49 Comments
- schestowitz, on 10/10/2007, -2/+22: What about http://en.wikipedia.org/wiki/Iptables ?
- edzilla, on 10/10/2007, -0/+12: What's this Linux thing? Some kind of Ubuntu fork??
- mooninite, on 10/10/2007, -3/+12: All of these are front ends for configuring iptables.
People don't understand that the Linux firewall is built directly into the kernel. I have never seen a separate software firewall.
Burying as inaccurate.
- emblemparade, on 10/10/2007, -2/+9: If "most of these are based on some form of Linux, FreeBSD, or OpenBSD" then they are not all "Linux firewalls."
It's true that in the world of Unix, software often compiles and runs on many variants of Unix without any changes, but not always, especially in implementation-specific security applications, like firewalls. The digg should be titled "Top 6 Unix Firewalls."
C'mon guys, pay attention to precision, at least enough to avoid contradictions within a very short post...
- fyre2012, on 10/10/2007, -1/+8: PF for OpenBSD FTW =)
- Rivetgeek, on 10/10/2007, -0/+6: No it isn't...
- Niten, on 10/10/2007, -1/+6: Yeah, the author of this article seems to be confused – these are all Linux firewall front-end tools, and of course Linux firewall software is going to use the kernel's built-in netfilter. No mention of PF, IPF, or IPFW, so I'm not sure where the BSD reference came from.
Anyway, it's sort of a moot point... anyone really serious about this stuff is going to be writing firewall rules by hand, whether it's for Linux's netfilter or OpenBSD's PF or whatever.
- kolobcreek, on 10/10/2007, -0/+4: iptables....
- Burn, on 10/10/2007, -0/+4: It's just a front-end for iptables like all the rest of them.
- DarkDragon, on 10/10/2007, -0/+4: iptables! Firestarter (at least) is just a front end for iptables.
- Niten, on 10/10/2007, -0/+3: Is this wretched Cisco-eze
let through IETF to mean
my firewall must pay legal fees?
No! CARP and PF are Free!
Fiddle dee dum,
Fiddle dee dee,
CARP and PF are free.
( ftp://ftp.openbsd.org/pub/OpenBSD/songs/song35.mp3 )
- cquilliam, on 10/10/2007, -0/+3: ipkungfu (http://www.linuxkungfu.org/) has been one of my favorites. At first I used to build my iptables scripts from scratch, but ipkungfu made it so much easier.
- mississippiman, on 10/10/2007, -1/+4: What about Smoothwall, IpCop, Endian, or any of those?
- krull, on 10/10/2007, -1/+4: wtf? NO PFSENSE?? http://www.pfsense.org
Been using PF at work for over a year now... and haven't hard rebooted the damn thing!
- DerBrandy, on 10/10/2007, -3/+5: Not only inaccurate, but also confusing for newbies. With articles like this one they still think firewalls on Linux are similar to Windows. A good intro to iptables would be better.
- RyanSK, on 10/10/2007, -2/+4: Good post for Linux newbs; but iptables is where it's at... hands down.
- JonForTheWin, on 10/10/2007, -1/+3: OpenBSD is _NOT_ Linux.
- WillSpencer, on 10/10/2007, -0/+2: The original poster wrote "Most of these are based on some form of Linux, FreeBSD, or OpenBSD."
It's just the title which is misleading.
- WillSpencer, on 10/10/2007, -1/+3: ipchains is dead, man. :)
These are all firewalls for people to download. Most of them are built around the pf/ipf/ipfw/iptables packages which come with the operating systems.
This isn't a Linux-specific article.
- mrsteveman1, on 10/10/2007, -0/+1: It's not possible to just take kernel drivers or code and move them to another "unix" without hand porting the code; they are not at all related except for the various POSIX standards for syscalls and threads 'n' such.
- GMorgan, on 10/10/2007, -1/+2: PF is better than iptables though. Then again you'd expect that from OpenBSD.
- Bonejob, on 10/10/2007, -2/+3: What about IPCOP? Or is that a derivative of something else?
- Alex2, on 10/10/2007, -0/+1: OpenWRT
comes default with iptables
just sayin.
- martalli, on 10/10/2007, -0/+1: For newbs, it would have been better to explain the difference between an iptables (or pf) frontend such as Firestarter or Guarddog, vs. complete firewall distros, like IPCop. For more experienced users, a description of the strengths of each distro or app would have been very helpful.
- dbr_onix, on 10/10/2007, -1/+2: I'm not quite sure this guide would be more confusing to 'newbies' than an iptables guide...
- medlzk, on 10/10/2007, -1/+2: m0n0wall FTW
- ddxChrist, on 10/10/2007, -0/+1: Puffy is our Hero.
- martalli, on 10/10/2007, -0/+1: RTFA - it is right there in the article. The author does not divide them well, but he is including both firewalls that are frontends for your desktop's iptables, and complete distros for making hardware firewalls. Complete firewall distros would include IPCop and m0n0wall.
- GMorgan, on 10/10/2007, -0/+1: It's also worth noting that because iptables is built into the kernel you will need the correct kernel options activated to use it. In some distros where manual kernel configuration is needed this isn't always the case.
Sorry for the DP.
- martalli, on 10/10/2007, -0/+1: If you were asking why no one is talking about ipchains... it was replaced by iptables in the Linux kernel 2.4...
http://en.wikipedia.org/wiki/Ipchains
- WillSpencer, on 10/10/2007, -0/+1: OpenWRT includes a basic firewall capability, but that's not really its focus.
Plus, it's not really a PC-based application. It's designed for embedded devices.
OpenWRT is cool, but it's really a separate type of application.
- mrsteveman1, on 10/10/2007, -0/+1: Everyone knows you have to run OpenBSD on Linux, which runs on Windows. Pshhh
- windhawk, on 10/10/2007, -0/+1: Here's a good article about IPCop:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1265021,00.html
- martalli, on 10/10/2007, -0/+1: It's the last part of the article. I wonder if the author added to his article after it hit digg...
- capecodcarl, on 10/10/2007, -0/+1: Most of them are based on being wrappers to the underlying "real" firewall interface. It's either iptables and ipchains on Linux (2.6 and 2.4), ipfw on FreeBSD, or pf on OpenBSD. There's also ipfilter which is a little more cross-platform, but that guy changed the licensing and pissed off the OpenBSD folks so they wrote their own packet filter. All the other tools mentioned are just wrappers around these tools and ARE platform specific. M0n0wall requires FreeBSD's ipfw tool; ipcop/shorewall, etc. require Linux's iptables. OpenBSD people expect you to be able to grok the config files for PF so I'm not aware of any GUIs for configuring that... I'm sure there are though somewhere.
- Lamity, on 10/10/2007, -0/+0: No mention of Astaro (it's free for home use?) - http://www.astaro.com
- tendonut, on 10/10/2007, -0/+0: I've been using Smoothwall for about 2 years now. Absolutely no complaints and extremely easy to manage.
- mrsteveman1, on 10/10/2007, -0/+0: I used pfSense for a long time but got tired of it because of its lack of advanced features (and the QoS wasn't working well at all), so I started using the free home licensed Astaro Security Gateway; it makes pfSense and the others look like consumer toys.
- mrsteveman1, on 10/10/2007, -0/+0: OpenWRT is only nice if you have a spare embedded router or need to minimize power use, but they are massively underpowered for anyone who does more than check email once in a while.
The firewall I use (Astaro 7) barely uses 15% of the CPU and never more than 60% of the RAM in an old PIII. I would be willing to bet that most if not all of those embedded devices sit at their limits most of the time when they are routing packets, doing stateful packet inspection and things like IDS.
Once you move into more advanced features those things are worthless and cause more problems than they solve; I've seen too many of them decide to stop working at odd times or brick a device, requiring an RS232 line level converter chip to be attached to the motherboard to get a serial console and fix it.
- fzzzz000, on 10/10/2007, -0/+0: I love Turtle...
- arkuin, on 10/10/2007, -0/+0: What about eBox Platform? It's open source!!! http://ebox-platform.com
- Brownflem, on 10/10/2007, -0/+0: IPTABLES with Webmin
and Tomato for WRT54G
- Nigative, on 10/10/2007, -1/+0: You don't need a firewall in Linux. iptables is all you need; if you don't know how to use it, use Windows.
- zapd, on 10/10/2007, -1/+0: Writing firewall rules by hand... error prone. Not a good idea. If you're serious: use a config tool that you know, then check the resulting rules with your eyeballs.
Then test.
- zapd, on 10/10/2007, -2/+1: A firewall is so much more than a packet filter.
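The "check the resulting rules, then test" step from the comment above, as an added example that is not part of the thread: a POSIX shell audit of an iptables-save dump, which is the format every iptables front end in this list ultimately hands to the kernel. Both rulesets are constructed samples, and the three checks (default-deny INPUT, a stateful accept for replies, no catch-all accept) are this example's own choice of what to eyeball.

```shell
#!/bin/sh
# Audit a generated iptables-save dump before loading it.
# Constructed sample: a stateful, default-deny INPUT chain.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample with two defects a front end can silently produce:
# INPUT policy left at ACCEPT, and a catch-all accept appended to INPUT.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

# audit_rules DUMP: prints each finding, returns the number of findings (0 = clean).
audit_rules() {
    dump=$1
    findings=0
    # 1. Traffic that matches no rule must be dropped, not accepted.
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "INPUT policy is not DROP"
        findings=$((findings + 1))
    fi
    # 2. Replies to our own connections must be allowed (state or conntrack match).
    if ! printf '%s\n' "$dump" | grep -Eq -e '--(state|ctstate) [A-Z,]*ESTABLISHED'; then
        echo "no ESTABLISHED,RELATED accept on INPUT"
        findings=$((findings + 1))
    fi
    # 3. An unconditional accept makes every rule and the policy irrelevant.
    if printf '%s\n' "$dump" | grep -Eq -e '^-A INPUT -j ACCEPT$'; then
        echo "catch-all accept on INPUT"
        findings=$((findings + 1))
    fi
    return $findings
}

# Only after the audit passes: parse without committing, then load and test.
#   iptables-restore --test < rules.v4 && iptables-restore < rules.v4
audit_rules "$GOOD_RULES" && echo "good ruleset: clean"
audit_rules "$BAD_RULES"  || echo "bad ruleset: $? finding(s)"
```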
- jdhore1, on 10/10/2007, -3/+1: You haven't seen a separate software firewall? I have... Firestarter... It's got an init entry so it's gotta be different than iptables... but I dunno... I'm tired...
- mrsteveman1, on 10/10/2007, -2/+0: I've used all of those and pfSense (they all suck after a while and are very lacking). Once the Astaro people made home licenses for ASG free I got rid of the others; there's no way in hell I will ever use anything but Astaro anymore.
Free for home use, perfect interface, enterprise class QoS and traffic shaping, load balancing, WAN line aggregation, on the fly rule change without resetting daemons, automatically updating Snort rules, portscan blocking. There's so much Astaro has over the others it's just not even a fair comparison. It's based on SuSE Linux (not openSUSE, an older version) with a lot of custom stuff on top of it, but the custom stuff is what makes it worth using.
I'm surprised they don't mention it in the article, probably because the interface isn't open source (it's Ajax), but I never cared because the core is open source and I can change anything I want.
- Urusai, on 10/10/2007, -4/+1: ...and iptables is just a front end for your network driver. Sheesh.