I don’t trust any comercial companies from GB or USA. And furthermore their headquarter in Germany is in Wiesbaden: Thats the new big-knot for NSA spying. I think it would be better you had NO protection than by a company with that footprint!

    Maybe when you trust MS, Apple, Oracle, Intel, NSA, BND, GCHQ and all other misanthropists .. thats ok for use.
    I prefer setting up and compiling my own cascaded castle with sourcecode and engines I trust. Maybe that’s lot of work – yes it is – but I don’t like to spend my money for dictators and criminal gangs like listed above! Nevermore!

  11. Michael says:


    Configserver, UFW, Shorewall… are nothing but front ends to make using iptables easier.

    There is only ONE firewall on LINUX – iptables.

    Everything else is a front end to iptables. There are more front ends such as Arno’s firewall, KISS etc.

    PfSense is a BSD firewall – nothing to do with Linux.

    Evidently, half baked knowledge is a wonderful thing.

  12. Ambesh says:

    in my small network i want to block few selected websites and application like torrent downloader….plz suggest me few open source firewalls which can do my work perfectly. i have CentOS 6.3 in admin PC and rest PC are windows.

  13. Squidblacklist.org is the worlds leading publisher of native acl blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms. Including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.


    Benjamin E. Nichols

  14. vijay says:

    hi , i want block not to uploding my files to internet . like pdf ,ppt, doc, kind of files. users not allow organigation classified information files to gmail attchments . i tried every possible way some of opensource firewalls , but i could not get this kind of policy please help me out with open source firewall and linux.

  15. Nix says:

    All you need is to type these two commands in a terminal emulator.

    No need to install third party firewalls.

    sudo ufw enable
    sudo ufw default deny

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.