Comparison of firewalls

This article is about comparisons of notable firewalls. For the primary article on firewalls, see Firewall (computing).

This is a comparison of firewalls.

Software firewalls

Firewall License Cost and usage limits OS
Avast Internet Security Proprietary Paid Windows
Comodo Internet Security Proprietary Trialware[a] Windows
G Data Internet Security Proprietary Paid[1] Windows
Intego VirusBarrier Proprietary Paid macOS on an Xserve
IPFilter GPLv2 Free UNIX-like
ipfirewall BSD Free *BSD
Kaspersky Internet Security Proprietary Trialware Windows
Lavasoft Personal Firewall Proprietary Paid Windows
Microsoft Forefront Threat
Management Gateway 		Proprietary Discontinued Windows
Netfilter GPL Free Linux
NetLimiter Proprietary Paid Windows
nftables GPL Free Linux
Norton 360 Proprietary Paid Windows
NPF BSD Free NetBSD
PF BSD Free *BSD
Online Armor Personal Firewall Proprietary Discontinued Windows
Outpost Firewall Pro Proprietary Discontinued Windows
PC Tools Firewall Plus Proprietary Discontinued Windows
PeerBlock GPL Free Windows
Shorewall GPL Free Linux
Sygate Personal Firewall Proprietary Discontinued Windows
Windows Firewall Proprietary Included with Windows
XP SP2 and later 		Windows
ZoneAlarm Proprietary Freemium Windows
Notes
  1. ^ It was freemium until 2019

Appliance firewalls

Firewall License Cost OS
Clavister Proprietary Included on all Clavister
NGFWs 		Proprietary operating system cOS Core
Check Point Proprietary Included on Check Point
security gateways 		Proprietary operating system Check Point IPSO
and Gaia (Linux-based)
FortiGate Proprietary Included on all Fortigate
devices 		Proprietary, FortiOS,

Based on the Linux kernel

Palo Alto Networks Proprietary Included on Palo Alto
Networks firewalls 		Proprietary, PAN-OS,

Based on the Linux kernel

Sophos Proprietary Included on Sophos UTM Linux-based appliance
Cisco Firepower Proprietary Included on newer CISCO
ASA devices which support
the Firepower services
module or Firepower
Threat Defense 		Proprietary operating system.

Based on the Linux kernel.

Cisco PIX Proprietary Included on all CISCO
PIX devices 		Proprietary operating system
Juniper SSG Proprietary Included on Netscreen
security gateways 		Proprietary operating system ScreenOS
Juniper SRX Proprietary Included on SRX
security gateways 		Proprietary operating system Junos
SonicWall Proprietary Included on Dell appliance Proprietary operating system SonicOS

Based on the Linux kernel

Barracuda Firewall Proprietary Included Firewall Next Generation appliance Windows-based appliance
embedded firewall distribution
Cyberoam Proprietary Included Firewall Sophos appliance Windows-based appliance
embedded firewall distribution
D-Link Proprietary Included Firewall DFL Windows-based appliance
embedded firewall distribution
Endian Firewall Proprietary Free / Paid Linux-based appliance
Forcepoint NGFW Proprietary Included on all Forcepoint NGFW devices Proprietary operating system
OPNsense Simplified BSD / FreeBSD License Free / Paid FreeBSD-based appliance
firewall distribution
pfSense Apache 2.0 / Proprietary (Plus) Free / Paid FreeBSD-based appliance
firewall distribution
Zeroshell GPL Free / Paid Linux/NanoBSD-based appliance
firewall distribution
SmoothWall GPL Free / Paid Linux-based appliance
embedded firewall distribution
IPFire GPL Free (Donations welcomed) Linux-based appliance
embedded firewall distribution
WatchGuard Proprietary Included on all Firebox devices Proprietary, Fireware OS,

Based on the Linux kernel

WinGate Proprietary Free / Paid Windows-based appliance
embedded firewall distribution

Appliance-UTM filtering features comparison

Can Target: Changing default policy to accept/reject (by issuing a single rule) IP destination address(es) IP source address(es) TCP/UDP destination port(s) TCP/UDP source port(s) Ethernet MAC destination address Ethernet MAC source address Inbound firewall (ingress) Outbound firewall (egress)
Trend Micro Internet Security Yes Yes Yes Yes Yes No No Yes Yes
Vyatta Yes Yes Yes Yes Yes Yes No No Yes
Windows XP Firewall No No Yes Partial[a] No No No Yes No
Windows Vista Firewall Yes Yes Yes Yes Yes No No Yes Yes
Windows 7 /
Windows 2008 R2
Firewall 		Yes Yes Yes Yes No No Yes Yes Yes
WinGate Yes Yes Yes Yes Yes No No No Yes
Zeroshell Yes Yes Yes Yes Yes Yes Yes Yes Yes
Zorp Yes Yes Yes Yes Yes Yes No No No
pfSense Yes Yes Yes Yes Yes No No Yes Yes
IPFire Yes Yes Yes Yes Yes Yes Yes Yes Yes
Notes
  1. ^ can target only single destination TCP/UDP port per rule, not port ranges.

