In what cases would it be considered OK to use open-source firewalls to protect/secure/filter a company network?

There seem to be many open source firewall alternatives (pfSense, Smoothwall, m0n0wall) for a small business that will save the company money by lowering the initial cost.


8 Answers


First, your question sounds like "commercial software is better, but how bad is it if I go to open source". Anyway, I don't think that there's any major issue with using an open source firewall as long as:

1/ it matches your needs

2/ you update them on a regular basis

3/ you know what you're doing and how to configure it


It would be considered ok under any circumstances in which you had the expertise necessary to choose a solution that suits your needs and to implement it effectively. This is true of commercial firewall solutions as well. The difference is that if it has a compelling feature (such as Active Directory integration in MS ISA server) you may be inclined to pay for it... or not.

Open source firewalls, like many other applications, get easier to install, configure, and maintain all the time. Smoothwall is a good example, but easy-to-use ones have been around for years -- my first Linux experience was using Coyote Linux as an IPTables (actually IPChains initially) firewall frontend; it booted from a floppy disk, was easy to configure, and ran great on a 66 MHz Pentium.


I use a pair of ipcop boxen to secure a small business (~80 machines) network. They do an excellent job of firewalling, running a DMZ for our mail server (and a couple of other externally accessed machines) and VPN for external workers and site-to-site VPN. Not much Linux expertise is required to set up/maintain them, as all is done through the excellent web interface (which also has all your security logs and traffic graphs etc.).



When I set up my company I opted to buy a small box and download Smoothwall. It worked very well protecting our first webserver for nearly three years (until a hard disk failure required the box to be rebuilt).

We use two commercial firewalls now, partly because the prices are so much lower, the hardware is physically smaller than a 1/2 rack server, uses less power, we know their capacity and the support is available from the supplier.

It basically comes down to a business decision. What's the budget, what features do you need, what's your expertise/skill base?


In all the cases the os firewalls (I suspect you mean a packet filter) do their job: filtering packets.

Side note: os software doesn't mean it can't be commercial (including commercial support).


The question should not be "when is it ok" but "when is it relevant". The main areas distinguishing open source firewalls from "commercial" ones are:
- Support. Do you need to be able to call someone in case of trouble to help you or to fix potential bugs? There is some support offered for open source software, but it is still not widespread, especially for open source firewalls.
- Integration. Are you going to set it up all by yourself? More precisely, do you want to size the hardware yourself or to have to install and configure every underlying service needed before starting to really configure the firewall? Are you even skilled enough to do all this? Some fully integrated open source solutions can help you, but you would still have to buy the hardware and size it according to your needs (it also usually means non-specialized hardware, and getting the most network performance from a PC architecture is not as easy as it may look).
- Budget. Open source software is mostly free (as in beer). It need not be, but it is usually the case. However, what you save in purchase price you may have to put into manpower.
- Performance. Like it or not, if you have big performance requirements, open source firewalls are still far behind proprietary appliances. As a very extreme example, take a look at a Juniper SRX. You're never going to get the same amount of performance with pfSense on a Dell. However if your requirements are smaller (as a very dumb and conservative rule of thumb, under 1Gbps of sustained traffic to be filtered, without tricky stuff like VPN), open source is the way to go.

Hope it helps.


It would depend on your company's approach to open source.

The firewalls in OpenBSD and in Linux are first-class. Support is better, and patches and upgrades are free. OpenBSD, for example, has had only 2 remote holes in their default install. I doubt any commercial OS can better that.

But Cisco also make good firewalls.

(If money was no object, and the decision was up to me, I'd still go with OpenBSD.)

But if your company runs only Windows servers and open source makes your managers nervous, then Cisco makes a good but expensive solution.


If you don't know too much about it, and don't want to spend months getting it right - I'd start with Smoothwall.
