We have a long history in using different open source Firewall appliances. Our focus is mainly on IPFire but we also have experience with Opnsense. IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall; a standalone firewall system with a web-based management console for configuration.
- Security: The primary objective of IPFire is security. Its easy to configure firewall engine and Intrusion Detection System prevent any attackers from breaking into your network. In the default configuration, the network is split into various zones with different security policies such as a LAN and DMZ to manage risks inside the network and have custom configuration for the specific needs of each segment of the network. But even the firewall needs to protect itself. IPFire is built from scratch and not based on any other distribution. This allows the developers to harden IPFire better than any other server operating system and build all components specifically for use as a firewall.
- Frequent updates keep IPFire strong against security vulnerabilities and new attack vectors.
- Firewall: IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of Netfilter, the Linux packet filtering framework. It filters packets fast and achieves throughputs of up to multiple tens of Gigabit per second.
- Its intuitive web user interface allows to create groups of hosts and networks which can be used to keep large set of rules short and tidy – something very important in complex environments with strict access control. Logging and graphical reports give great insight.
- Various settings are available to mitigate and block Denial-of-Service attacks by filtering them directly at the firewall and not allowing them to take down your servers.
- Intrusion Detection/Prevention System: IPFire’s Intrusion Detection System (IDS) analyzes network traffic and tries to detect exploits, leaking data and any other suspicious activity. Upon detection, alerts are raised and the attacker is immediately blocked.
- Virtual Private Networks (VPNs) connect remote locations like data centers, branch offices or outsourced infrastructure via an encrypted link. IPFire allows staff to work remotely as if they would be sitting in the office and allowing them to access all resources that they need – fast and securely. IPFire supports industry standards like IPsec and OpenVPN and interoperates with equipment from various vendors like Cisco & Juniper. VPNs are quickly and easily set up with IPFire and employ latest cryptography.
- Add-ons: From a technical point of view, IPFire is a minimalistic, hardened operating system. To provide more functionality, it can be extended by add-ons which are installed with IPFire’s own package management system called Pakfire. Add-ons can be handy command line tools for administrators or can extend the system to provide additional functionality. Those include:
- Turning IPFire into a Wireless Access Point
- Tools for Monitoring and System Health Management
- Backup, File and Print Services
- Running a Tor node
- Proxies and Relays for various protocols
- and many more…
- Making Your Internet Faster: The IPFire Quality of Service (QoS) categorizes network traffic and sends it out prioritized by how important it is to ensure a good service. For example, a Voice-over-IP call will always have priority over a large download to ensure that words will never get lost and call quality is always the best it can be.
- Web proxy: One of the most commonly used features of IPFire is the full-fledged web proxy. It delivers and filters web content and can only allow Internet access for some users. Caching content on the firewalls disk makes websites load faster. External regularly updated blacklists allow banning browsing on various websites when they are for example not suitable for students. Optionally, the IPFire web proxy can transparently scan for viruses and block them straight away.