Advanced features comparison

Can: work at OSI Layer 4 (stateful firewall) work at OSI Layer 7 (application inspection) Change TTL? (Transparent to traceroute) Configure REJECT-with answer DMZ (de-militarized zone) Filter according to time of day (quota) Redirect TCP/UDP ports (port forwarding) Redirect IP addresses (forwarding) Filter according to User Authorization Traffic rate-limit / QoS Tarpit Log
Sidewinder Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
WinGate Yes Yes Yes No Yes Yes Yes No Yes Yes No Yes
Zeroshell Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
OPNsense Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
pfSense Yes Yes No Yes Yes Yes Yes Yes Yes Yes No Yes
IPFire Yes Yes ? No Yes Yes Yes Yes ? Yes No Yes
Features: Configuration: GUI, text or both modes? Remote Access: Web (HTTP), Telnet, SSH, RDP, Serial COM RS232, ... Change rules without requiring restart? Ability to centrally manage all firewalls together
WinGate GUI Proprietary user interface Yes
ClearOS both RS232, SSH, WebConfig, Yes Yes with ClearDNS
Zeroshell GUI SSH, Web (HTTPS), RS232 Yes No
OPNsense both SSH, Web (HTTP/HTTPS), RS232 Yes No
pfSense both SSH, Web (HTTP/HTTPS), RS232 Yes No
IPFire both SSH, Web (HTTPS), RS232 Yes No

Miscellany comparison

Features: Modularity: supports third-party modules to extend functionality? IPS : Intrusion prevention system Open-Source License? supports IPv6? Class: Home / Professional Operating Systems on which it runs?
Vyatta Yes Yes Yes Yes Professional Vyatta OS (built on Debian)
WinGate Yes[a] ? No No Professional Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008. 32bit and 64bit.
OPNsense Yes Yes, with Snort and Suricata (modules) Yes Yes Both FreeBSD/NanoBSD-based appliance
pfSense Yes Yes, with Snort and Suricata (modules) Yes Yes Both FreeBSD/NanoBSD-based appliance
IPFire Yes Yes, with Suricata Yes Yes (manual setup needed) Both Linux (based on Linux From Scratch)
Notes
  1. ^ WinGate 6.x supports 3rd party modules for data scanning only (e.g. antivirus and content filtering).

Non-Firewall features comparison

These are not strictly firewall features, but are sometimes bundled with firewall software or appliance. Features are also marked "yes" if an external module can be installed that meets the criteria.

Can: NAT[a] NAT64, NPTv6 Intrusion Detection System (IDS)[b] Virtual Private Network (VPN)[c] Antivirus (AV) Packet capture Profile selection[d]
Vyatta Yes (three NAT types) ? Yes (integrated Snort) Yes (IPsec and OpenVPN) Yes (with clamav, Sophos Antivirus (optional)) Yes (with wireshark or tcpdump) ?
WinGate Yes ? Yes (with NetPatrol) Yes (proprietary) Yes (Kaspersky Labs) Yes (filtered capturing to pcap format) No
OPNsense Yes Yes (NPt) Yes (integrated Suricata) Yes (WireGuard, OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) Yes (with squid and clamav) Yes (tcpdump) No
pfSense Yes Yes (NPt) Yes (with Snort) Yes (WireGuard, OpenVPN, IPsec, L2TP, IKEv2, Tinc, PPTP) Yes (with squid and clamav) Yes (tcpdump) No
IPFire Yes ? Yes (with Suricata) Yes (OpenVPN, IPsec, IKEv2) Yes (with squid and clamav) Yes (tcpdump) No
Notes
  1. ^ static, dynamic w/o ports, PAT
  2. ^ monitors for malicious activity or policy violations
  3. ^ types include: PPTP, L2TP, MPLS, IPsec, SSL
  4. ^ store sets of firewall settings to switch between

See also

References

  1. ^ AG, G. DATA CyberDefense (2022-12-23). "Internet Security – strong online protection for all of your devices". gdata-software.com. Retrieved 2023-07-10.