LPFW alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

Alternatives (by tag)

Alternative: Douane

Douane is an application firewall that interacts with the user to allow or deny new network connections.

Project details

Douane is written in C, C++, GTK+.

Strengths

  • + The source code of this software is available

Typical usage

  • network traffic filtering

Douane project page

Alternative: OpenSnitch

OpenSnitch is a Linux port of the popular macOS Little Snitch application firewall.

OpenSnitch is a tool based on Little Snitch, a macOS application level firewall. All outgoing connections are monitored and the user is alerted when a new outgoing connection occurs. This allows the user to detect and block any unwanted connections.

The OpenSnitch tool relies on NFQUEUE, an extension for iptables. With this extension, software running in userland can intercept IP packets and allow or drop them.

Project details

OpenSnitch is written in Python.

Strengths

  • + More than 2000 GitHub stars
  • + The source code of this software is available

Typical usage

  • network traffic filtering

OpenSnitch project page

Alternative: TuxGuardian

Alternative: 0trace.py

The 0trace.py utility is a rewrite of 0trace (by another author) to perform reconnaissance and bypass network firewalls.

This security tool enables the user to perform hop enumeration (similar to traceroute). Instead of sending separate probe packets, it uses an already established TCP connection.

Alternative: 360-FAAR

Supported firewall configurations

  • Checkpoint FW1
  • Cisco ASA
  • Netscreen ScreenOS

Alternative: Assimilator

Assimilator is a firewall orchestration tool. It allows configuration and automation of firewall rules by proxying requests to different types of firewalls.

Project details

Assimilator is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • network traffic filtering

Assimilator project page

Alternative: Knock

A port knocking implementation that makes network ports stealthy or triggers events based on a port knocking sequence.

Knock implements the principle of port knocking. It uses libpcap to sniff network traffic on interfaces and then checks whether that traffic matches a predefined sequence of steps.

Project details

Knock is written in C.

Strengths

  • + Project is mature (10+ years)

Weaknesses

  • - No updates for a while

Knock project page

Alternative: nftables

nftables is a subsystem of the Linux kernel that filters and classifies network traffic and is intended to replace netfilter.

nftables is intended to replace netfilter as the primary interface for network filtering. It has been available since Linux kernel 3.13. Both netfilter and nftables were co-authored by Patrick McHardy.

Project details

nftables is written in C.

Strengths

  • + The source code of this software is available

Typical usage

  • network traffic filtering

nftables project page