Wednesday, October 22, 2008

Where can I download a free firewall?

Free firewalls have become very common and represent an excellent alternative to commercial firewall packages. Most of these firewalls run under some form of Linux, FreeBSD, or OpenBSD.

Many of these free firewalls are front-ends for the lower-level firewall packages which ship with these operating systems, such as pf (Packet Filter), ipf (IPFilter), ipfw (IPFirewall), and iptables.

Free firewall packages which you can download include:

Firestarter

Firestarter is a free firewall tool for Linux machines. Whether you simply want to protect your personal workstation or you have a network of computers to secure, Firestarter is here to make your life easier. While a firewall cannot guarantee security, it is the first line of defense against network-based attacks. Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators. We strongly believe that your job is to make the high-level security policy decisions and ours is to take care of the underlying details. This is a departure from your typical Linux firewall, which has traditionally required arcane, implementation-specific knowledge.

  • Open Source software, available free of charge
  • User-friendly, easy-to-use graphical interface
  • A wizard walks you through setting up your firewall the first time
  • Suitable for use on desktops, servers and gateways
  • Real-time firewall event monitor shows intrusion attempts as they happen
  • Enables Internet connection sharing, optionally with DHCP service for the clients
  • Allows you to define both inbound and outbound access policy
  • Open or stealth ports, shaping your firewall policy with just a few mouse clicks
  • Enable port forwarding for your local network in just seconds
  • Option to whitelist or blacklist traffic
  • Real-time firewall events view
  • View active network connections, including any traffic routed through the firewall
  • Advanced Linux kernel tuning features provide protection from flooding, broadcasting and spoofing
  • Support for tuning ICMP parameters to stop Denial of Service (DoS) attacks
  • Support for tuning QoS parameters to improve services for connected client computers
  • Ability to hook up user-defined scripts or rule sets before or after firewall activation
  • Supports Linux kernels 2.4 and 2.6
  • Translations available for many languages (38 languages as of November 2004)

Zorp GPL

Zorp is a new-generation proxy firewall suite and as such its core architecture is built around today's security demands: it uses application-level proxies, it is modular and component-based, it uses a script language to describe policy decisions, it makes it possible to monitor encrypted traffic, it lets you override client actions, it lets you protect your servers with its built-in IDS capabilities... The list is endless. It gives you all the power you need to implement your local security policy.

  • Uses a script language (Python) for configuration and policy decisions
  • Supported protocols:

    • HTTP/1.1
    • FTP
    • SSL
    • finger
    • plug
    • whois
    • telnet

  • Uses modular application gateways
  • Able to analyze sub-protocols (for example HTTP inside SSL)
  • Can add/remove packet filter rules on demand
  • You can write your own proxy modules in Python if a native version is not available

Turtle

Turtle Firewall is software that lets you build a Linux firewall in a simple and fast way. It is based on kernel 2.4.x and iptables. Its way of working is easy to understand: you define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements. You can do this simply by editing an XML file or by using the comfortable web interface, Webmin.

LutelWall

LutelWall is a high-level Linux firewall configuration tool. It uses a human-readable and easy-to-understand configuration to set up Netfilter in the most secure way. The flexibility of LutelWall allows firewall administrators to build very simple, single-homed firewalls as well as the most complex ones, with multiple subnets, DMZs and traffic redirections.

LutelWall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. The configuration method of this firewall is designed to be as simple as possible without losing Netfilter's flexibility and its security features.

LutelWall is a Linux iptables shell script written in bash for use as a stateful firewall and NAT/masquerade router for single- or multiple-subnet networks.

LutelWall makes use of the netfilter code in the 2.4 Linux kernel and is more robust and configurable than an equivalent ipchains script.

  • Traffic features:

    • Flexible control over traffic using rule set
    • User-defined protocols support
    • Support for any kind of multiple external and internal interfaces (and aliases)
    • Automated MASQUERADE / SNAT support
    • Easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
    • Rate limit extensions
    • Packet marking for 3rd party shapers
    • TOS (Type of Service) traffic optimizer
    • Both passive and active FTP support
    • DHCP support
    • Can work as a "workstation" firewall

  • Security features:

    • Stateful TCP connection tracking with restrictive TCP chain
    • Blocking all stealth-mode scans (FIN, Xmas Tree, Null, Window scan or ACK scan modes (nmap -sF -sX -sN -sW -sA))
    • Blocking IP protocol scans (nmap -sO)
    • Blocking UDP scans (nmap -sU)
    • Blocking identification via TCP/IP fingerprinting (nmap -O)
    • Anti-spoof protection, including protection for aliases
    • Anti-smurf protection
    • TCP SYN Flood protection
    • UDP / ICMP Flood protection
    • IANA reserved addresses checking
    • sysctl kernel parameters set for additional hardening

  • Logging features:

    • Logging of stealth scans (FIN, Xmas Tree, Null) and ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU) and nmap fingerprinting attempts

  • Other features:

    • Autodetection of connection type (static/dynamic, external/internal)
    • Auto-update of the firewall tool
    • Auto-update of the IANA reserved list
    • Display of firewall statistics in iptables native, CSV or HTML format
    • Easy deployment on all distributions
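As an added example (not LutelWall's or this page's own code), here is a minimal POSIX shell script that implements the core of what the LutelWall feature list above describes: sysctl hardening, a default-deny stateful policy, anti-spoof drops for reserved source addresses on the external interface, rate-limited logging and dropping of Null/FIN/Xmas/ACK probes, and MASQUERADE for the LAN. The interface name eth0 and the subnet 192.168.1.0/24 are assumed placeholders; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: a minimal LutelWall-style stateful firewall/NAT script (not LutelWall's own code).
# Prints the iptables and sysctl commands by default; set APPLY=1 and run as root to load them for real.
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}                    # assumed external interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed internal subnet (constructed value)

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
# Kernel tuning: SYN cookies (SYN flood), rp_filter (anti-spoof), no broadcast echo replies (anti-smurf).
kernel_hardening() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    run sysctl -w net.ipv4.conf.all.accept_source_route=0
}
# Default-deny policy; conntrack marks malformed packets INVALID and they are dropped up front.
base_policy() {
    run "$IPT" -F; run "$IPT" -t nat -F
    run "$IPT" -P INPUT DROP; run "$IPT" -P FORWARD DROP; run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP
}
# Anti-spoof: private, loopback and reserved sources cannot legitimately arrive on the WAN interface.
anti_spoof() {
    for net in "$LAN_NET" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4; do
        run "$IPT" -A INPUT -i "$WAN" -s "$net" -j DROP
    done
}
# Stealth scans use TCP flag combinations no real connection sends: log (rate-limited) and drop them.
block_stealth_scans() {
    for flags in "ALL NONE" "ALL FIN" "ALL FIN,PSH,URG" "SYN,FIN SYN,FIN"; do  # Null, FIN, Xmas, SYN/FIN
        set -- $flags
        run "$IPT" -A INPUT -p tcp --tcp-flags "$1" "$2" -m limit --limit 5/min -j LOG --log-prefix "STEALTH: "
        run "$IPT" -A INPUT -p tcp --tcp-flags "$1" "$2" -j DROP
    done
    run "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP  # ACK/window scans: a non-SYN cannot be NEW
}
# Stateful core plus NAT: replies to tracked connections pass, the LAN is masqueraded behind the WAN address.
stateful_nat() {
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -s "$LAN_NET" -o "$WAN" -m state --state NEW -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}
apply_firewall() { kernel_hardening; base_policy; anti_spoof; block_stealth_scans; stateful_nat; }
apply_firewall
```

Rule order matters: the anti-spoof and scan drops are inserted before the ESTABLISHED,RELATED accept so a forged packet never benefits from connection tracking.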




floppyfw

floppyfw is a router with the advanced firewall capabilities of Linux that fits on a single floppy disk.

  • Access lists, IP masquerading (Network Address Translation), connection-tracked packet filtering and (quite) advanced routing. A package for traffic shaping is also available.
  • Requires only a 386SX or better with two network interface cards, a 1.44 MB floppy drive and 12 MB of RAM (for less than 12 MB and no FPU, use the 1.0 series, which will stay maintained).
  • Very simple packaging system, used for editors, PPP, VPN, traffic shaping and whatever comes up.
  • Logging through klogd/syslogd, both local and remote.
  • Serial support for a console over the serial port.
  • DHCP server and DNS cache for internal networks.