This is the Fastest review EVER of 5 Linux firewall distributions.*

*fastest review by this author.

I’ve got a P3 500MHz PC w/ 192MB of RAM and a 1GB Transcend Flash IDE module that I’ve been running as a Linux-based IPCop firewall platform for around the last two years.  It’s been running IPCop after testing out m0n0wall, SmoothWall, pfSense and IPCop.  pfSense impressed me, but wasn’t quite polished enough for me.  m0n0wall and SmoothWall had their various problems with the current releases back then, and IPCop won my vote by default.

Two years have passed since then, let’s see if there’s anything different this time around.

Here are my personal criteria for gauging the usefulness of a Linux firewall:

1.  Ease of installation without reading the instructions.
2.  How “friendly” and “snazzy” the WebGUI interface is.
3.  Has an easy to use or install OpenVPN server.
4.  Print server integration difficulty. 

ClarkConnect http://www.clarkconnect.com/
I tried Community Edition 4.1 released on 04/18/2007.  ClarkConnect (hereby known as CC) appears to be a trimmed down Red Hat distribution with a firewall GUI tacked on.  Installation took about 1.5 hours reading ZERO documentation.  Installation would have gone considerably faster if I had read instructions.  I’m doing this for fun.  CC can actually use better hardware than the rest comparatively, for sure.  WebGUI looked great, but was very slow, updating was extremely slow.  Strangely, it was using apt-get (according to top while connected via SSH into the machine) to update the system – what is wrong with YUM? ClarkConnect appears to be the most full-featured firewall-oriented distribution.  This has VERY slick integration with the CC website.  DynDNS service, updating monitoring, security audits, etc – but for a price.  OpenVPN installation was as easy as 5 clicks in the WebGUI.  Print Server was just as easy to install.  Color me impressed.

Pros:  Slick website, full-featured, enterprise capable.  Print server built in!
Cons:  Requires a fast PC, installation was moderately hard.

IPCop http://www.ipcop.org/
I like IPCop but it’s not quite exactly what I’m looking for.  It’s a firewall first, and doesn’t really do anything else other than slap a usable WebGUI on top of iptables.  It’s very stable, and the graphs are terrific and informative.  Lots of people use IPCop.  It’s got the Ubuntu-effect going on in their forums – lots of people use it, lots of people HELP you for FREE on their forums.  To get a print server running requires some serious hacking as far as I can tell.  OpenVPN is not as bad, there is a plugin, which will actually integrate into the WebGUI.

Pros:  Good support is available because so many people use it.
Cons:  Lack of printing ability.  OpenVPN install requires some hacking. 

m0n0wall http://m0n0.ch/wall/
The 1.231 version image failed to boot properly on my testbed.  It came up and the normal boot-up kernel text flew across the screen but then a message popped up saying it was going to reboot in 15 seconds.  Perhaps it is because I had some hardware that was unsupported, but I have used it in the past on the same hardware.  I will endorse the usage of m0n0wall if you ever think of buying a Soekris, PC Engines WRAP or perhaps even a RouterBoard, this is the distribution tailored specifically for these platforms.

m0n0wall did not finish testing, and unfortunately I did not have time to attempt resolving this issue. 

SmoothWall http://www.smoothwall.org/
I am SO impressed by SmoothWall 3.0 Express.  It oozes with “gee, that’s smart” or “wow!” when I moved from one portion of the WebGUI to another.  Such as real-time monitoring of IM conversations if the IM Proxy service (totally transparent to the user) is enabled (VERY big brother-ish ala dsniff), a Java SSH client, my.SmoothWall website integration which is similar to ClarkConnect’s website integration, real-time graphing of network traffic, and the list goes on and on.  The installation was very easy, and installation of a print server using Samba is possible.  SSH access easy, just one checkmark.  A Java-based SSH client is available right inside the WebGUI – very nice addition!  Found a terrific mod that goes and checks the signal strength of my Motorola cable modem (many others are supported) and creates a graph of it.  Terrific!  Now I can nail my ISP when signal strength dies!  This is FAR better than when I tried the original release of 3.0 (or was it an RC?) and it had a terrible “DHCP on RED” bug that made it impossible for me to use “out of the box.”

Pros:  Great Modding Community, adding new features easily along with a forum that has walkthroughs for installing Samba.  The GUI is very robust.
Cons:  Printing and OpenVPN not installed out of the box, but these are easily fixed. 

pfSense http://www.pfsense.com/
I tested the 1.2 RC2 version of pfSense.  I am rather interested in seeing what has changed since the 0.9 releases.  Oh… it’s nice.  DMZ works now, which previously did not work properly for me.  Still a little “techie” required to figure out how to get it online.  Ethernet interfaces are presented in a list (i.e. fxp0, rl0) which unless you know what vendor equates to which interface name, you need to guess which is which.  This is in stark contrast to other firewall distributions (SmoothWall/IPCop) which show the full name of the adapter instead of a driver name.  This is not the friendliest way of doing things.  A pseudo SSH tool is available in the GUI – just type your command into a text box, and the output is shown on the WebGUI.  VPN was the easiest to get working in this distribution.  This distribution does not use the common color-oriented user friendly way of configuring the network segments, (i.e. GREEN/RED) instead it uses the better known LAN/WAN combination and allows you to rename the interfaces to whatever you would like to use.  pfSense has come a long way in a short period of time.

Pros:  Nice WebGUI, graphs look better than most, full-featured and doesn’t require top-end software.
Cons:  Does not have any mods that I am aware of or can find.

Summary:
ClarkConnect:  Two thumbs up for people with newer hardware.  Instructions are recommended.  Print server installed by default!
IPCop:  Terrific as a firewall, has limited plugin availability.  IPCop is easy as pie to install.  No instructions needed. 
m0n0wall:  Did not finish testing. 
SmoothWall:  Terrific WebGUI and mySmoothWall integration is bar none the killer app for a firewall appliance.  Many modifications are available.  No instructions needed.
pfSense:  Has nearly as many features as ClarkConnect, without the problem of WebGUI latency.  Instructions probably needed the first time around.

Conclusion:
SmoothWall Express 3.0 is the winner of this round up.  I’ve already switched to SmoothWall myself.  If you are running IPCop or m0n0wall, this is a good performer on low-end hardware.  ClarkConnect wins an honorable mention, and I recommend this distribution if you have newer hardware.