Firewall alternatives

Commercial firewalls have a disadvantage: you can never be sure whether the vendor has introduced (willingly or unwillingly) a backdoor or an intentional security weakness that gives unknown parties access.

It is generally a good rule of thumb that a vendor that has been caught shipping a backdoor once will ship one a second time, just hidden better the next time.

That is why smaller organizations should evaluate other options, such as pfSense or OPNsense – and another vendor, who also offers commercial versions and support, is

It is only logical that for large organizations a small open source firewall will simply not be enough – or at least not as their main firewall. For small environments, however, the options above are more than sufficient.

Port Knocking – the NSA has been using this for the past 10 years, are you?

The concept of port knocking is simple: the firewall presents all ports as closed, and only after a client has ‘knocked’ on a predefined sequence of ports does it open the protected port for that client. The knocks themselves are nothing more than connection attempts to closed ports; a knock daemon watches for them (by sniffing the interface or reading the firewall log) and, once the full sequence has arrived in the right order from the same source IP, adds a temporary allow rule for that address.

For example, if you want to keep port 22 for remote administration, but want to close it to everyone except a list of authorized people/devices, you could set the firewall up so that when an authorized person sends packets to ports 1888, 25678 and 3456, in that order, their IP address is temporarily whitelisted and can then open a connection to port 22. Keep in mind that anyone who can sniff the traffic between the client and the firewall can capture and replay the knock sequence, so port knocking is an extra layer in front of properly authenticated SSH (keys, not passwords), not a replacement for it.
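To make the mechanism concrete, here is a small knock daemon in Python, written for this page as an added example; it is not code from the original post or from any knock-daemon project. It assumes knockd-like semantics: the sequence 1888, 25678, 3456 from the text, a 5 second window to complete the sequence, a 30 second whitelist, and that the dropped-packet events arrive as iptables-style LOG lines (the log lines below are constructed, with RFC 5737 documentation addresses). Any knock to the wrong port resets a client's progress, which is why a plain numeric-order port scan does not open the door, and the whitelist expires on its own.

```python
"""Minimal port-knocking state machine (added example, knockd-like semantics assumed)."""
import re
from dataclasses import dataclass

KNOCK_SEQUENCE = (1888, 25678, 3456)  # sequence from the text
PROTECTED_PORT = 22                   # the port that gets opened
SEQ_TIMEOUT = 5.0                     # seconds to finish the whole sequence (assumed)
OPEN_DURATION = 30.0                  # seconds the source stays whitelisted (assumed)


@dataclass
class Progress:
    stage: int = 0        # how many knocks of the sequence have been seen in order
    started: float = 0.0  # timestamp of the first knock


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, seq_timeout=SEQ_TIMEOUT,
                 open_duration=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout
        self.open_duration = open_duration
        self.progress = {}  # src_ip -> Progress
        self.allowed = {}   # src_ip -> whitelist expiry timestamp

    def observe(self, src_ip, dst_port, ts):
        """Feed one dropped-packet event. Returns True when the sequence completes."""
        p = self.progress.get(src_ip)
        if p is not None and ts - p.started > self.seq_timeout:
            self.progress.pop(src_ip)  # too slow: the sequence starts over
            p = None
        expected = self.sequence[p.stage if p else 0]
        if dst_port != expected:
            # Wrong port at any point resets the sequence, so a scanner that hits the
            # knock ports in numeric order never satisfies an out-of-order sequence.
            self.progress.pop(src_ip, None)
            return False
        if p is None:
            p = Progress(stage=0, started=ts)
            self.progress[src_ip] = p
        p.stage += 1
        if p.stage == len(self.sequence):
            self.progress.pop(src_ip)
            self.allowed[src_ip] = ts + self.open_duration
            return True
        return False

    def is_allowed(self, src_ip, dst_port, ts):
        """Would the firewall accept a new connection from src_ip to dst_port at ts?"""
        if dst_port != PROTECTED_PORT:
            return False  # every other port stays closed no matter what
        expiry = self.allowed.get(src_ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self.allowed[src_ip]  # whitelist entry has expired
            return False
        return True


# Assumed log format: "<epoch seconds> kernel: DROP ... SRC=<ip> ... DPT=<port>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def parse_log_line(line):
    """Return (timestamp, source IP, destination port) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), int(m.group("dpt"))


# Constructed sample: one client knocks in the right order, a scanner in numeric order.
SAMPLE_LOG = """\
100.0 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51111 DPT=1888
100.4 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51112 DPT=25678
100.9 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51113 DPT=3456
101.0 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=1888
101.1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3456
101.2 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=25678
"""


def replay(log_text, daemon=None):
    """Run the daemon over log lines; return it and the IPs that completed the knock."""
    daemon = daemon or KnockDaemon()
    opened = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        if daemon.observe(src, dpt, ts):
            opened.append(src)
    return daemon, opened


if __name__ == "__main__":
    daemon, opened = replay(SAMPLE_LOG)
    print("whitelisted:", opened)
    print("203.0.113.7 -> 22 at 101.0:", daemon.is_allowed("203.0.113.7", 22, 101.0))
    print("198.51.100.9 -> 22 at 101.3:", daemon.is_allowed("198.51.100.9", 22, 101.3))
```

In a real deployment the `observe` call would be driven by a packet sniffer or a log tail and the whitelist would be realised as a firewall rule with a matching timeout (knockd, for instance, runs a command such as an iptables insert and a delayed delete); the state machine itself is the part worth getting right, since the timeout and the reset-on-wrong-port rule are what separate a knock sequence from an ordinary port scan.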

NSA has been known to use port knocking for all remote access connections for many years – even for access to their internal systems, not just remote administration and / or VPN.

A good tutorial on setting up port knocking on open source operating systems can be found at DigitalOcean:

Ask your firewall appliance vendor whether they support port knocking. If not, you can always place an open source firewall in front of your appliance just for that purpose.