This is the Fastest review EVER of 5 Linux firewall distributions.*

*fastest review by this author.

I’ve got a P3 500MHz PC w/ 192MB of RAM and a 1GB Transcend Flash IDE module that I’ve been running as a Linux-based IPCop firewall platform for around the last two years.  It’s been running IPCop after testing out m0n0wall, SmoothWall, pfSense and IPCop.  pfSense impressed me, but wasn’t quite polished enough for me.  m0n0wall and SmoothWall had their various problems with the current releases back then, and IPCop won my vote by default.

Two years have passed since then; let's see if anything is different this time around.

Here are my personal criteria for gauging the usefulness of a Linux firewall:

1.  Ease of installation without reading the instructions.
2.  How “friendly” and “snazzy” the WebGUI interface is.
3.  Has an easy to use or install OpenVPN server.
4.  Print server integration difficulty. 

ClarkConnect - http://www.clarkconnect.com/
I tried Community Edition 4.1, released on 04/18/2007.  ClarkConnect (hereafter CC) appears to be a trimmed-down Red Hat distribution with a firewall GUI tacked on.  Installation took about 1.5 hours while reading ZERO documentation; it would have gone considerably faster if I had read the instructions, but I’m doing this for fun.  CC can certainly make use of better hardware than the rest.  The WebGUI looked great but was very slow, and updating was extremely slow.  Strangely, it was using apt-get (according to top while connected to the machine via SSH) to update the system; what is wrong with YUM?  ClarkConnect appears to be the most full-featured of these firewall-oriented distributions.  It has VERY slick integration with the CC website: DynDNS service, update monitoring, security audits, etc., but for a price.  OpenVPN installation was as easy as 5 clicks in the WebGUI.  The print server was just as easy to install.  Color me impressed.

Pros:  Slick website, full-featured, enterprise capable.  Print server built in!
Cons:  Requires a fast PC; installation was moderately hard.

IPCop - http://www.ipcop.org/
I like IPCop, but it’s not quite what I’m looking for.  It’s a firewall first and doesn’t really do anything else other than slap a usable WebGUI on top of iptables.  It’s very stable, and the graphs are terrific and informative.  Lots of people use IPCop, and it has the Ubuntu effect going on in its forums: lots of people use it, so lots of people HELP you for FREE.  Getting a print server running requires some serious hacking as far as I can tell.  OpenVPN is not as bad: there is a plugin, which actually integrates into the WebGUI.

Pros:  Good support is available because so many people use it.
Cons:  Lack of printing ability.  OpenVPN install requires some hacking. 

m0n0wall - http://m0n0.ch/wall/
The 1.231 version image failed to boot properly on my testbed.  It came up and the normal boot-up kernel text flew across the screen, but then a message popped up saying it was going to reboot in 15 seconds.  Perhaps it is because I had some hardware that was unsupported, but I have used it in the past on the same hardware.  I will still endorse m0n0wall if you ever think of buying a Soekris, PC Engines WRAP or perhaps even a RouterBoard: this is the distribution tailored specifically for those platforms.

m0n0wall did not finish testing, and unfortunately I did not have time to attempt resolving this issue. 

SmoothWall - http://www.smoothwall.org/
I am SO impressed by SmoothWall 3.0 Express.  It oozed “gee, that’s smart” and “wow!” moments as I moved from one portion of the WebGUI to another: real-time monitoring of IM conversations if the IM proxy service (totally transparent to the user) is enabled (VERY Big Brother-ish, à la dsniff), a Java SSH client, my.SmoothWall website integration which is similar to ClarkConnect’s website integration, real-time graphing of network traffic, and the list goes on and on.  The installation was very easy, and installing a print server using Samba is possible.  SSH access is easy: just one checkbox.  The Java-based SSH client is available right inside the WebGUI, a very nice addition!  I found a terrific mod that checks the signal strength of my Motorola cable modem (many others are supported) and graphs it.  Terrific!  Now I can nail my ISP when the signal strength dies!  This is FAR better than when I tried the original release of 3.0 (or was it an RC?), which had a terrible “DHCP on RED” bug that made it impossible for me to use out of the box.

Pros:  Great modding community that adds new features easily, along with a forum that has walkthroughs for installing Samba.  The GUI is very robust.
Cons:  Printing and OpenVPN not installed out of the box, but these are easily fixed. 

pfSense - http://www.pfsense.com/
I tested the 1.2 RC2 version of pfSense.  I was rather interested in seeing what has changed since the 0.9 releases.  Oh… it’s nice.  DMZ works now, which previously did not work properly for me.  A little technical know-how is still required to figure out how to get it online.  Ethernet interfaces are presented in a list by driver name (e.g. fxp0, rl0), so unless you know which vendor equates to which interface name, you have to guess which is which.  This is in stark contrast to other firewall distributions (SmoothWall/IPCop), which show the full name of the adapter instead of a driver name.  This is not the friendliest way of doing things.  A pseudo SSH tool is available in the GUI: just type your command into a text box, and the output is shown in the WebGUI.  VPN was the easiest to get working in this distribution.  This distribution does not use the common color-oriented, user-friendly way of configuring the network segments (i.e. GREEN/RED); instead it uses the better-known LAN/WAN combination and allows you to rename the interfaces to whatever you would like.  pfSense has come a long way in a short period of time.

Pros:  Nice WebGUI, graphs look better than most, full-featured and doesn’t require top-end software.
Cons:  Does not have any mods that I am aware of or can find.

Summary:
ClarkConnect:  Two thumbs up for people with newer hardware.  Instructions are recommended.  Print server installed by default!
IPCop:  Terrific as a firewall, has limited plugin availability.  IPCop is easy as pie to install.  No instructions needed. 
m0n0wall:  Did not finish testing. 
SmoothWall:  Terrific WebGUI and mySmoothWall integration is bar none the killer app for a firewall appliance.  Many modifications are available.  No instructions needed.
pfSense:  Has nearly as many features as ClarkConnect, without the problem of WebGUI latency.  Instructions probably needed the first time around.

Conclusion:
SmoothWall Express 3.0 is the winner of this round-up.  I’ve already switched to SmoothWall myself.  If you are running IPCop or m0n0wall, this is a good performer on low-end hardware.  ClarkConnect wins an honorable mention, and I recommend this distribution if you have newer hardware.

  • http://www.digg.com/ ToadLeg

    How do these compare to Firestarter? Could you add a review of it here?

  • http://www.digg.com/ ToadLeg

    oh, external firewalls…nevermind

  • MxxCon

    I think it’s silly of you to count lack of mods against pfSense.
    People make mods if the main tree doesn’t suit them… the fact that such a widely used firewall doesn’t have them means the stock version of pfSense is sufficient. The same cannot be said about IPCop.

    If by “mods” you mean additional software, pfSense has a pretty big list of additional packages that can be installed from the WebGUI.

    oh ya, and the most important thing,
    PFSENSE IS NOT LINUX! and calling it linux is disrespectful toward its developers.

  • Wayne

    MxxCon, good point. I should have entitled this article with the term “Unix-Derivative-Based Firewalls” instead.

  • Travis

    I was originally wanting to run IPCop on my new Dell PowerEdge 2950 but the 2.4 kernel does not recognize the RAID drive. (“No harddisk found.”)

    I was told by lots of people that Smoothwall would work since it’s built on the 2.6 kernel. Nope. Same error.

    Maybe I’m being ignorant, but why would RAID not be a good idea for a firewall machine that kills your company’s Internet connection if it goes down? I’m not looking to protect data, I’m looking to ensure up time as much as possible.

  • http://chrisbuechler.com Chris Buechler

    Just curious, what kind of pfSense mods are you after? pfSense does have a package system that includes a number of add ons, and we welcome people to contribute more (or suggest some).

    Getting away from the color coded interfaces is a good thing. And since pfSense and m0n0wall don’t have the limitation of only 4 interfaces, coloring could get out of hand quickly. Some people run hundreds of interfaces on a single firewall (with VLAN’s), the colors would get pretty ridiculous. :)

  • Wayne

    Travis:
    Why not use a solid state drive such as a bootable CF interface or a Disk on Chip IDE module? It’s not like you’re going to fill up a disk with logs, and if you are, why not run a syslog server?

    Chris:
    Is there a link for the add-ons information? I agree on the colors thing, red/green/orange/blue/purple/fuchsia/etc. Can you imagine someone saying something like this…

    “We’ve gotta change the subnet masking on apricot and eggplant NOW, the sales department just doesn’t stop growing!”

    Colored interface schemes are not terrible for home/soho usage.

  • http://chrisbuechler.com Chris Buechler

    Wayne: System -> Packages in the web GUI.

    No other info available yet other than what you find there, though we have some improvements in the works.

  • http://www.a9k.info a9k

    Wayne:
    Thanks for this article. You saved me from putting “Review firewalls again” on my weekend “fun” list. I too had tried the whole set a couple years back and landed on IPCop.
    To IPCop’s credit, I have placed one in an ISP between their web/mail/dns servers and the wild wild internet while being actively and viciously hacked for a week. It handled the traffic fine at about 2Mbit/sec level. Their traffic doesn’t exceed that. I locked the hacker right out of those servers. He got into the staff’s PCs next. Another IPCop between the staff and the world and end of problem.

    Travis:
    I had a LOT of trouble getting RAID running on my Dell PowerEdge in Ubuntu 6.06. I will never buy hardware RAID again. Waste of money. I’m using Linux software RAID instead on the non-Dells.

    This link had info that finally got me on the right track:
    http://mcwhirter.com.au/craige/blog/2006/Using-a-Standard-Debian-Ubuntu-Kernel-on-DELL-PERCraid-Servers
    There were still hours of cussing. I left this note to myself:
    “megaraid_sas megaraid use /etc/mkinitramfs not mkinitrd but mkinitramfs”

    IPCop doesn’t have apt-get so is ruled out. ClarkConnect says they recommend RAID.
    There is a huge difference between Linux software RAID and Dell’s many hardware incarnations of RAID. So just because ClarkConnect says RAID is great doesn’t mean they will have support for megaraid_sas built in.

    You might want to boot your Dell up off the latest Ubuntu CD and see if the RAID is recognized. If so, you should be able to find the hardware RAID driver in use with “lsmod”. It will probably be megaraid or megaraid_sas.

    Good Luck!

  • Clive

    I’ve used SW since rel 0.9 (2000). You’re on the money about SW-3.0, I tried it for a week but I’m still leaning on 2.0 (with the super-kernel from forge). Far more plugins are available for 2.0, so I’m waiting for urlfilter and advproxy to get more polished before trying 3.0 again. Cheers.

  • http://www.fsckin.com/ Wayne

    Clive, thanks for the comment!

    I agree, there are more plugins for 2.0, and I will be revisiting this topic soon – SW 3.0 (although, it is likely a plugin I’m using) has a memory leak of sorts.

    The memory leak is not something that completely breaks the firewall, but it is annoying to look at the memory and see that 98% of it is being utilized after several weeks.

    Also, nobody that I know of has written a program to cache disk writes to expand the life-time of the IDE flash module I use. That’s one thing that sold me on IPCop last round.

  • Eric

    Nice review. Our church installation requires VLANs for our multi-SSID APs and we didn’t have the funds to spend for corporate versions that support VLANs (e.g., SmoothWall). So, I selected pfSense, which has all the packages I required out-of-the-box. It has a great HTTP GUI as well as other critical features.

    I certainly hope that everyone who sets up any firewall uses a review like this as a starting point. Doing a firewall correctly requires taking time to write requirements, do evaluations, write an implementation plan, and test against the requirements.

  • http://www.fsckin.com/ Wayne

    Eric,

    I’m glad you were able to find my review informative and helpful.

    Due to the popularity of this article, I will be writing a follow up.

  • Clive

    Hi again, you wrote:
    “..it is annoying to look at the memory and see that 98% of it is being utilized after several weeks..”
    I hope that the 98% does not include swap usage!

    If it doesn’t, then this just means Linux is running as normal. Linux would rather cache in RAM for speed than overwork hard drives and leave RAM wasted and doing nothing (as is found in Windows). – C
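An added example, not part of the post or of Clive's comment: a small Python script that parses a /proc/meminfo-style snapshot and separates page cache from memory that applications actually hold, which is the distinction Clive is drawing about the "98% used" figure. The sample values (a 192 MB box after weeks of uptime) and the 80% threshold are constructed assumptions.

```python
# Added example (not from the post or its commenters): show how much of a
# "98% memory used" reading is really reclaimable page cache.
import re

# Constructed sample in /proc/meminfo format (values in kB); it is meant to
# resemble a 192 MB firewall box after weeks of uptime, not a real capture.
SAMPLE_MEMINFO = """\
MemTotal:         190000 kB
MemFree:            3800 kB
Buffers:           42000 kB
Cached:           101000 kB
SwapCached:            0 kB
SwapTotal:        262140 kB
SwapFree:         262140 kB
"""


def parse_meminfo(text):
    """Return {field: kB} for every 'Name: value kB' line in the snapshot."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)(?:\s+kB)?$", line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def memory_breakdown(meminfo):
    """Split RAM into the naive 'used' figure (what top shows), the part of it
    that is buffers/cache, and what applications really hold. Percentages
    are of MemTotal, rounded to one decimal."""
    total = meminfo["MemTotal"]
    free = meminfo["MemFree"]
    cache = meminfo.get("Buffers", 0) + meminfo.get("Cached", 0)
    naive_used = total - free        # the scary number on the status page
    real_used = naive_used - cache   # memory the kernel cannot simply drop
    swap_used = meminfo.get("SwapTotal", 0) - meminfo.get("SwapFree", 0)

    def pct(kb):
        return round(100.0 * kb / total, 1)

    return {
        "naive_used_pct": pct(naive_used),
        "cache_pct": pct(cache),
        "real_used_pct": pct(real_used),
        "swap_used_kb": swap_used,
    }


def leak_suspect(meminfo, real_used_threshold=80.0):
    """Heuristic (assumed threshold): high naive usage is normal on Linux;
    only high *real* usage or any swap consumption hints at a leak."""
    b = memory_breakdown(meminfo)
    return b["real_used_pct"] >= real_used_threshold or b["swap_used_kb"] > 0


if __name__ == "__main__":
    info = parse_meminfo(SAMPLE_MEMINFO)
    for key, value in memory_breakdown(info).items():
        print(f"{key}: {value}")
    print("leak suspect:", leak_suspect(info))
```

On a real box, feed it `open("/proc/meminfo").read()` instead of the constructed sample; the same split is what `free` reports on its "-/+ buffers/cache" line.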

  • ntsux

    Nice article, and you make many fine points.

    Being a Check Point, PIX, Gauntlet, Stonegate, FW Builder, Borderware (etc.) admin for the last while has left me with one resounding impression:

    At the end of the day, as a firewall admin., you rely heavily on LOGS (and their detail) to help resolve connectivity issues. Everyone wants to blame the firewall when poop hits the fan, and the firewall is always guilty until proven innocent.

    My point – though most of these products are nothing short of terrific in terms of functionality, ROI, and ease-of-use… I will always need to be able to filter for meaningful log entries related to the connectivity issue(s) at hand.

    Out of all these fine firewalls, pfsense appeals to me the most – but if I could find a product that allows me to filter logs on the fly with the same detail as, say, Check Point, THAT’s the product I’d most likely go with.

    Until then, pfsense will remain my home-based fw.

    Just my $0.02

  • kod4krome

    Any reason Astaro was not included in this roundup? I have been using Astaro Security Linux (ASL) v7 but will be trying out smoothwall 3.0 pretty soon, and I was curious how you felt it compared to the others here.

  • yoda

    Wayne,

    Excellent review. Did you look into Endian Firewall too? It’s very similar to SmoothWall … as far as I can tell. I really like what I’ve seen when it comes to Endian’s stuff. On the Clark Connect, you mention a 5-click install of OpenVPN. Can’t find it in CC 4.2 CE. I see the PPTP and IPSec VPN modules, but nothing about OpenVPN. :S

  • http://www.fsckin.com/ Wayne

    Yoda: I will be revisiting this topic shortly, maybe this weekend. I’ll be looking at all five of these, plus two more, including Endian.
    -W

  • Eric

    Hey Wayne,

    Awesome post. Using this in conjunction with the newer one you posted really helped me made up my mind in terms of which firewall distribution to use.

    Unfortunately, I had a little problem with pfSense CD booting up properly so I had to go with Smoothwall, which I had great experience in the past.

    Anyways, I was wondering if you could enlighten me with how you set up your print server with a printer connected to LPT1 port on SW3.0 as SW does not seem to have support for it.

    Thanks in advance.
    Eric

  • DrivenMad

    I have been running ClarkConnect for 2 years now. I have to admit version 3.0 was a pain; with the release of 4.2 I have had very nice results at home and on my portable firewall/dedicated game server for LAN parties!! If you have a system with a 1 GHz or higher CPU, you can run the firewall and a dedicated server for some games. Remember, CPU is important and RAM is priceless!! If you plan to try out ClarkConnect, remember that the intrusion detection and some other modules will take A LOT of your resources. Happy Securing :)

  • http://www.hackosis.com Shane

    @ClarkConnect – Who in their right mind would want a print server on their firewall?!

  • Sam

    Great test. I liked PFsense and Untangle myself. Smoothwall corporate office left a bad taste in my mouth.

    I really want to deploy pfsense to replace our pix, but I’m having difficulty getting rackmounted hardware (no space for towers).

  • Martin

    I recently bought a pfSense appliance from one of the recommended companies listed on the pfSense website, Topell/DigiDyneSolutions. It’s a 1U appliance. You can also buy 1U cases from Netgate for use with ALIX or Soekris boards, if you want to put it together yourself. I bought a kit from Netgate a while back. I’ve had good experiences with both these vendors.

  • ISS

    Really great article and perfect timing that I just ran across it… been using IPCop for a few years now and was looking at some new FWs before I build a few boxes, and this will give me some direction… I was also going to test Untangle… THANKS

  • http://farhany.com Daze

    I’ve tried most of the firewalls except for pfSense. I must say that Endian seems to be very polished, and is so far my favourite. pfSense sounds like it also may be good. Running Tomato on a Linksys WRT54GL for almost a year, I think pfSense or Endian are going to be excellent. Smoothwall is quite slick, but lacks OpenVPN.

  • Dave

    To Shane @clarkconnect.

    I can give you a reason for having a print server on a firewall (like some of the little checkpoint firewalls have). For use in a DMZ set up for all the visitors to your company who want access to the Internet AND a printer. Now they can plug into a DMZ port or WAP in a DMZ and print instead of connecting to the corporate network.

    I wish it weren’t so, but this tends to be the more accommodating (for the visitor) and secure method than allowing the visitor to plug into the LAN.

    Thanks for doing the review; I’m surprised that there aren’t more of these. I was looking for a feature comparison chart. And thanks to the individual who mentioned Endian. That was one I looked at last year and couldn’t remember the name of it.

  • http://www.cromosoft.com Ramiro

    I tested ClarkConnect but it didn’t work with a Pentium II (kernel panic), m0n0wall (doesn’t work with Realtek 8139, so I discarded it) and finally IPCop worked, but in general new Ethernet cards aren’t supported.

    I was using it for several weeks, but now I will have to use another solution for traffic shaping because my “IPCop box” was damaged by an electrical storm.

  • neil

    I ran ClarkConnect on a Dell PowerEdge 4100 dual Pentium Pro 200MHz with PERC RAID controller and 6 18.4GB SCSI drives. Ran sweet as a nut; had mail and web server on it, 51 users, file storage, firewall, dynamic DNS, print server, and 2 LANs.

    Ran perfectly for 4 1/2 years, then mainboard popped and game over. now run cisco 3600. and pay for webhosting. :(

  • neil

    Almost forgot. the guys at clark connect were very very helpful when i was setting the machine up, ran into one or 2 problems with configuration, i gave them a password to the machine and they looked into it and told me where i was going wrong, for FREE. any other companies willing to do that, not from what i have found, you are lucky to get a reply to your email…

  • http://rentnet.org john

    With low cost USB flash memory, internal USB flash memory could substitute for a hard drive. I recall doing a test install of SmoothWall and it requiring a SCSI hard drive but I’m not sure why. pfSense complained at less than 512MB RAM but ran at near wire speed just the same.
    Since spying on Americans has become big business, I was surprised not to see more tunnels for communication especially at the firewall router level with mod and custom options.

  • Frederic

    Anyone tried Ideco gateway? I have run it for 2 weeks now and it works fine. I couldn’t find any reviews on the product though, just curious.

  • Frederic A

    I have 2 sites for supported wireless network cards for IPCop.
    http://linux-wless.passys.nl/

  • http://www.crasch.net CRasch

    No Mods for PFSense? All the MODS are Packages. They are available and downloadable right from the web GUI.
