Free server software firewall software for linux

Simple IPTABLES firewall is a very simple firewall constructed with basic iptables commands. It is meant to be a guideline only, since any firewall is specific to the services the host offers, and the services the administrator permits local users to use.

NOTE: As is, the script only allows ident (port 113) requests, ftp only works in PASV mode from the client side, IRC DCC sends and chats initiated from behind the firewall are blocked, but incoming DCC requests work (hint: to DCC chat from behind this firewall, use /ctcp nick chat). ICQ is also broken in a few ways, although you can send messages.

This is a self contained script, and it assumes kernel support, and modules.

Turtle Firewall is a software which allows you to realize a Linux firewall in a simply and fast way.
Turtle Firewall project is based on Kernel 2.4.x and Iptables. Its way of working is easy to understand: you can define the different firewall elements (zones, hosts, networks) and then set the services you want to enable among the different elements or groups of elements.
You can do this simply editing a XML file or using the comfortable web interface Webmin.
Turtle Firewall is an Open Source project written using the perl language and realeased under GPL version 2.0 by Andrea Frigido (Frisoft).
Main features:
- ZONES, NETWORKS, HOSTS and GROUPS definitions.
- Filter rules definitions based on services.
- New services definitions.
- NAT
- Masquerading

Gibraltar Firewall is a firewall and router package, based on Debian/GNU Linux, which perfectly meets all individual requirements for a state-of-the-art firewall.
Independent of the kind of Internet connection (dedicated line, ADSL, dial-up connection), Gibraltar provides for secure connections. So you can turn to something more important without ruffle and worries - your job!
Gibraltar is free for private use. The private license is restricted to a maximum of 5 concurrent connections and includes the easy-to-use webinterface. For obtaining a private license, please contact us via email.
Attention: Without a valid license file, Gibraltar will not run properly!
For the private use of Gibraltar, no claim on support or guarantee can be raised.
All ISO images are copyright of Rene Mayrhofer and eSYS Information Systems GmbH, but may be copied and distributed freely. Several components of Gibraltar are under GPL or BSD license. For detailed usage licenses read the packet documentations under /usr/share/doc on the ISO image.
If you would like to distribute Gibraltar commercially, please refer to our partner program.
Gibraltar can be completely configured with the web-based configuration tool GibADMIN. The configuration of Gibraltar occurs over an encoded, secured connection, and can be done with any browser. The web-interface is designed intuitional and concise, and enables the administrator to change the configuration very easy and quick.
Gibraltar convinces through jutting flexibility and extensive functionality.
Main features:
- SYSTEM
- Live CD technology: Gibraltar boots and runs fully off CD-ROM
- No hard disk installation required
- Specially hardened Linux kernel
- Languages: English, German, Finnish
- Remote configuration with web interface (SSL 128 Bit) or remote login (SSH)
- Easy configuration management
- Automatic live updates: interval can be configured
- NETWORK SUPPORT
- Ethernet: 10/100/1000 MBit/s: static or DHCP, virtual IP addresses
- ADSL Ethernet modems: PPP over Ethernet, PPTP
- ADSL USB modems: PPP over ATM
- Modem dial in: serial, USB
- Unlimited number of network interfaces
- STATEFUL PACKET INSPECTION
- Protocol support: ICMP, TCP, UDP, GRE, ESP, AH, IPv4-over-IPv6
- Flexible packet filter: interface, MAC address, IP address, service, port,....
- NAT: Network address translation: dynamic and static
- PAT: Port address translation: load balancing (Round Robin)
- Free definition of aliases and groups: addresses and ports
- DoS/flood - protection: predefined, expandable
- Randomized IP sequencing
- Selective TTL manipulation
- Protocol pass through: PPTP, FTP, H.323, IRC
- VPN (VIRTUAL PRIVATE NETWORKS)
- VPN IPSec gateway
- VPN PPTP server: MPPE 128 Bit data encryption
- Network-to-network VPN
- Network-to-client VPN: compatible with Microsoft Windows 2000 / XP
- Unlimited number of VPN tunnels
- Authentication with PSK (Private shared key) and X.509 certificates
- Encryption: 3DES, Blowfish, Twofish, AES, CAST, Serpent
- Authentication PPTP: CHAP, MS-CHAPv1, MS-CHAPv2
- NAT traversal
- Perfect forward secrecy (PFS)
- DEEP PACKET INSPECTION
- Secure SMTP relay: incoming, outgoing, attachment blocking, block lists, antivirus and spam protection
- Transparent HTTP proxy: no client configuration necessary, spam protection
- User authentication: user list, active directory integration, LDAP
- Content caching
- Content scanning: antivirus, cookies, active X, java script
- FTP proxy: transparent outgoing, incoming
- Transparent POP3 proxy: antivirus, spam protection and protection of dangerous attachments
- ADDITIONAL SERVICES
- Dynamic DNS
- DHCP server
- Secure DNS resolve
- SSL wrapper for arbitrary services
- Portscan detection
- Antispam filter: rule based, Bayes, RBL, Razor and DCC
- ClamAV virus scanner
- OPTIONAL: Kaspersky virus scanner

