
Remote management is essential if you have to run more than three network devices, and is supported by all commercial firewall products. For example:

Palo Alto Networks:

In addition to control and security capability, our next-generation firewalls are designed for operations. Our simple, straightforward user interface complements the straightforward architecture. Automation and integration into larger systems (e.g., automated provisioning, SDN) is supported by our XML API.

Juniper:

Juniper Networks devices running the Junos® operating system (Junos OS) support comprehensive automation facilities. Almost all aspects of the operation of your network can be managed programmatically or with scripts.


Yet a cursory search of open-source firewalls uncovered little evidence that they can be remotely managed. With one exception, they brag about their GUIs while completely ignoring network operations. For example:

IPFire

Since IPFire 2.15, the firewall capabilities of the IPFire system have been massively improved. A lot of new features have been introduced which require a lot more powerful GUI.

Question: Are there any open source firewalls other than OPNsense that are usable in managed networks?

I've glanced at:

Dave
  • Unfortunately, product (or feature) reviews are off-topic here. This is also not a security question but a networking hardware question. – schroeder Jul 07 '16 at 15:13
  • I administrate my pfsense box by tapping into the network with openVPN. Don't expose the web interface to the public net, even if your firewall would allow it! – Potaito Jul 07 '16 at 16:11

2 Answers

All Linux and BSD-based firewalls are just a management UI over their respective OS kernel's firewall feature. If you want remote access and scripting functions, you can use the standard remote management and scripting tools of the base OS, namely SSH and shell scripts. The firewall products that support web administration can also be remotely accessed by configuring HTTPS with client certificate authentication (or many of the other authentication methods supported by HTTP/TLS).

The Linux and BSD firewalls don't brag about remote administration and shell scripts because most people already expect them as part of the capability of the underlying OS. Proprietary firewalls, on the other hand, do not necessarily support these things because people don't necessarily expect their custom OS to support shell scripting or SSH.

Lie Ryan
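As an added example, not code from the answer above or from any firewall project: a POSIX shell script that does what the answer describes, managing a Linux firewall (nftables) over plain SSH, with the guardrail a practitioner wants when pushing rules to a box they can only reach over the network. The ruleset is parsed remotely with `nft -c` before anything changes, the live rules are snapshotted, and a timer restores them unless a second SSH login succeeds and disarms it, so a bad rule set that blocks the management path undoes itself. The host name, the paths under `/root`, the 120-second window and the management subnet are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): push an nftables ruleset to a
# Linux firewall over SSH without locking yourself out of the management path.
# Assumptions: root SSH access to the firewall, nftables installed there, and a
# management subnet from which you administer it. Host names and paths below
# are placeholders.
set -eu

# Render a minimal inet ruleset: default drop, keep SSH open from the
# management subnet, open the listed public TCP ports.
render_ruleset() {
  mgmt="$1"            # e.g. 10.0.0.0/24
  ports="$2"           # space-separated, e.g. "80 443"
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr $mgmt tcp dport 22 accept comment "management access"
    tcp dport { $(printf '%s' "$ports" | tr ' ' ',') } accept
  }
}
EOF
}

# Guard: refuse any ruleset (read from stdin) that does not keep SSH open from
# the management subnet; a default-drop policy without this rule cuts you off.
has_mgmt_rule() {
  grep -qF "ip saddr $1 tcp dport 22 accept"
}

# Push a ruleset file to the firewall. `nft -c` only parses, so a syntax error
# is caught before anything changes. The live rules are snapshotted and a
# 120 s timer restores them unless a follow-up SSH login confirms the change.
push_ruleset() {
  host="$1"; file="$2"
  scp "$file" "root@$host:/root/nft.new"
  ssh "root@$host" 'nft -c -f /root/nft.new'
  ssh "root@$host" 'nft list ruleset > /root/nft.rollback
    rm -f /root/nft.confirmed
    nft -f /root/nft.new
    nohup sh -c "sleep 120; [ -f /root/nft.confirmed ] || nft -f /root/nft.rollback" >/dev/null 2>&1 &'
  # If this login still works, the new rules did not lock us out: disarm the timer.
  ssh "root@$host" 'touch /root/nft.confirmed'
}

# Usage: ./push_rules.sh fw1.example.net 10.0.0.0/24 "80 443"
if [ $# -eq 3 ]; then
  render_ruleset "$2" "$3" > nft.new
  has_mgmt_rule "$2" < nft.new || { echo "refusing: no management rule" >&2; exit 1; }
  push_ruleset "$1" nft.new
fi
```

The same pattern carries over to pf on the BSD-based firewalls: `pfctl -nf` parses a ruleset without loading it and `pfctl -f` loads it, so only the two `nft` invocations change. The rollback timer is the important part; a syntax-valid ruleset that drops your own SSH session is the failure mode that remote management of a firewall actually has to survive.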

In short, as long as the firewall has a port open to the outside world, you could run a web server and use it to configure the system/network. Technically, even an open SSH port could be used to manage your firewall.

Technically you can add Apache or nginx to any Linux distro, and therefore have the ability to have remote management. You would have to invest a lot of time, money, or both to harden it so hackers couldn't break in, but it is within the realm of feasibility. You make a web GUI that modifies iptables, ipset, etc. Linux supports a wide variety of other companies' protocols, and even has pre-built libraries for them.

So a person/company doing this would simply, hahahaha NOT, have to build a GUI that configures the underlying libraries. SNMP and XML all have ready-to-go libraries.

Webmin has a built-in utility for modifying iptables, although it is a bit primitive.

cybernard
  • @techraf I meant SSH, but an SSL port would be a port using encryption. Today we would use TLS, but people often use the words interchangeably. – cybernard Jul 07 '16 at 11:51
  • And what would be the function of an SSL or TLS port? – techraf Jul 07 '16 at 13:00
  • @techraf The function is to encrypt the connection to prevent both eavesdropping and content modification. SSL is dead, don't use it; instead use TLS v1.2 if possible. Electronic stores and banks use it to ensure private communication between them and their customers. – cybernard Jul 07 '16 at 21:10
  • Ok, so let's not use SSL. Then we have a TLS port. I can see [ports](https://en.wikipedia.org/wiki/Port_(computer_networking)) have assigned numbers. What is the number of "TLS port"? – techraf Jul 07 '16 at 21:45
  • @techraf It is not fixed on any single port or protocol; anyone who writes a program that uses openssl, libssl, etc. can be encrypted. Yes, I know they are named SSL, but they all support TLS. Well, you can implement it over many protocols, but by far the most common is port 443 or https inside your web browser. However, certain mail servers like Postfix have POPS and IMAPS running on different ports. IMAPS uses 993. SMTP on port 25 can issue a STARTTLS command and get encrypted. – cybernard Jul 07 '16 at 21:57
  • actually POPS and IMAPS are handled by dovecot. At least that is what I use. – cybernard Jul 07 '16 at 22:05
  • Now read all what you wrote and imagine you are talking to a layman. Do you think that using hyperboles like a "TLS port" to mean "any port that handles a specific protocol utilising TLS for encryption" helps explaining things, or does it only create more confusion? – techraf Jul 07 '16 at 22:10
  • "TLS port" is a term that you used, not me. Technically, any program that uses TLS when communicating on any port/protocol would have whatever port they used encrypted. – cybernard Jul 07 '16 at 22:25
  • First you wrote "***SSL port*** *would be a port using encryption*". Then in response to my question "What is an SSL port", you announced "*SSL is dead don't use it*". Can you, please, determine clearly what terms I am allowed to use when talking to you? Because I am confused. I should not use "SSL port", because it is dead, I should not use "TLS port", because you had not used it. – techraf Jul 07 '16 at 22:30
  • Just use TLS and/or SSL by itself, because it is not tied to a specific port. SSL is dead because enough weaknesses have been found to make it unsafe for secure communication. – cybernard Jul 07 '16 at 22:32