DFWFW alternatives

Looking for an alternative tool to replace DFWFW? During the review of DFWFW we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. Assimilator (firewall orchestration tool)
  2. FireHOL (firewall config creator and manager)
  3. Anchore Engine (container analysis and inspection)

These tools are ranked as the best alternatives to DFWFW.

Alternatives (by score)

60

Assimilator

Introduction

A tool like Assimilator can be of great help to 'normalize' all firewall rules into one place. Especially when a company uses different firewalls, each with their own syntax and specifics. Assimilator will then simplify the way firewall rules are created and managed.

Project details

Assimilator is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

    Typical usage

    • Network traffic filtering

    Assimilator review

    74

    FireHOL

    Introduction

    FireHOL is promoted as an iptables stateful packet filtering firewall for humans. It also comes with FireQOS, which a bandwidth shaper based on tc.

    Project details

    FireHOL is written in shell script.

    Strengths and weaknesses

    • + More than 500 GitHub stars
    • + The source code of this software is available

      Typical usage

      • Firewall management
      • Network traffic filtering

      FireHOL review

      64

      Anchore Engine

      Introduction

      Anchore is a tool to help with discovering, analyzing and certifying container images. These images can be stored both on-premises or in the cloud. The tooling is mainly focused on developer so that perform analysis on their container images. Typical actions include running queries, creating reports, or set up policies for a continuous integration and deployment pipeline.

      Project details

      Anchore Engine is written in Python.

      Strengths and weaknesses

      • + More than 10 contributors
      • + Commercial support available
      • + More than 1000 GitHub stars
      • + The source code of this software is available

        Typical usage

        • System hardening

        Anchore Engine review

        60

        Dagda

        Introduction

        The main reasons to use Dagda is the detection of vulnerable or malicious components within your containerized environment.

        Project details

        Dagda is written in Python.

        Strengths and weaknesses

        • + The source code of this software is available

          Typical usage

          • Malware detection
          • Malware scanning
          • Vulnerability management
          • Vulnerability scanning

          Dagda review

          60

          Docker Bench (by Aqua)

          Introduction

          Docker Bench is one of the tools that can be used to perform a security analysis on Docker and its configuration. It can find common configuration flaws that may impose risks to other containers or the host itself.

          Project details

          Docker Bench (by Aqua) is written in Golang.

          Strengths and weaknesses

          • + The source code of this software is available
          • - No releases on GitHub available

          Typical usage

          • Configuration audit

          Docker Bench (by Aqua) review

          68

          Docker Bench for Security

          Introduction

          Docker Bench for Security is a small security scanner to perform several tests that are part of the Docker CIS benchmark.

          Project details

          Docker Bench for Security is written in shell script.

          Strengths and weaknesses

          • + More than 25 contributors
          • + Screen output is colored
          • + More than 3000 GitHub stars
          • + The source code of this software is available

            Typical usage

            • Application security
            • Configuration audit
            • Security assessment

            Docker Bench for Security review

            64

            Dockerscan

            Introduction

            Dockerscan is a Docker toolkit for security analysis which includes attacking tools. It is more focused on side of the offensive than defensive.

            Project details

            Dockerscan is written in Python.

            Strengths and weaknesses

            • + More than 500 GitHub stars
            • + The source code of this software is available

              Typical usage

              • Information gathering
              • Security assessment
              • Vulnerability scanning

              Dockerscan review

              100

              Lynis

              Introduction

              Lynis is an open-source security auditing tool that is available since 2007 and created by Michael Boelen. Its primary goal is to evaluate the security defenses of systems running Linux or other flavors of Unix. It provides suggestions to install, configure, or correct any security measures.

              Project details

              Lynis is written in shell script.

              Strengths and weaknesses

              • + The source code is easy to read and understand
              • + More than 100 contributors
              • + More than 8000 GitHub stars
              • + Tool is easy to use
              • + Available as package (simplified installation)
              • + Commercial support available
              • + Used language is shell script
              • + Very low number of dependencies
              • + Project is mature (10+ years)
              • + The source code of this software is available

                Typical usage

                • IT audit
                • Penetration testing
                • Security assessment
                • System hardening
                • Vulnerability scanning

                Lynis review

                60

                bane

                Introduction

                Bane is a tool to create AppArmor profiles. This helps to secure applications by setting restrictions on resources they access or modify. A strict policy may help to prevent privilege escalation attacks.

                Project details

                bane is written in Golang.

                Strengths and weaknesses

                • + More than 500 GitHub stars
                • + The source code of this software is available

                  Typical usage

                  • Application security
                  • Security monitoring
                  • System hardening

                  bane review

                  70

                  subuser

                  Introduction

                  A tool like subuser can useful to test software from untrusted sources.

                  Project details

                  subuser is written in Python.

                  Strengths and weaknesses

                  • + More than 10 contributors
                  • + More than 500 GitHub stars
                  • + The source code of this software is available

                    Typical usage

                    • Software testing

                    subuser review

                    56

                    0trace.py

                    Introduction

                    This security tool enables the user to perform hop enumeration (similar to traceroute). Instead of sending actual packets, it uses an established TCP connection.

                    Project details

                    0trace.py is written in Python.

