Nethserver Firewall vs PFSense

I’m a big fan of PFSense because of the ease of use and flexibility. I use it a lot but I would like to hear if UTM Nethsecurity is up to the challenge to be used in a SME setup?

Anyone who can tell me if the community Basic firewall is what is used in the UTM SME version?

Hi @malvank

If I’m not wrong NethServer firewall is based on Shorewall.

1 Like

if i’m not wrong NethServer IPS is based on Snort like pfSense :wink:

I did’nt hang on the CLI version of snort into Neth as suggest the expert mode
but to compare with pfsense the webui still pretty basic.

exemple if you want to block a country, you need to enter one by one all these CIDR
again i’m pretty new with Neth and I’ll take a look soon into the CLI side.

for further reference :

  • pfsense is a dedicate firewall distribution
  • nethserver is a versatile server distribution with some firewall functions

One of NethServer cornerstones is the simple web interface. We try to stick to this guideline when working on an interface.
Expert mode is made for the expert: if you know snort, you’d prefer to use the cli. But we’d like to have a contrib for an advanced snort setup. We could also add some options to the panel, as always, if there’s demand. I’d like to move to suricata.

We could probably offer all features of pfsense, but we’ll have different interfaces, to hide complexity.
We use shorewall under the hood, we try to support its features.
The UTM strategy also uses squid, squidguard, squidclamav, clamav, p3scan, postfix, amavisd and spamassassin.

For snort and/or suricata, to keep it simple as the KISS principle
it might be interesting to add “categories” and “update rules”

Rules are updated daily. I looked for an interface to select categories, but found nothing.

@JOduMonT i’m refering to the UTM Nethsercurity version sorry for not being clear anough. I’m trying to figure out what features and functions differs from the community version and compared to a full blown firewall like PFsense.

This is very much appreciated

Is this command line or also a section in the Dashboard?

Whats i like with PFsense is how easy it is to reuse information and create rules when logging or define exclusions etc. Shorewall is as much as I have tested very limited and manual where everything has to defined manually.

Compared to the community version is UTM Nethsecurity version the same when it comes to Shorewall configuration?

I’ll give you a thumb up to that because snort is a product of CISCO now. Wold love to see a comparison between snort and Suricata.

1 Like

Yeah, they are the same; moreover they come from the same RPMs, too. As usual, in NethSecurity there are additional paid services. Please, refer to the community or enterprise comparison table.

Ok, I just needed to check if the module for firewall options were different or the same as the community.

Hi folks,

I’m also a big fan of pfSense, joining your community :grin:

I don’t really know Nethserver yet except features and quick look at interface (though demo link).
From my perspective, there is no real competition between pfSense and Nethserver as they do not target same scope.

pfSense intend to act as firewall even if some packages help to extend this scope with HTTP proxy, anti-virus, and stuff like this. One can’t look at this as UTM or all-in-one server. Account management is very basic and doesn’t aim at describing company users.

In term of infrastructure design, if your need is to deploy FW handling DMZ, VLAN, VPN accesses etc… this is most of the time because these networks host more than clients but also servers and services. With such infrastructure already in place, would UTM fit?

I might be wrong but the way I currently perceive Nethserver is to act as the unique piece of infrastructure on your network, bringing almost all services in one single box. For sure it has to embed firewalling features but also additional services.
To me, the real question, not related to pfSense or Nethserver, is to decide where and where UTM fits or not. Where is the limit of such design? What are pros & cons that would lead to “all-in-one” deployment?

I already have my own opinion, not based on Nethserver yet (later for sure) but on Zentyal which is quite similar to Nethserver, and definitely I would not compare one-to-one pure FW with all-in-one.

To be honest, I’m not a big fan of packages installed on pfSense. It makes sense some times but most of the time, if you feel you should deploy lot of packages on this firewall, then you’re ready for the all-in-one design :slight_smile:


It was the discussion pushed by michael tremer (lead developer of ip fire) sometime ago. Some developers added several ‘cool’ features which are not related to the goal of a firewall (I speak about samba, mail, web…).

Do one thing, but do it well…something that the systemd developers have lost.

I see your reasoning that an UTM/Firewall/Gateway ultimately should be on a dedicated device.
But I think NethServer is flexible enough to deploy for instance the Firewall section on a dedicated device and ‘the rest’ on other hardware.
The reason this all often resides on one box is a decision to be cost effective. A lot of small(er) companies don’t have the money (maybe even the need in a sense of resources) to have multiple devices. And these small(er) companies tend to be the audience NethServer is targeting.

