Jan. 26, 2011, 11:52 a.m.
posted by jack
The vast majority of Linux firewalls are now based on iptables. If you've got the hang of iptables, and know how to "get under the hook" and check them at the command-line level, and now just want to streamline the management of your system(s) a bit, a graphical firewall administration tool may be in order. Such tools can be divided into two rough categories: full bootable or installation firewall distributions, which are complete systems, and firewall tools, which are simply graphical front ends for iptables itself on your existing system(s).
The higher end firewall distributions tend to be commercial packages, with enterprise-type support packages. The advantage to paying for the full commercial suite is that you can often purchase support packages or higher end corporate server variants with various commercial SLAs (service level agreements) in place for when things go awry. If firewall administration is not your full-time job, such options might be quite beneficial, useful, and justifiable.
SmoothWall is a Linux-based firewall distribution that has become popular in the small business world, home offices, and medium-sized corporate installations. It's been around for quite some time and has kept up with Linux firewall innovations as they are implemented in the operating system. SmoothWall is modular, so you only have to install the features you will use. It offers VPN gateways, bandwidth management, and web content filtering, among other possibilities. On the noncommercial side, it can be had for free. Great for kicking the tires and testing! For the commercial version, it starts at around $330, and with the various add-on modules can go up to a few thousand dollars. Learn more about SmoothWall at www.smoothwall.org/ or www.smoothwall.net/.
Another good turnkey solution for corporate installations is the SUSE Firewall on CD, which is based on a bootable CD firewall distro. It is a well-rounded distribution with a host of caching and proxy services, as well as a web-based administrative tool. This package is liked because all config files are stored on floppy and upgrades come on replacement CDs that boot to RAM. So to upgrade to the latest version, you just eject the CD, insert the new one, and reboot! And if the system ever does get compromised from the inside, again, just reboot! You can even install a special VPN gateway version. Learn more at www.suse.de/en/business/products/suse_business/firewall/index.html. Note that Novell, Inc., has recently bought the SUSE company, so the name, pricing, and nature of this product may change.
One of the newer contenders in this Open Source firewall space is Astaro Linux. It's a full install distro that is an all-in-one solution. It offers a great array of features, such as full firewall management, intrusion detection and protection, virus protection, spam protection, VPN gateway, proxy based URL filtering capabilities, and more. Pricing for this suite starts at about $350. For the latest pricing and numerous optional packages go to www.astaro.com.
If you don't need a full commercial firewall for your network, consider streamlining your firewall management by using a graphical tool to administer your iptables configuration. These tools range from simple X window GUI displays to full-fledged, firewall control systems. Choose the one that works best for the level of firewall information you need on a regular basis.
One of the newer and more powerful firewall administrative tools is KMYFirewall, which comes from the KDE project. It offers an intuitive graphical interface, is designed to work with multihome network firewalls, and gives the technical information and control over the user's system in a simple easy to follow format. Learn more and download packages from http://kmyfirewall.sourceforge.net.
Other front ends to iptables, such as Firestarter or Shorewall, are aimed more at personal firewalls-type control of iptables than for the full-blown network firewall. If you run a stand-alone personal firewall iptable config, you might want to check out http://flrestarter.sourceforge.net/ and http://shorewall.net/. These tools are a bit easier and quicker than working with iptables in a text editor and display firewall information in a way that may help you track down problems more rapidly.
Many graphical firewall tools are incompatible with each other or with existing firewall configurations on your Linux system. These programs usually do not read existing iptables configurations; in some cases, they require that you shut off your iptables set-up (such as the RH /etc/sysconfig/iptables and RH-Firewall -1-INPUT) altogether and keep it turned off with chkconfig. If you decide to use a graphical administrative tool for your firewall, pick one and stick with it, and don't switch back and forth between the tool and editing iptables manually.