Feature overview of Linux and BSD firewall and router distributions
Note: This post features two long tables. Unless you want to scroll from here to Burkina Faso, it is highly recommended that you do not try to view this post on a single page; that is, do not click the “View All” link above or below this post.
There are more than a dozen distributions listed under the Firewall and Router category on this site (see the sidebar), with many more over at Distrowatch. And that’s a good thing: the more to choose from, the better. The question is, which one is the best? Or, more correctly, which one is right for your needs? Since I don’t know what features you are looking for in a firewall cum router distro, the best that can be done to aid your search is to present the features of all the distros in a manner that makes it easy for you to see which distro has the features that you need.
The material presented in this table is based on a default installation of the distros. Some distros (IPCop, IPFire, pfSense, Smoothwall Express, and Untangle, for example) are modular by design, and the basic functionality can be extended by an additional installation of plugins, addons, or mods.
Table 1
| Features | Astaro Security Gateway HE | Endian Firewall Community | EnGarde Secure Linux CE | Untangle Network Gateway | Vyatta CE |
|---|---|---|---|---|---|
| Based on (Linux or BSD) | Linux (kernel 2.6) | Linux (kernel 2.6, optional xenU kernel installation), rpm package manager | Linux (kernel 2.6), apt and rpm package managers | Linux (kernel 2.6), apt (Debian) package manager | Linux (kernel 2.6), apt (Debian) package manager |
| Installer | Menu-type installer | Menu-type installer | Menu-type installer | Graphical installer | Text-based installer |
| Management | Browser-based (HTTPS), shell (SSH), console | Browser-based (HTTP & HTTPS), SSH, console | Browser-based (HTTPS), SSH, console | Browser-based (HTTP & HTTPS), GNUstep desktop | Browser-based (HTTPS), shell (SSH), console |
| Interfaces | Wired (wireless not detected during installation). Link aggregation. Bridging with aging timeout and ARP broadcasts | Wired (wireless not detected during installation). WAN interface aliasing. Bridging | Wired (wireless not detected during installation). Virtual interfaces | Wired (wireless not detected during installation). Transparent Bridge | Wired and wireless. Link aggregation (bonding), bridge |
| VLAN Support | Yes | No | No | Yes | Yes |
| WiFi Mode | No | No | No | No | No |
| Failover/Load Balancing/HA | Yes (uplink failover and multipathing). Server load balancing. Active-passive and active-active HA | No | No | No | Yes - WAN load balancing, clustering |
| Routing | Static routes, RIP, OSPF. Policy-based routing | Static routes | Static routes | Static routes | Static routes, RIP, RIPng, OSPF, BGP |
| Captive Portal | Yes | No | No | No | No |
| Network Services | DNS, Dyn DNS, DHCP, NTP, NAT, Traffic shaping (QoS), SIP, H.323 | DNS, Dyn DNS, DHCP, NTP, Traffic shaping (QoS) | DNS, NTP, SSH, Web (Apache), FTP (vsftpd), mail (Postfix) | NAT, DHCP, DNS, QoS | DHCP, DNS, NTP, QoS |
| Firewall & VPN | Stateful Packet Inspection (SPI) firewall. Site-site and remote access SSL and IPSec VPN. PPTP, L2TP over IPSec. Cisco VPN clients supported | SPI firewall, SSL/TLS and IPSec VPN | Shorewall firewall, SELinux Mandatory Access Control. PPTP VPN. | SPI firewall. Site-site and remote access SSL VPN | SPI firewall. IPSec and SSL VPN. PPTP |
| Web Services | Web/FTP proxy, URL filtering, DoS, DDoS attacks, worms, and anti-virus protection | Web/FTP/DNS proxy, content filtering, DoS, DDoS protection, anti-virus | Apache and FTP server | Web proxy. DoS, URL and file (application) filtering. Tracking/ad cookies, and ActiveX controls | Web proxy |
| Mail Services | SMTP/POP3 proxy. Anti-spam, anti-virus, anti-phishing and email encryption | SMTP/POP3 proxy. Anti-virus, anti-spam. Black/white listing | sSMTP, sPOP3, sIMAP servers | SMTP/POP3/IMAP proxy, with SMTP tarpitting. Anti-spam, anti-virus, anti-phishing, ad-blocking, anti-spyware | No |
| IM and P2P | Multi-service IM and P2P protocol controls | No | No | Multi-service IM and P2P protocol controls | No |
| VoIP Services | Stateful VoIP support. SIP and H.323 | SIP proxy | No | SIP and H.323 controls | No |
| IDS/IPS | IPS with real-time signature updates. TCP SYN, UDP, and ICMP flood protection. Anti-portscan | IDS with Sourcefire VRT and Community rules. TCP SYN, ICMP flood protection. Anti-portscan | Network and AIDE host IDS | Yes. Signature- and heuristic-based IPS | Yes |
| Authentication, Authorization | Active Directory, eDirectory, RADIUS, TACACS+, LDAP, Local | Active Directory, RADIUS, LDAP, Local, NTLM single sign-on (SSO) | Local, LDAP | Local | Local, RADIUS |
| Logs/Reports | Local, remote syslog. Automatic log file deletion. Real time log viewing. Report graphs | Local, remote syslog. Limited report facilities. System and traffic graphs | Real time attack graphs, real-time log analysis. | Summary, detail, and per user reports in pdf or HTML format. Automated email report delivery | Local and remote syslog |
| Backup/Restore | Automatic | Automatic, with GPG encryption of backup archives | Automatic | Automatic | Yes |
| Updates/Updating | Automatic signature (anti-virus, IPS, Docs) download/install. Automatic system updates | Automatic signature updates. Manual system updates | Automatic system updates via GDSN | Automatic (IPS, virus) signature updates. Automatic system updates | Automatic |
| Minimum Hardware Requirements | Standard PC. Intel x86 or compatible. 1024 MB+ RAM, 20 GB HD, 1.5+ GHz processor | Standard PC. Intel/AMD x86, x86-64 processors. 512 MB+ RAM, 4 GB HD | Intel/AMD x86, x86-64 processors. 512 MB+ RAM, 4 GB HD. Hardware RAID support | Standard PC. Intel/AMD-compatible processor, minimum 750 MHz P IV. 1 GB+ RAM, 80 GB HD | Intel x86 and alpha architectures. 2 GB+ HD |
| License/Price | ASG-HE comes with GPL and free, non-GPL applications. You may choose to use only GPL apps. Good for no more than fifty active IP addresses | Free Software, GPLv2. No IP address restrictions | Free Software, GPLv2. No IP address restrictions | Untangle Server and 13 of the application packages are Free Software (GPLv2), with no IP address restrictions. Other "Pro" packages are fee-based | Free Software. Components under various Free Software licenses. No IP address restrictions |
HE: Home Edition
CE: Community Edition
Table 2 on Page 2 features IPCop, IPFire, pfSense, SmoothWall Express, and Zeroshell.
Aaron Bylund
Would love to see ClearOS added to this comparison!