Free astaro firewall software for linux

Gibraltar Firewall is a firewall and router package, based on Debian/GNU Linux, which perfectly meets all individual requirements for a state-of-the-art firewall.
Independent of the kind of Internet connection (dedicated line, ADSL, dial-up connection), Gibraltar provides for secure connections. So you can turn to something more important without ruffle and worries - your job!
Gibraltar is free for private use. The private license is restricted to a maximum of 5 concurrent connections and includes the easy-to-use webinterface. For obtaining a private license, please contact us via email.
Attention: Without a valid license file, Gibraltar will not run properly!
For the private use of Gibraltar, no claim on support or guarantee can be raised.
All ISO images are copyright of Rene Mayrhofer and eSYS Information Systems GmbH, but may be copied and distributed freely. Several components of Gibraltar are under GPL or BSD license. For detailed usage licenses read the packet documentations under /usr/share/doc on the ISO image.
If you would like to distribute Gibraltar commercially, please refer to our partner program.
Gibraltar can be completely configured with the web-based configuration tool GibADMIN. The configuration of Gibraltar occurs over an encoded, secured connection, and can be done with any browser. The web-interface is designed intuitional and concise, and enables the administrator to change the configuration very easy and quick.
Gibraltar convinces through jutting flexibility and extensive functionality.
Main features:
- SYSTEM
- Live CD technology: Gibraltar boots and runs fully off CD-ROM
- No hard disk installation required
- Specially hardened Linux kernel
- Languages: English, German, Finnish
- Remote configuration with web interface (SSL 128 Bit) or remote login (SSH)
- Easy configuration management
- Automatic live updates: interval can be configured
- NETWORK SUPPORT
- Ethernet: 10/100/1000 MBit/s: static or DHCP, virtual IP addresses
- ADSL Ethernet modems: PPP over Ethernet, PPTP
- ADSL USB modems: PPP over ATM
- Modem dial in: serial, USB
- Unlimited number of network interfaces
- STATEFUL PACKET INSPECTION
- Protocol support: ICMP, TCP, UDP, GRE, ESP, AH, IPv4-over-IPv6
- Flexible packet filter: interface, MAC address, IP address, service, port,....
- NAT: Network address translation: dynamic and static
- PAT: Port address translation: load balancing (Round Robin)
- Free definition of aliases and groups: addresses and ports
- DoS/flood - protection: predefined, expandable
- Randomized IP sequencing
- Selective TTL manipulation
- Protocol pass through: PPTP, FTP, H.323, IRC
- VPN (VIRTUAL PRIVATE NETWORKS)
- VPN IPSec gateway
- VPN PPTP server: MPPE 128 Bit data encryption
- Network-to-network VPN
- Network-to-client VPN: compatible with Microsoft Windows 2000 / XP
- Unlimited number of VPN tunnels
- Authentication with PSK (Private shared key) and X.509 certificates
- Encryption: 3DES, Blowfish, Twofish, AES, CAST, Serpent
- Authentication PPTP: CHAP, MS-CHAPv1, MS-CHAPv2
- NAT traversal
- Perfect forward secrecy (PFS)
- DEEP PACKET INSPECTION
- Secure SMTP relay: incoming, outgoing, attachment blocking, block lists, antivirus and spam protection
- Transparent HTTP proxy: no client configuration necessary, spam protection
- User authentication: user list, active directory integration, LDAP
- Content caching
- Content scanning: antivirus, cookies, active X, java script
- FTP proxy: transparent outgoing, incoming
- Transparent POP3 proxy: antivirus, spam protection and protection of dangerous attachments
- ADDITIONAL SERVICES
- Dynamic DNS
- DHCP server
- Secure DNS resolve
- SSL wrapper for arbitrary services
- Portscan detection
- Antispam filter: rule based, Bayes, RBL, Razor and DCC
- ClamAV virus scanner
- OPTIONAL: Kaspersky virus scanner

Turtle Firewall is a software which allows you to realize a Linux firewall in a simply and fast way.
Turtle Firewall project is based on Kernel 2.4.x and Iptables. Its way of working is easy to understand: you can define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements.
You can do this simply editing a XML file or using the comfortable web interface Webmin.
Turtle Firewall is an Open Source project written using the perl language and realeased under GPL version 2.0 by Andrea Frigido (Frisoft).
Main features:
- ZONES, NETWORKS, HOSTS and GROUPS definitions.
- Filter rules definitions based on services.
- New services definitions.
- NAT
- Masquerading

InJoy Firewall is a flexible firewall security solution for businesses of any size. It offers preconfigured policy templates, including full customization options, IPSec VPN integration, gateway capabilities, intuitive management, access control, many documented deployment examples, and comprehensive documentation.

Without question, the Linux Operating System provides a proven and cost-effective platform, as well as a wealth of high-quality open source software. For business use, however, it often proves difficult to find supported linux firewall solutions that provide the required level of confidence, reliability and trust. With the InJoy Firewall™, businesses can benefit from Linux without having to give up the safety of a responsible vendor and a traditional business relationship.

