[PLUG] Good Firewall Distro/Application

John Medway pdxlinux at johnmedway.com
Tue Jun 30 06:00:41 UTC 2009


Other than the failover requirement, I can think of two you could use. 
Smoothwall Express seems shakier than IPCop, but it has net-to-net OpenVPN, 
if you need that. Otherwise, I'd pick IPCop. The Zerina OpenVPN plug-in 
seems more stable, albeit it is not really set up for net-to-net.




At 10:07 PM 6/29/2009, David Mandel wrote:
>This is a pretty demanding list of requirements.
>Most of the smaller firewall distributions don't have many of the
>desired features.
>
>I personally like the community edition of Smoothwall.  It works well
>for small businesses and home usage, but doesn't have load balancing
>or many of the other features you need.  I also like Astaro a lot; but
>they don't really have a very good community edition and the
>commercial edition that does everything you want is (or at least was)
>very expensive.
>
>Another option is Untangle.  I haven't used it and don't know if it
>has all the features you need; but it has a great reputation.
>
>I have read something about a couple other distros that might work.
>As I recall, one of these is called Trustix.  I might check the
>distribution page at Linux.org or maybe distrowatch.org.
>
>David Mandel
>
>On Mon, Jun 29, 2009 at 5:07 PM, Tim Garton<garton.tim at gmail.com> wrote:
> > All,
> >     Can anyone recommend a good firewall distro or application for
> > Linux?  Or, for that matter, I guess it doesn't have to be Linux but
> > could be some type of hardware solution as well.  Currently I haven't
> > had much luck other than rolling my own, but the only one that I've
> > tried extensively is Endian Firewall Community Edition.  In order to
> > qualify as "good" I would expect the following features:
> >
> > 1. Support for multiple uplinks and ability to load-balance between
> > them (if it can't load-balance, at least be able to easily switch to
> > the other link)
> > 2. VPN support (probably IPSEC or OpenVPN)
> > 3. Ability to have a failover system
> > 4. Advanced traffic shaping - throttle/prioritize traffic based on
> > protocol, src/dst port and ip, packet size, tcp flags,
> > type-of-service, etc.  ability to guarantee a minimum amount of
> > bandwidth for different types of traffic.
> > 5. Ability to do DNAT for incoming services
> > 6. Real-time monitoring of bandwidth utilization to easily pinpoint
> > what the large consumers are
> >
> > In our current state I guess 3 isn't necessarily a deal breaker, but
> > as we continue to grow I can see it becoming more important.  Thanks!
> >
> > -Tim