Maybe it would be a good idea to have a few scenario’s and how to implement NethServer. For example:

  • Home/SoHo scenario 1 - 10 users
  • Small company 5 - 25 users max
  • Medium company 25 - 100 users
  • Medium Enterprise 100 - 1000 users

The Home/SoHo is typically installed on a single small server.
The Small company could have a single server with multiple VM’s with at least Firewall/UTM/Gateway acting as a separate VM.
Medium company with 2 or more dedicated devices.
Medium Enterprise with 2 or more dedicated devices per service, having HA capabilities or failover etc…

This all is not based on any figures. It would be great if test environments could be created so we do get figures for a reasonable requirements matrix with numbers of loads etc…


We have improved this scenario with NethServer 7 and the centralized account management (so-called “multi-site”) and you can have different installations (firewall, mailserver, etc…) on different hardware with the same account management.

1 Like

Hi Rob :slight_smile:

Indeed that’s the point! I definitely don’t know enough of Nethserver yet to comment on this, I mean at features level or capability to split features on multiple servers if design deserves it. No doubt it works however :smile:

You’re point about scenario’s is exactly what I feel to be the correct approach: infrastructure and solution complexity (which is associated with completion of features, redundancy or whatever one may need) have to be aligned.
Solution for home/soho may target true all-in-one UTM. Administration easiness, hardware cost, performance requirements etc… are different from what SMB may need and even more with medium to large companies.

If this can be achieved using same platform “template” (i.e. NethServer), then this is perfect because it allows smooth upgrade path from all-in-one UTM to more complex but also more powerful/secure/redundant (you name it) design relying on same solution. Wow :astonished:

I need to play with this new toy before commenting further :mask:

One pint I’d like to add: IT skills are quite often (not always, I know) linked with company size. Which means that interface needs to “scale”. By default hidden complexity for Soho/SMB and capability to expose large (whole ?) set of parameters for advanced admins or larger deployment. If I understand well, NethServer can do this too…

1 Like

As a small business (1-5 users) running Nethserver on our Lan, I am actually in the process of setting up a dedicated perimeter firewall to protect my network. LAN and a DMZ with dedicated web server and separate database server. The choice so far for the perimeter firewall has come down to IP-fire and pfSense, no decision as yet, so the comments made by Robb to me make a lot of sense.

The most valuable asset any business large or small is the data, and this should be the number one priority where security is concerned. Almost every day now some large companies are being hacked and their data being sold or held to ransom. So firewalls and the protection of that data now becomes a priority. As good or as basic as the Nethserver firewall is I am still going to install a perimeter firewall as my first defence. So I don’t find the argument of being cost effective to have everything in one box a good one. Protection of Data is paramount, so by having the firewall on a separate machine makes a lot of sense (to me at least). Just my thoughts…

Sure the side effect of all-in-one UTM is that is this box is compromised, then potentially everything you host on it is compromised. I do share.
Once you understand this, depending on what you host and value you put on it, decision is your to go for UTM or to split services because you do understand that the extra cost (and when I say extra cost, I don’t mean hardware or licence, I rather mean extra complexity thus need to have this managed by someone skilled enough) is worth your assets value.

I’m not a big fan of all-in-one neither even at home with few users (but lot of data). It looks like soho but it’s more like datacenter :sweat_smile:
However, if I had to deploy something in SoHo with no real local IT skill, then easiness of all-in-one brings some obvious value compared to potential complexity of dedicated firewall.
There is nothing worst that thinking your safe because behind your firewall just because you don’t know this wall is not protecting you due to poor configuration.

That’s where the balance is, IMHO.

(of course, you may think about providing remote admin service but this is another story isn’t it?)

A scenario I implemented on a primary school is having 1 server and installed Ubuntu + Qemu-KVM. Then I created 2 VM’s: 1 for pfSense.
I used VT-d to assign eth0 dedicated to pfSense. eth1 is assigned to LAN.
This way the host OS is only accessible from the LAN side. If you need to do admin tasks, there is a VPN option on pfSense.
The 2nd VM is running Karoshi server (this is a school and they already used Moodle, Xerte etc, so Karoshi server was a logical choice here)
The 2nd VM is doing all the other tasks like DNS, DHCP, File & Printer sharing, hosting webapplications etc…
This way, you still have only 1 physical device, but also split your UTM/Firewall from your other device.

I can imagine that something similar can be done using NethServer.

@Christian: looks like we are taking off where we stopped 3 years ago… :slight_smile: good to have you here!


As we said, you can use NethServer as an all-in-one UTM but also just like a firewall (pfsense) without extra modules, installing another instance in your LAN with service like AD, nextcloud, etc…
From this point of view, I see NethServer more powerful not less.

Why? Did you try NethServer too? Just installing firewall module.

[quote=“alefattorini, post:19, topic:917, full:true”]
As we said, you can use NethServer as an all-in-one UTM but also just like a firewall (pfsense) without extra modules, installing another instance in your LAN with service like AD, nextcloud, etc…
From this point of view, I see NethServer more powerful not less. [/quote]

Sure. I see your point. It makes sense but then it’s a matter of comparison, apple to apple, between pfSense as a firewall and Nethserver as a firewall. And I’ve not idea about this for the time being. I’ll be able to compare once I will reinstall my NS7 platform, still locked for the time being.

1 Like