LinuxQuestions.org
Old 03-17-2018, 01:56 PM   #1
Gremlin022
Member
 
Registered: Jun 2014
Posts: 37

Best Firewall Distro?


Hello,

I searched the forum for this topic, but the responses were quite old. What's the best current firewall distro for Linux? I want to tinker with turning a PC into a physical firewall. Keep hearing about Sophos UTM Home. Is that any good?
 
Old 03-17-2018, 02:04 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

They'll all use the same filter which you would access via iptables, probably via SSH or a serial cable. So it does not matter that much which distro to choose. I'd recommend steering towards a distro that has a Long Term Support release so that you don't have to mess with full system upgrades too often. The server version of Ubuntu would fulfill that criterion, but then so would many others.

If you want to try another OS, then you could try pfSense which is based on FreeBSD.

Or if you want the best and easiest (for certain definitions of easy) then there is PF which is built into OpenBSD. Installing the base set for OpenBSD would provide PF plus OpenSSH server and you'd be set. PF is much easier than iptables. OpenBSD itself is old school and does only what you tell it, no more no less. Getting used to that might be necessary but is wonderful because of that once it is familiar.

However, firewalls in general are vastly overrated: If M$ Edge or M$ Outlook are your infection vectors and either is still allowed to reach out through your firewall, you will get pwned regardless of how fine and clever the firewall is.

If you are approaching this to learn, then go for it. Otherwise, meh.

Last edited by Turbocapitalist; 03-17-2018 at 02:20 PM. Reason: spelling
 
1 members found this post helpful.
Old 03-17-2018, 02:24 PM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Again, if M$ Edge or M$ Outlook are your infection vectors and either is still allowed to reach out through your firewall, you will get pwned regardless of how fine and clever the firewall is.

Just to illustrate that using this week's news:

http://www.cve.mitre.org/cgi-bin/cve...=CVE-2018-0874

http://www.cve.mitre.org/cgi-bin/cve...=CVE-2018-0939

http://www.cve.mitre.org/cgi-bin/cve...=CVE-2018-0940

Next week or at latest the week after that, there will be a new but similar batch.
 
Old 03-17-2018, 07:09 PM   #4
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 419

You might take a look at IPCop. It is a standalone firewall. Also take a look at Shorewall. And there are others that are dedicated firewalls.

Do remember what a firewall does. It is a packet filter. It can block packets from IP addresses, packets that have impossible flags, packets that arrive too quickly and that sort of thing. But they are looking at the packets themselves, not the contents in relation to various threats that should be handled by the programs themselves. You can, for example, easily block any packet from China, say, but not a specific packet or set of packets that will cause a buffer overflow or something else due to a fault in the program. From what has been said above I suspect that you are looking for both.

For a packet firewall on Linux you will be looking at some frontend for the security modules in the kernel which do the actual filtering. The most common arrangement is a frontend to iptables which, in turn, is a frontend for the kernel modules. I highly recommend that you invest some time in learning and learning about iptables itself. They are not easy to go through and understand in detail, but the man pages for iptables and iptables-extensions. That will help you in evaluating what each 'firewall' you look at actually does. Once you know a little about iptables a command you will find useful is 'sudo iptables -L -v -n' which lists all the rules in the filter table. There are other tables, but that is the main one.

Sorry for the length, but your question made me think you were expecting too much from a firewall. If I'm wrong I'll apologize and crawl back under my rock.
 
Old 03-17-2018, 08:32 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

It's not Linux, it's BSD, but Tom Lawrence of the Sunday Morning Linux Review swears by PFSense. He has a number of tutorials at his YouTube channel.
 
1 members found this post helpful.
Old 03-18-2018, 09:10 AM   #6
YesItsMe
Member
 
Registered: Oct 2014
Posts: 915

I would seriously recommend OpenBSD for firewalls if you're into ssh. Otherwise, +1 for PFSense.
 
1 members found this post helpful.
Old 03-18-2018, 12:38 PM   #7
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Free firewall distros offer the illusion of security. It's kind of like wearing safety goggles when you work. It will prevent accidental debris. But goggles won't prevent someone from intentionally shooting you in the eye. If someone specifically desires to penetrate a firewall running a free firewall distro, it might as well not even be there for all the good it will do.
 
Old 03-18-2018, 08:20 PM   #8
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

I must differ somewhat with the previous post. As AwesomeMachine points out, if someone really wants to penetrate your network, the odds are he or she will find a way in.

Similarly, if someone really wants to steal your car, he or she will probably steal your car, because he or she really wants your 1972 Lamborghini and there are only three left outside of captivity. That's not a reason to leave the doors unlocked and the key in the ignition, especially given the common nature of random port scans on the internet.

Last edited by frankbell; 03-18-2018 at 08:27 PM.
 
Old 03-19-2018, 12:53 AM   #9
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

I guess maybe I overstated my case. But nothing beats diligence in the pursuit of security.
 
Old 03-20-2018, 01:14 AM   #10
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824

I have used pfSense and OpenBSD as firewalls. pfSense if you like a GUI, OpenBSD if you want to do things without a GUI, or you could install xfce4.
 
Old 03-20-2018, 01:27 AM   #11
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth&Mars (I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that work on freest-HW; has been KDE, CLI, Novena-SBC but open.. http://goo.gl/NqgqJx &c ;-)
Posts: 4,888
Blog Entries: 2

*LFS*
 
Old 12-01-2021, 01:55 AM   #12
clutch644
LQ Newbie
 
Registered: Dec 2021
Posts: 2

Best Linux firewalls

You can use any Linux distro; you can install a Linux firewall on that distro, which would be helpful for you instead of looking for distros fully based on the firewall. There are many Linux firewalls available on the web. Take a look.
 
Old 12-01-2021, 05:39 PM   #13
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

error

Last edited by computersavvy; 12-01-2021 at 05:41 PM.
 
Old 12-01-2021, 10:34 PM   #14
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,803

Quote:
Originally Posted by Gremlin022 View Post
What's the best current firewall distro for Linux?
Slackware works for me. I use a Python script that creates/updates the rules based on blacklists that I've accumulated based on IPs I've gleaned from log files (senders that attempt mail relay access, web accesses that are trying to find Windows directories, stuff like that). It's not a panacea but it cuts down some of the obvious traffic I'd prefer not get access to, well, anything on the "clean" side of the firewall.

There may be better distributions that can be used as firewalls out of the box but Slackware's done a good job so far as it allows me to roll my own solution and -- unlike any Systemd-based distribution -- I have better control of when, in the system startup sequence, the firewall setup takes place.

Good luck on your search.
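
An added example, not rnturn's script and not part of the original thread: one way the log-to-blocklist approach described in post #14 could look in Python, with every address validated and an allowlist applied before anything reaches the firewall. The log formats, allowlist ranges, hit threshold and the set name `blacklist` are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation/private ranges), not real traffic.
SAMPLE_LOG = """\
Dec  1 10:00:01 gw postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <a@example.org>: Relay access denied
Dec  1 10:00:09 gw postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <b@example.org>: Relay access denied
Dec  1 10:00:30 gw postfix/smtpd[812]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 554 5.7.1 <c@example.org>: Relay access denied
198.51.100.23 - - [01/Dec/2021:10:01:00 +0000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 209
198.51.100.23 - - [01/Dec/2021:10:01:02 +0000] "GET /windows/system32/cmd.exe HTTP/1.0" 404 209
192.168.1.10 - - [01/Dec/2021:10:02:00 +0000] "GET /windows/win.ini HTTP/1.1" 404 209
192.168.1.10 - - [01/Dec/2021:10:02:05 +0000] "GET /winnt/win.ini HTTP/1.1" 404 209
not-an-ip - - [01/Dec/2021:10:04:00 +0000] "GET /winnt/ HTTP/1.1" 404 209
"""

# Postfix relay rejection, and a web request for a Windows system directory.
RELAY = re.compile(r"RCPT from \S*\[([0-9a-fA-F.:]+)\]: 554 .*Relay access denied")
WINPROBE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ /(?:winnt|windows)/', re.I)
# Assumed allowlist: never block the inside network or loopback, whatever the logs say.
ALLOW = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "127.0.0.0/8")]

def find_offenders(lines, threshold=2):
    """Return {ip: hit_count} for IPv4 sources seen at least `threshold` times."""
    hits = Counter()
    for line in lines:
        m = RELAY.search(line) or WINPROBE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # log field was a hostname or garbage; never pass it on
        if ip.version != 4 or any(ip in net for net in ALLOW):
            continue
        hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def render_ipset(offenders, name="blacklist"):
    """Render input for `ipset -exist restore`; only validated addresses reach it."""
    ordered = sorted(offenders, key=ipaddress.ip_address)
    rows = [f"create {name} hash:ip family inet"] + [f"add {name} {ip}" for ip in ordered]
    return "\n".join(rows) + "\n"

if __name__ == "__main__":
    # Load with: ipset -exist restore < file, then match the set from one rule:
    #   iptables -I INPUT -m set --match-set blacklist src -j DROP
    print(render_ipset(find_offenders(SAMPLE_LOG.splitlines())), end="")
```

Keeping the addresses in an ipset and matching it from a single rule keeps the output of 'sudo iptables -L -v -n' short however long the list grows; on a routing firewall the same match would also be needed in the FORWARD chain.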
 
Old 12-02-2021, 01:47 AM   #15
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,843

necro-thread reopened by a spammer.
 
  

