What's your firewall flavor?

What do you run, soft or hard firewall? What do you like about it, what do you hate?

Or maybe you are shopping for a new firewall solution and want to know what is out there for you.

I'm polling the denizens of Dev Hardware to see what everyone is using right now and I want to hear about your setups, hangups and given-ups pertaining to network protection.

Right now I am running Smoothwall Express version 3.0 (SWE 3) on a P4 1.5GHz with 512MB RAM and a 16GB hard drive. It's in a R-G-P configuration (RED is my PPoE interface to the DSL modem, GREEN is the secure internal LAN, and PURPLE is the guest wireless and other computers that don't need access to the GREEN network like my solar monitor and folding farm.). I have a combination of Ubuntu, Win XP Pro and Vista (yuk!) desktops and laptops on the internal LAN. I am using DansGuardian in an add-on mod for content screening with three distinct groups (adult, teen, child).

My biggest gripe with SWE 3 is the DansGuardian add-on... it doesn't have a nice GUI yet and it has been a pain for me to get it configured correctly. Hopefully the GUI will be implemented soon, but right now they are trying to standardize the add-on modules to make installations/upgrades easier and such and that will result in a rewritten DG mod.

Errr.. where's the option for no firewall? I know I know, bad drumzy. I disabled window's firewall because honestly, the only thing it stops is me from doing legitimate things. I used to be a huge fan of Zone Alarm, but I've heard that it's gone down the toilet in recent years. Maybe this thread will help me find a good firewall so I can actually install one and not just rely on my antivirus for catching stuff.

Good idea, that! I'm debating with myself whether installing F@H on my firewall is a good idea or not.

How many firewalls you got, 'Hyena?

Alright. So let's begin. I did not check a few of those boxes just randomly.

I've missed almost with all of those enumerated. For home usage I'd definitely recommend Smoothwall. Their support forums are quite responsive, there are lots of common situations already answered so finding solutions turns out a piece of cake most of the time, while it also works efficiently, and it is very modular. You can expand it with lots of plugins, extensions, and so forth.

pfSense is also worth checking out, it's a robust firewall solution based on FreeBSD. It can act both as a firewall and router. This is an amazing capability because if configured well on a half-decent Linux machine it can run like a few-thousand dollars worth Cisco router. Or let alone Cisco Concentrator - it also supports VPN via OpenVPN. Now this may not mean that much in a home environment, but it also supports redundancy, load balancing, NAT, and all that. So this is why it's a pretty damn good suite to run in a small-to-medium corporation if the sysadmins are willing to go open source, make the management smile sarcastically (like suggesting a salary bonus instead of a 8,000$ Cisco solution, lol), and you name it. Check out its extensive list of features - link.

While Smoothwall is a bit of beginner-oriented, pfSense requires every now and then, especially if you want to do a great job configuring it appropriatelly, dwelling on things and actually reading the documentations. I'd say pfSense is a bit for the more experienced Linux user that can get his way easily around the OS, so additionally configuring this tool won't become a nightmare this way. While even a beginner with little-to-no experience under Linux can follow the instructions and have a Smoothy installation up and running much easier.

As for other commercial solutions - I've had great experiences with Kaspersky, including their AV. For home usage it's a no-no, why; you ask? Because they are expensive, that's all. For business-usage they are quite alright. At least we're relying on them for years and never had problems. Remote monitoring, management, remote deployment, centralized updates, extensive logging, mailing those through an SMS server/simple mailbox, etc. While their price tag is quite high, I'd say they are doing a great job at securing corporations with their solutions - though, as of recently (february 8th or so) their website was apparently hacked by a Romanian guy. He reported the vulnerability and they patched the hole in less than 20 minutes.

As for other commercial devices - it's a no-brainer that Cisco devices are amazing. Even a little PIX that dates back to 2003 is such a phenomenal tiny device that is able to route dozens of megabits, apply NAT, act as a firewall, and basically do anything that one might need in a small network of 20-100 computers. Sure the other top-end Cisco devices are also undoubtedly freaking good. But once again, they are affordable and worth only in business infrastructures.

Like we discussed in TLTE - for your needs, D1, I'd say either stick to Smoothwall because you already know your way around even blindfolded, or if you are willing to pass on new fields then check out pfSense. Good luck.

I will have to look into Smoothwall too, by the sounds of things.

I've been using the Windows Firewall in conjunction with Kerio for years now, never had any problems/viruses/trojans.... I mean never!

Now that I have my new build I am still debating whether to throw Kerio back on, or to find another solution. I don't really know much about firewalls, but your post was great, Tony.

I currently use Zone Alarm and Windows firewall on pc's in my house.

Using alongside Avast, Spybot & Adaware I haven't had any problems so far.

I used to use Norton's Internet package but it was too damn resource hogging and made my pc run noticeably slower.

I run pfSense on a dual p2 450. Why do I like it? It makes it easy to dual WAN while providing very extensive yet easy configuration via a GUI. It is BSD based, and does not have huge hardware requirements at all.

It doesn't have huge hardware requirements, yet you are running it on a dual P2?

My SWE 2.0 ran for years on a single P2 250.

SWE 3.0 required a P4, though.

I'm running a dual p2 because it's the crappiest hardware I got

Excuse me... but, Zone Alarm is a joke. It's not resource-efficient, neither secure, nor solid, or reliable for that matter. Kerio are also far from being recognized as a powerful firewall solution. For general home usage, it's surely better than having no firewall at all. At least IIRC it does not hogs the system, but perhaps therein lies the fact it does little-to-nothing.

And Windows Firewall does barely scratches the tip of the iceberg of the entire firewall concept; the only great thing it's really good about is annoying the user. It's exactly like Office's annoying animated clippy. Every prestigious company that respects itself disables the Windows Firewall via group policies.

Bottom-line, I agree with weevil. pfSense is awesome. On another note, even the classic iptables (ipfilter) is powerful enough.

i'm running endian on a p3 w/ 256 mb ram. i think the part i like about it the most is the integrated content and virus filtering. i don't really have a need for filtering; but, i use it to filter out advertisements.

a while back, i used monowall, then switched to pfsense since monowall was focusing primarily on embedded devices, which is why it split to pfsense. if i were ever to host my own stuff (web, email, etc.), i would probably use pfsense instead of buying a cisco router.

one of my friend's recently turned me on to untangle. it's similar to endian except it's better maintained.

http://www.untangle.com/

Thanks for advising it. I am going to include this one too in one of my future articles covering open-source firewall solutions.

anything for you my friend that lives 4,658 miles away from from me.

I'm currently running Smoothwall on a 1.8GHz P4 with 512MB RAM.

For several years, before DSL was available here, I ran LRP (Linux Router Project) on a 486-33. It was set up to boot from a single write-protected floppy into ramdisk. It acted as a dial-on-demand router for my 10Mb LAN: when packets destined for an outside address were detected, it dialed-up on the external modem to my ISP, then dropped the connection after a period of inactivity. For what it was, it worked well for me. It is apparently no longer maintained.

Ben N1NP