LutelWall (formerly known as Lutel Firewall) is high-level linux firewall configuration tool. It uses human-readable and easy to understand configuration to set up Netfilter in most secure way. Its flexibility allows firewall admins build from very simple, single-homed firewalls, to most complex ones - with multiple subnets, DMZs and traffic redirections. It can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone system. Configuration method of this firewall is made to be as simple as possible without loosing Netfilter flexibility and its security facilities.
Main features:
- flexible control over traffic using rule set
- user-defined protocols support
- support for any kind multiple external and internal interaces (and aliases)
- automated MASQUERADE / SNAT support
- easy to set up DNAT (transparent proxy, redirections to LAN/DMZ etc.)
- rate limit extensions
- packet marking for 3rd party shapers
- TOS (Type of Service) traffic optimizer
- both passive and active FTP support
- DHCP support
- can work as "workstation" firewa
- stateful TCP connection tracking with restrictive TCP chain
- blocking all stealth mode scans (FIN, Xmas Tree, Null, Windows scan or ACK scan modes (nmap -sF -sX -sN -sW -sA)
- blocking IP protocol scans (nmap -sO)
- blocking UDP scans (nmap -sU)
- blocking identification via TCP/IP fingerprinting (nmap -O)
- anti-spoof protection, including protection for aliases
- anti-smurf protection
- TCP SYN Flood protection
- UDP / ICMP Flood protection
- IANA reserved addresses checking
- SYSCTL parameters set for increased strength
- logging stealth scans (FIN, Xmas Tree, Null), ACK scan modes (nmap -sF -sX -sN), IP protocol scans (nmap -sO), UDP scans (nmap -sU), nmap fingerprinting attempts.
- autodetect of connection type (static/dynamic, external/internal)
- auto update of firewall tool
- auto update IANA reserved list
- display firewall statistics in iptables native, csv or html format
- easy deployment on all distributions
Enhancements:
- fixed iptables version checking

links2world Firewall is a very simple tool writen in C, that helps you generate iptables rules for Linux 2.4.x and newer kernels. Released under GNU General Public License, it is very easy to configure and designed to run on hosts with one or more network interfaces.
Furthermore, they are able to generate iptables rulesets for one or maximum two network interfaces.
Most of the existing iptables script generators are shell scripts. You have to dig in and to look through entire script in order to customize and configure it for your needs.
On the other hand, links2world Firewall uses a very human readable configuration file that is very easy to understand and write. Still more, it does not matter if you have one, two, three or twenty network interfaces, links2world Firewall is able to generate statefull iptables rulesets able to control the packet flows between all the networks your machine is connected to.
Enhancements:
- minor fixes that solved compilation errors when using older compiles

Script for a dual-homed firewall script is intended to setup a masquerading firewall based on the IPTABLES (Net)filter-machanism of Linux 2.3.15+
Syslogging matches fireparse for graphical output (see http://www.fireparse.com)
Normally this script will work out-of-the-box, but you should adapt it to your own needs (At least you should set the correct default interfaces --> see Default-Interfaces section)
Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF
Example: "firewall start ppp0 eth0"
Enhancements:
- Added a few comments

Very restrictive set of firewall rules script is a sample firewall for ip_tables, the tool for doing firewalling and masquerading under the 2.3.x/2.4.x series of kernels.

Be warned, this is a very restrictive set of firewall rules (and they should be, for proper security). Anything that you do not _specifically_ allow is logged and dropped into /dev/null, so if youre wondering why something isnt working, check /var/log/messages.

This is about as close as you get to a secure firewall. Its nasty, its harsh, and it will make your machine nearly invisible to the rest of the internet world. Have fun.

To run this script you must chmod 700 iptables-script and then execute it. To stop it from running, run iptables -F

Sample:

#Point this to your copy of ip_tables
IPT="/usr/local/bin/iptables"

#Load the module.
modprobe ip_tables

#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall

#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
#$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
#$IPT -P FORWARD ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward

#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP

#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If youre using IP Masquerading, change this IP to whatever your internl
#IP addres is and uncomment it
#$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT

#Accept DNS, cause its warm and friendly
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT

#Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

#Send everything else ot the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

InJoy Firewall is a flexible firewall security solution for businesses of any size. It offers preconfigured policy templates, including full customization options, IPSec VPN integration, gateway capabilities, intuitive management, access control, many documented deployment examples, and comprehensive documentation.

Without question, the Linux Operating System provides a proven and cost-effective platform, as well as a wealth of high-quality open source software. For business use, however, it often proves difficult to find supported linux firewall solutions that provide the required level of confidence, reliability and trust. With the InJoy Firewall™, businesses can benefit from Linux without having to give up the safety of a responsible vendor and a traditional business relationship.

Security as never before — the InJoy Firewall™ for Linux provides customers with next generation intrusion and anomaly detection. These technologies provides network administrators with the ultimate tools to keep track of network activity and eliminate Internet threats of any type.

As a busy and responsible network administrator, you will find great relief in the InJoy Firewall™. As the only Linux firewall, it is designed from the ground up to be self-contained, thus ensuring optimal performance and minimum impact from third-party problems. This means you dont have to worry about dependencies with Linux connectivity software, software libraries or kernel compilation.


Manage your remote Linux-based Firewall Server from your Windows-based desktop (or any other supported Operating Systems), using the intuitive InJoy firewall™ GUI. Linux users that prefer plain-text configuration can opt for that with the InJoy firewall™ as well.

The InJoy firewall™ works the same under all the supported operating systems, meaning you can deploy a complete and unified protection strategy throughout the business and effortlessly set up fully capable VPNs without having to worry about interoperability issues.

The InJoy firewall™ installs in minutes and can be prepared for distributed, company-wide deployment, using the same simple installation scripts everywhere.