                    Strengths and weaknesses

                    • + Project is mature (10+ years)
                    • - Unknown project license

                    Typical usage

                    • Bypassing firewall rules
                    • Bypassing security measures
                    • Reconnaissance

                    0trace.py review

                    63

                    360-FAAR

                    Introduction

                    360-FAAR is a tool written in Perl to parse policies and logs from firewalls. It can compare firewall policies and translate between a policy and log data. Supported firewalls include Checkpoint FW1, Cisco ASA, and Netscreen ScreenOS.

                    Project details

                    360-FAAR is written in Perl.

                    Strengths and weaknesses

                    • + Project is mature (5+ years)
                    • + The source code of this software is available

                      Typical usage

                      • Firewall auditing
                      • Log analysis
                      • Security assessment
                      • Security reviews

                      360-FAAR review

                      60

                      Chiron

                      Introduction

                      Chiron is a security assessment framework for IPv6. It provides several modules including an IPv6 scanner, IPv6 Local Link, IPv4-to-IPv6 proxy, IPv6 attack module, and IPv6 proxy. These modules help to perform an assessment, like a penetration test.

                      The tool uses IPv6 extension headers to create a headers chain. This may allow evading security devices like IDS, IPS, and firewalls. Due to the flexibility of the framework, the tool can also be used to perform fuzzing of the IPv6 stack of a device.

                      Project details

                      Chiron is written in Python.

                      Strengths and weaknesses

                      • + The source code of this software is available
                      • - No releases on GitHub available

                      Typical usage

                      • Network analysis
                      • Network scanning
                      • Network security monitoring

                      Chiron review

                      81

                      Douane

                      Introduction

                      Douane is an application firewall that blocks unknown or unwanted traffic. It provides a more fine-grained filtering as it looks at the combination of application and used network ports. This is useful when allowing common browse traffic on port 80 and 443. Instead of all applications being able to use this port, only the ones that are granted access will be able to do so. When a new connection is not trusted yet, Douane will ask to allow or deny the traffic stream.

                      Project details

                      Douane is written in C, C++, GTK+.

                      Strengths and weaknesses

                      • + The source code of this software is available

                        Typical usage

                        • Network traffic filtering

                        Douane review

                        56

                        FireAway

                        Introduction

                        FireAway is a security tool to test the security of a firewall by trying to bypass its rules. It will use different methods to hide data or avoid detection by the firewall itself. This tool can be used for both defensive as offensive security.

                        Project details

                        FireAway is written in Python.

                        Strengths and weaknesses

                        • + The source code of this software is available
                        • - No releases on GitHub available
                        • - Unknown project license

                        Typical usage

                        • Bypassing firewall rules
                        • Firewall auditing
                        • Network traffic filtering
                        • Penetration testing

                        FireAway review

                        63

                        Knock

                        Introduction

                        Knock implements the principle of port knocking. It does so by using libpcap to sniff network traffic on interfaces and then use that to see if it matches a predefined sequence of steps.

                        Project details

                        Knock is written in C.

                        Strengths and weaknesses

                        • + Project is mature (10+ years)
                        • - No updates for a while

                        Knock review

                        56

                        LPFW (LeoPard FloWer)

                        Introduction

                        LPFW is the abbreviation for LeoPard FloWer and is an application firewall for Linux.

                        Project details

                        LPFW is written in C++, Python.

                        Strengths and weaknesses

                        • + The source code of this software is available
                        • - Unknown project license

                        Typical usage

                        • Network traffic filtering

                        LPFW review

                        96

                        OpenSnitch

                        Introduction

                        OpenSnitch is a tool based on Little Snitch, a macOS application level firewall. All outgoing connections are monitored and the user is alerted when a new outgoing connection occurs. This allows the user to detect and block any unwanted connections.

                        Project details

                        OpenSnitch is written in Golang.

                        Strengths and weaknesses

                        • + More than 3000 GitHub stars
                        • + The source code of this software is available
                        • - No releases on GitHub available

                        Typical usage

                        • Network traffic filtering

                        OpenSnitch review

                        67

                        iptables

                        Introduction

                        The iptables tool is the userspace command line program part of the netfilter project. Since Linux 2.4 it is the standard packet filtering engine. Among standard traffic filtering, it can be used for Network Address Translation (NAT).

                        Project details

                        iptables is written in C.

                        Strengths and weaknesses

                        • + The source code of this software is available
                        • + Well-known tool

                          Typical usage

                          • Network traffic filtering

                          iptables review

                          67

                          nftables

                          Introduction

                          nftables is supposed to replace netfilter as the primary interface of network filtering. It is available since Linux kernel 3.13. Both netfilter and nftables have been co-authored by Patrick McHardy.

                          Project details

                          nftables is written in C.

                          Strengths and weaknesses

                          • + The source code of this software is available

                            Typical usage

                            • Network traffic filtering

                            nftables review

                            60

                            opensvp

                            Introduction

                            Tools like opensvp can be used to test the strength of a configuration from the outside. It makes it a good tool for penetration testing and security assessments. While people may feel safe to have a firewall in place, it might be unknowingly vulnerable to several attacks on protocol level. This tool helps with finding these weaknesses.

                            Project details

                            opensvp is written in Python.

                            Strengths and weaknesses

                            • + The source code of this software is available

                              Typical usage

                              • Application testing
                              • Defense testing
                              • Penetration testing
                              • Security assessment

                              opensvp review

                              Some relevant tool missing as an alternative to DFWFW? Please contact us with your suggestion.