Walling your garden
Although Linux- and FreeBSD-based routers generally include a kernel-level stateful firewall, these are not always the best option for straight firewalling. For dedicated firewalling, other open-source projects such as IPCop and SmoothWall can come in extremely handy. IPCop, for instance, mates a well designed and implemented Web UI and a plug-in architecture that offer everything from real-time throughput graphs to automated updates, VPN termination, full logging, DHCP and DNS servers, and complete control over access lists. The footprint of this customized Linux distribution is so small that you can install it on a Compact Flash card, and the hardware requirements to run even a high-throughput firewall are surprisingly modest. As an example, an IPCop firewall booting from a 256MB CF card and running on a Dell GX110 (667Mhz Pentium III with 128MB RAM) has been the main firewall for my lab for nearly five years. In all that time, it’s performed flawlessly – exactly what you would want from a firewall.

SmoothWall, available in both commercial and open-source versions, offers a similar feature set to IPCop. M0n0wall is another open-source firewalling and routing alternative, based on FreeBSD and the stellar Packet Filter (pf) firewall. M0n0wall is designed to be booted from flash on commodity hardware, and boasts a completely PHP-based initial configuration – no command-line required. pfSense, also based on FreeBSD, is focused on non-embedded applications.

Any of these projects are more than capable of performing firewalling duties for a network of any size, assuming they’re running on suitable hardware. The configuration and management might be a little less straightforward than some commercial products (though in some cases, they can actually be simpler and easier), and support is generally found through discussion groups and FAQs rather than a phone call to the vendor. But these days, even most vendors try to push support requests through FAQs and support forums anyway, so it might be considered a tossup.

Finally, one of the more esoteric aspects of open-source routing is that it can be run within a virtual machine. Yep, even your routers can run on a hypervisor. While the only interfaces you can present to a VM router are Ethernet, that’s all you need to virtualize your VPN concentrator or to perform basic firewalling duties within a wholly virtualized infrastructure. At remote sites, if the Internet circuit handoff is Ethernet (as many are), then a virtualized open-source router can handle all the routing duties as well as VPN and firewalling tasks, all while sharing the same hardware that runs local server VMs. Essentially, you have a true office-in-a-box. All you need are the users.

When all is said and done, there’s little argument against using open-source routing and firewalling tools in most any network, as long as your admins are comfortable with the technology. We know that open-source routing and firewalling solutions can meet or exceed the performance and stability of their commercial counterparts; the proof has been in the proverbial pudding for many years now. Maybe it’s time to hand over yet another part of the infrastructure to the open-source rebels. After all, in for a penny, or in for a pound. It's good to have that choice.