LinuxQuestions.org
Old 01-14-2014, 05:02 AM   #1
a989
LQ Newbie
 
Registered: Jan 2014
Posts: 2

Rep: Reputation: Disabled
Need a firewall software


Hi all,
I need a simple to use firewall software in a 100 employee environment.
Firewall should block unnecessary websites, keywords, videos, images, any intrusion as per users and groups (eg: teachers and students). Bandwidth shaping would be a plus.
Please suggest some.
 
Old 01-14-2014, 05:22 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Go for a hardware or "appliance" solution, Fortigate / FortiOS is good.

Yes, there will be people who are now going to say "use Linux, use SQUID, iptables, etc." which is fine if you want to go down the do it yourself path.

I've a Fortigate FC80 here with about 70 users behind it, and if I want to block "File Swapping" or "Proxy Avoidance" then I define the policy and tick the boxes in the GUI. These lists are updated and maintained by Fortigate so I don't have to keep updating them etc.

For bandwidth shaping, I've 2Mb that's reserved for phones and for web use my general users are in a shared 4Mb and "executive" users are in a shared 8Mb.

If you're determined to go down the "free software" route then SQUID and iptables will be your starting points.
 
Old 01-14-2014, 05:32 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
@TenTenths: Just curious:

What is the difference between a do it yourself path for iptables/squid/etc and a do it yourself path for Fortigate / FortiOS? Seems to me that both have a (possibly steep) learning curve and using Fortigate / FortiOS needs specialized equipment.

Don't get me wrong, your solution might be a good option but the reason why isn't too clear from your post.
 
Old 01-14-2014, 05:44 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Need a firewall software

Fortigate is a hardware firewall / router device which offers content filtering, website blocking, email and webpage anti-virus scanning, DHCP, VPN server, etc. all with a web interface.

Sometimes paying for a device is more cost / time effective than having a person spend days or weeks building a solution.
 
1 members found this post helpful.
Old 01-14-2014, 05:44 AM   #5
a989
LQ Newbie
 
Registered: Jan 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thank you for your reply.
I am looking for a software appliance rather than hardware solution.
Of course, not willing to compile squid, iptables, IPS, etc. from scratch.
My requirement is full control on content filtering and intrusion prevention with simple web interface.
I found some open source software appliance projects and am giving them a try on my virtual machines.
Like:

pfsense
simplewall
endian
smoothwall
clearOS
monowall

I will share my experience with these appliance tests soon.
Thank you guys.
 
Old 01-14-2014, 06:01 AM   #6
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
I currently run pfsense as a virtual router and firewall and vpn server with snort.

Works really well, 4 cores 4gb ram assigned, wan nic directly passed, dmz, lan, vpn on bridge interface.

Works but have never tried close to 100 users on it. I would rather go dedicated hardware for that many users depending on your throughput requirements.

On my system it saturates the 50 Mbps down and 25 Mbps up that I have, with ample CPU and RAM left.

My next purchase is an i350 4-port Intel NIC to get rid of the bridge, assigning a port to each VM using SR-IOV.

Last edited by ericson007; 01-14-2014 at 06:38 AM.
 
Old 01-14-2014, 06:10 AM   #7
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Quote:
Originally Posted by a989
I found some open source software appliance projects and am giving them a try on my virtual machines.
If you've the time and resources for the testing etc. then great! Let us know how you get on as it'll help others.

Quote:
Originally Posted by ericson007
Works but have never tried close to 100 users on it. I would rather go dedicated hardware for that many users depending on your throughput requirements.
Any recent hardware will be able to keep up with throughput as generally the WAN link will be the bottleneck.

We also have Juniper SSG firewalls with a web management interface but the Fortigate device is a bit easier to use and intuitive. We had it unpackaged and running our filtering requirements in about 1 day.
 
Old 01-14-2014, 07:00 AM   #8
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
One thing to remember with virtual routers is that yes, they may work fine and get limited by WAN, but if the VM host has many VMs then it can cost performance deductions on other virtual machines. So virtual routing is great but a double-edged sword at the same time.
 
  

