Endian Firewall Community – A free version of the Endian Firewall Appliance (not that that means anything, I don’t know it either). It was evidently originally based on SmoothWall, the foundation of IPCOP, but I believe it was rebuilt using Linux From Scratch.

pfSense – A FreeBSD-based firewall solution that has a HUGE list of features ranging from the very cool to super confusing.  How much of each is going to depend on your familiarity level with firewalls :).

Vyatta – Vyatta calls itself the “Open-Source Alternative to Cisco”.  I know you know Cisco, unless you’ve been hiding under a rock they are one of the largest firewall appliance vendors out there.  I mean, they’re Cisco.  So these guys are really saying a lot if they think they can challenge Cisco to a pissing contest.  Obviously, like Endian, this one seems very business oriented in that they want you to pay.  And I do mean PAY.  Wow.  But there is a Community Edition, or so it seems, that is free for download.  They say it’s to “test and evaluate”.

Those 3 firewalls are ALL based on some open-source operating system or another, but have (apparently) easy-to-use web-based front ends that are no more difficult to learn than the standard Linksys/Netgear devices that everyone uses.

I found these firewalls in the order listed above, and since I had no preference I just tried them in order.  I downloaded and installed Endian to replace my IPCOP.  It took me maybe 20 minutes to get installed (I have static IPs and other complicated things that take longer than most people would), and another 1.5 hours to get all of my firewall rules that I had on IPCOP rebuilt in Endian.  Please understand, this 1.5 hours is not something you, the reader, are likely to encounter unless you also run several servers in a DMZ network with several applications requiring different port ranges to be forwarded.

If nothing I just said made sense to you, Endian will probably take you 20 minutes or less to get it up and running.  Here is where Endian is a bit more business-like than IPCOP: By default, out of the box, it’s blocking traffic bi-directionally (in and out).  It has a default ruleset to accommodate most users, it allows you to get to the web and check email, and FTP (for the tech savvy: port 80 and 443, and 25/143/110, 21) but absolutely NOTHING else.

Wanna connect to an IRC server? Not gonna happen. I’m loving Endian :D.  Of course these are fixable, you have to go into the firewall portion of Endian and go to the outgoing traffic link.  Endian, like IPCOP, calls your networks GREEN (for your LAN), RED (for your internet), and optionally BLUE (for a wireless network) and ORANGE (for a DMZ).  It shows you in a pretty little table on the web page what is allowed where… GREEN is allowed all access to your ORANGE and BLUE networks if you have any, and specifically 80 and 443 going out RED.  ORANGE and BLUE are basically allowed DNS and not much else.

This is the one spot where Endian will probably lose your standard, normal, everyday user: You’ll have to start creating rules with scary things like Ports, Source IP addresses, Destination IP ranges, etc.  If you’re willing to try it, it is easy enough: you can either be really picky and only allow ports you know you want or need (beyond the scope of this blog), or you can do a simple rule that says ALLOW from GREEN network to the RED network on ANY/ANY.  This effectively allows all traffic from your computer to go to the web and the web to respond, while still keeping you safe from the RED.

That rule is the default on the other user-friendly firewalls like the Linksys/Netgear and IPCOP.  Not many businesses would use that rule because businesses tend not to trust their employees.  If you don’t trust your kids like a business doesn’t trust its employees though, maybe you should look into learning about ports :D.
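To see what the GREEN-to-RED ANY/ANY rule actually opens up compared with the out-of-the-box policy, here is a small first-match rule evaluator. It is an added example, not code from Endian: the rule table is a constructed model of the defaults described above (treating every listed port as TCP and the ORANGE/BLUE DNS allowance as going to RED are assumptions), and the sample flows are constructed.

```python
from dataclasses import dataclass

ANY = None  # wildcard for the protocol or port field


@dataclass(frozen=True)
class Rule:
    src: str        # source zone: GREEN, ORANGE or BLUE
    dst: str        # destination zone
    proto: object   # "tcp", "udp" or ANY
    ports: object   # frozenset of destination ports, or ANY
    action: str = "ALLOW"

    def matches(self, src, dst, proto, port):
        return (self.src == src and self.dst == dst
                and self.proto in (ANY, proto)
                and (self.ports is ANY or port in self.ports))


# Constructed model of the default outgoing policy described in the post.
DEFAULT_RULES = [
    Rule("GREEN", "RED", "tcp", frozenset({80, 443, 25, 143, 110, 21})),
    Rule("GREEN", "ORANGE", ANY, ANY),
    Rule("GREEN", "BLUE", ANY, ANY),
    Rule("ORANGE", "RED", ANY, frozenset({53})),  # assumption: DNS to RED
    Rule("BLUE", "RED", ANY, frozenset({53})),    # assumption: DNS to RED
]

# The permissive rule: ALLOW from GREEN to RED on ANY/ANY.
ANY_ANY = Rule("GREEN", "RED", ANY, ANY)


def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match falls through to DENY."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "DENY"


def newly_allowed(before, after, flows):
    """Flows that `before` denies and `after` allows."""
    return [f for f in flows
            if decide(before, *f) == "DENY" and decide(after, *f) == "ALLOW"]


# Constructed sample flows: (source zone, destination zone, protocol, port)
FLOWS = [
    ("GREEN", "RED", "tcp", 443),    # HTTPS
    ("GREEN", "RED", "tcp", 6667),   # IRC
    ("GREEN", "RED", "udp", 123),    # NTP
    ("ORANGE", "RED", "udp", 53),    # DNS from the DMZ
    ("ORANGE", "RED", "tcp", 6667),  # IRC from a DMZ server
]
```

Calling `newly_allowed(DEFAULT_RULES, DEFAULT_RULES + [ANY_ANY], FLOWS)` lists exactly the GREEN flows the permissive rule opens; ORANGE stays restricted because the new rule only names GREEN as its source.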

Anyway, beyond that there are several other options out of the box that IPCOP lacks (by default).  Endian allows you to easily turn on a content filter to block dozens of categories, such as porn and ads, and also gives you the ability to block viruses from even getting downloaded to your PC, and to prevent you from going to a spyware-riddled website.  You can set the threshold level as well, ranging from young children to young adults to say how strict you want the filters. These are excellent increases in security.

Most people will probably say “Well, I already have Anti-Spyware/Virus on my computer.” and that’s good! I’m proud of you.  But a lot of anti-virus programs don’t play well together on the same machine, meaning you likely only have one (probably McAfee or Norton or AVG).  All Anti-Virus software has different databases that check for different viruses.  So what Norton finds, McAfee might not and vice-versa.  So while having an AV software is good, one solution is not necessarily enough… in comes Endian.  Endian uses an Anti-Virus called ClamAV, so when you go to a website, or read your email, or open attachments, it will first be scanned by your Endian firewall with ClamAV, and if that finds nothing – THEN it will be scanned by your computer’s McAfee or Norton.  I think this is a good thing, your opinion may vary.  For those that use Linux as their main computers, you probably aren’t running a local Virus software (seriously, what’s the point on Linux?) so this provides a way for the files you download to still be scanned, just in case you go and put them on a Windows box somewhere.

As you can probably tell.. I’m really liking this Endian Community Firewall, so much so that I haven’t removed it to move on with my list!! So unfortunately, I can’t tell you how well either pfSense or Vyatta work yet.. when I get around to messing with them I will of course blog and compare them as I go, but I wanted to include them on this page in case someone else searching for firewalls wants to give them a shot.  They both have an excellent set of features, so they are definitely worth it.

I do have my complaints with Endian, and this paragraph is going to be a little technical for those that want to skip to the next page. In IPCOP I was able to load addons that allowed me to configure to have my log files automatically emailed to me nightly. They also would automatically submit the firewall logs and such to places like DShield, which is cool because not only does that let DShield compile and see who the most active “bad” guy is right now, but they also format your log traffic for you into an easy to read “Low, Medium, High” risk table of traffic. Endian has neither of these components, and I have not (yet) found a way to add them in as I haven’t found an “Addon” area like for IPCOP. So this is a work in progress. Also, I am having trouble getting the port forward to work from ORANGE, to a RED IP that goes back to an ORANGE system. Basically, Server to Server or Server to itself using the public IPs and not private ones. This is probably not a very common setup, however, and thus is not a huge deal. I am positive there’s a rule or rules I need in the outgoing/incoming sections to facilitate this, I just haven’t (yet) discovered it.
