Can I really use a Linux server in place of a commercial firewall?
Now that is a tough question. After all, I do not want to get too personal! OK, I know, that is not what you meant! Let's try again ...
Claims made on the home page of the NetFilter project state the following:
"The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem.It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling.
"If you are running a recent Linux system (Kernel 2.4.x or above) on a router, you can use netfilter/iptables for all kinds of firewalling, NAT or other advanced packet processing.
"The major part of netfilter/iptables (doing all the hard work) is included in the standard Linux Kernel. In order to do your runtime configuration of the firewalling subsystem, you will need the iptables userspace command, which can be downloaded from here. Note that in most cases, the vendor of your Linux distribution (Debian, RedHat, SuSE, Conectiva, Mandrake, etc.) will provide you with a pre-built version of this tool.
"What can I do with netfilter/iptables ?
"You can build internet firewalls based on stateless and stateful packet filtering use NAT and masquerading for sharing internet access where you don't have enough addresses use NAT for implementing transparent proxies aid the tc+iproute2 system used to build sophisticated QoS routers do further packet manipulation (mangling) like altering the TOS field of the IP header."
So, the short answer is YES! There is a BUT though: You need to know what you are doing, and you need to put in the effort needed to monitor your firewall and to keep it up to date. If that is not for you, then the purchase of a commercially-supported firewall solution might well be a better proposition for your site.
This was first published in February 2003