Security as never before — the InJoy Firewall™ for Linux provides customers with next generation intrusion and anomaly detection. These technologies provides network administrators with the ultimate tools to keep track of network activity and eliminate Internet threats of any type.

As a busy and responsible network administrator, you will find great relief in the InJoy Firewall™. As the only Linux firewall, it is designed from the ground up to be self-contained, thus ensuring optimal performance and minimum impact from third-party problems. This means you dont have to worry about dependencies with Linux connectivity software, software libraries or kernel compilation.


Manage your remote Linux-based Firewall Server from your Windows-based desktop (or any other supported Operating Systems), using the intuitive InJoy firewall™ GUI. Linux users that prefer plain-text configuration can opt for that with the InJoy firewall™ as well.

The InJoy firewall™ works the same under all the supported operating systems, meaning you can deploy a complete and unified protection strategy throughout the business and effortlessly set up fully capable VPNs without having to worry about interoperability issues.

The InJoy firewall™ installs in minutes and can be prepared for distributed, company-wide deployment, using the same simple installation scripts everywhere.

SINUS project is a application which assess the potential of security without obscurity.
The SINUS Firewall is a TCP/IP packet filter for the Linux operating system. It is distributed under the GNU General Public Licence and comes with complete source code, as the Linux operating system does.
The SINUS firewall is a free and easy way to protect your network from the malware of the Internet. It does not guarantee perfect security, however it comes with a wealth of features, including:
Filtering of all header fields in the IP, TCP, UDP, ICMP, IGMP packets.
Intelligent RIP and FTP support.
Easy to understand, text-based configuration.
Graphical management interface for configuration of several firewalls.
Dynamic rules, including counters and time-outs.
Extensive logging, alerting, and counter intelligence.
Prevention of packet and address spoofing - GNU GPL license.
To install the software, you need a Linux 2.0.x based system. We suggest you install a bare-bone system without X or any of the other nifty features which tend to have security holes. You should not install user accounts on the firewall system. Log-ins other than from the console should be forbidden (if you absolutely have to log in remotely, we strongly suggest you install a copy of ssh).
Although the software has been subject to thorough testing, and has been continuously running without crashes for over 12 months, we are confident someone will eventually unconver A BUG in the software. Therefore, it is version "0.1".
Please do not use this software as the sole means to protect your top secret data. This software is intended for:
People who want to study firewalls
People who dont trust their current firewall
People who currently dont have any protection at all (even if there are serious bugs, it cannot get worse, can it?)
Enhancements:
- NEW FEATURES
- user level authentification between firewall and management interface
- compiles and runs on libc6 (glibc2) systems.
- CHANGES
- management interface now written as Java application (JDK 1.1.6)
- detect land attack
- changed name from sf to sifi (SINUS firewall) due to change of maintainer (now Harald Weidner ).
- BUG FIXES
- TCP RST of established connections now pass through the firewall
- fixed a segfault bug in the passive FTP code

LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. It uses human-readable and easy to understand configuration to set up Netfilter in most secure way. Its flexibility allows firewall admins build from very simple, single-homed firewalls, to most complex ones - with multiple subnets, DMZs and traffic redirections. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. Configuration method of this firewall is made to be as simple as possible without loosing Netfilter flexibility and its security facilities.
Main features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking

UTIN Firewall script project is a script for Linux 2.4.x and iptables.

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)

LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

INET_IP="194.236.50.155"
INET_IFACE="eth0"

IPTABLES="/usr/local/sbin/iptables"

#########
# Load all required IPTables modules
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IPs
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP

#
# Bad TCP packets we dont want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward between interfaces.
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# INPUT chain
#
# Bad TCP packets we dont want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from anywhere
#

$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

links2world Firewall is a very simple tool writen in C, that helps you generate iptables rules for Linux 2.4.x and newer kernels. Released under GNU General Public License, it is very easy to configure and designed to run on hosts with one or more network interfaces.
Furthermore, they are able to generate iptables rulesets for one or maximum two network interfaces.
Most of the existing iptables script generators are shell scripts. You have to dig in and to look through entire script in order to customize and configure it for your needs.
On the other hand, links2world Firewall uses a very human readable configuration file that is very easy to understand and write. Still more, it does not matter if you have one, two, three or twenty network interfaces, links2world Firewall is able to generate statefull iptables rulesets able to control the packet flows between all the networks your machine is connected to.
Enhancements:
- minor fixes that solved compilation errors when using older compiles

PCX Firewall is an IPTables firewalling solution that uses Perl to generate static shell scripts based upon the users configuration settings.
This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Enhancements:
- All known bugs have been fixed. Support has been added for Debian Sarge and Red Hat FC[1-3] as "official" distributions to work with when generating init scripts. The ability has been added to just install the generated firewall script into /etc/init.d or /etc/pcx-firewall without starting it.