Free Firewalls

By free, I mean Linux-based firewalls. You should also check out OpenBSD, a distribution based in Canada and chock full of cryptography and other security enhancements. It also has a stateful firewall, as opposed to Linux's (pre-2.4) stateless one.

I stick with Linux since I use it on all my other boxes, and I've not (yet) run into a situation that it could not handle. As well, the 2.4 kernel has stolen the BSD-style firewalling, so feature-wise they are equivalent.

What is masquerading

Masquerading is a form of Network Address Translation (NAT). Every outgoing packet has its source address and port changed to an address and port on the firewall. This mapping is stored by the kernel and is used to un-masquerade any response packet. These kernel entries time out with disuse.

Some protocols (like FTP) make things more complicated by using other ports for return traffic. To be properly masqueraded, the masquerade code must know about this and be able to deal with it. There are modules written for ftp, irc, and a number of other protocols.

Masquerading is not security

Masquerading does not, in itself, provide much security. At best it is a form of information hiding. If someone can get a packet to your host, destined for an internal address, your host will forward it.

You need to, at minimum, block all traffic arriving from outside that is destined for your internal net, and drop all source-routed packets.
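As an added example (not code from this page), here is a small Python model of the masquerade table just described: outbound packets are rewritten to the firewall's address and a fresh port, replies are mapped back by that port, entries expire with disuse, and, following the two minimum rules above, packets arriving from outside that are addressed directly to the internal net or that carry source routing are dropped. The addresses, ports and timeout are constructed sample values.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal net (constructed)
FIREWALL_IP = "203.0.113.10"                           # assumed external address (constructed)
MASQ_TIMEOUT = 60                                       # seconds of disuse before an entry dies


class Masquerader:
    """Toy model of the kernel masquerade table: one entry per outbound flow."""

    def __init__(self):
        self.fwd = {}        # (int_ip, int_port, dst_ip, dst_port) -> masq port
        self.rev = {}        # masq port -> (int_ip, int_port, dst_ip, dst_port, last_used)
        self.next_port = 61000

    def from_inside(self, pkt, now):
        """Rewrite the source address/port of an outgoing packet to the firewall's."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.fwd.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.fwd[key] = port
        self.rev[port] = key + (now,)      # create or refresh the entry
        return dict(pkt, src=FIREWALL_IP, sport=port)

    def from_outside(self, pkt, now):
        """Return the un-masqueraded packet, or None if it must be dropped."""
        if pkt.get("source_routed"):
            return None                    # never honour source routing
        if ipaddress.ip_address(pkt["dst"]) in INTERNAL_NET:
            return None                    # no direct access to the internal net
        entry = self.rev.get(pkt["dport"])
        if pkt["dst"] != FIREWALL_IP or entry is None:
            return None                    # not a masqueraded port we know about
        int_ip, int_port, dst_ip, dst_port, last_used = entry
        if now - last_used > MASQ_TIMEOUT:
            self._expire(pkt["dport"])     # stale mapping: the reply came too late
            return None
        if (pkt["src"], pkt["sport"]) != (dst_ip, dst_port):
            return None                    # reply from a peer we never talked to
        self.rev[pkt["dport"]] = entry[:4] + (now,)
        return dict(pkt, dst=int_ip, dport=int_port)

    def _expire(self, port):
        entry = self.rev.pop(port)
        self.fwd.pop(entry[:4], None)
```

Note that without the two explicit checks at the top of from_outside, a packet that simply names an internal address would be forwarded like any other, which is the point of "masquerading is not security".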

Create a kernel

Configure the kernel to support firewalling. For the 2.2 kernels (some of these are added by the ip_masq_pptp patch):

CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_PPTP=m
DEBUG_IP_MASQUERADE_PPTP=y
DEBUG_IP_MASQUERADE_PPTP_VERBOSE=y
CONFIG_IP_MASQUERADE_IPSEC=m
CONFIG_IP_MASQUERADE_IPSEC_EXPIRE=30
DEBUG_IP_MASQUERADE_IPSEC=y
DEBUG_IP_MASQUERADE_IPSEC_VERBOSE=y
CONFIG_SYN_COOKIES=y

You may also want to apply a number of patches, depending on your needs.

PPTP

If you need to support those pesky Windoze boxes, you will need to deal with PPTP. You have two choices: run PoPToP or some other PPTP server on your firewall, or tunnel it through to an internal RAS server. This section deals with PoPToP.

Your modules.conf file may require some or all of the following:

alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty

alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate

See the Windows Client section of my VPN notes for how to set up Windows.

Now Windoze has a nasty habit of prepending to the hostname the first domain your computer ever connected to when doing authentication, so you should apply the patches to strip that, and to force MPPE, from Martin Muler's home page.

FreeS/WAN

IPsec is basically IPv6 security backported to IPv4. It consists of a key exchange daemon that sets up the session, and kernel code to do the tunneling and encrypting.

FreeS/WAN is the Linux IPsec implementation for kernels up to and including the 2.4 series (2.6 will have native IPsec support, though it will likely still use the IKE daemon). Straight up, it works pretty well for linking two Linux firewalls.

In the real world, you have to interoperate with other things. You will probably want the X.509 patch to support user certificates for mobile users and the native W2K client. You will probably also want the NAT-Traversal patch for clients behind firewalls; this adds things like encapsulating the IPsec protocol in UDP. There is also a single DES patch, for when you can't convince the system administrator of some large company to replace all his gear with newer stuff.

There is a Super FreeS/WAN that includes all of this (except the single DES) and more, like additional algorithms, but it tends to lag the real FreeS/WAN a bit.

shsmod

Super-High-Speed Mod. A number of serial chipsets on modern motherboards can, in reality, run much faster than 115 kbps, some up to 1 Mbps. This patch, along with the use of setserial, lets you access these speeds.

2.4 Kernel/PPP

You will need these kernel and PPP patches, or download the pre-built stuff from the PoPToP site. There is also a jumbo patch that adds smbpasswd support, MPPE, and the strip-domain and require-mppe patches.

Make sure you compile PPP and all this as modules. There seems to be a problem with compiling it into the kernel. There is a HOWTO being written.

2.6 Kernel/PPP

Starting with 2.6.16, MPPE comes with the kernel, yeah! IPsec too. Now the only patches are for the Layer 7 packet classifier and IMQ.

IP Masquerade Setup

First off, check out the Linux IP Masquerade page.

You must also arrange to have the appropriate modules loaded on re-boot. Add an rc file which does the following:

/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
...

Tools

Socks
Proxy for telnet, ftp and archie. It allows you to negotiate your way through firewalls by forwarding traffic to SOCKS servers. Most commercial firewalls support the SOCKS protocol. It can also be compiled with Kerberos to provide better authentication and traffic encryption.
TIS Firewall Toolkit
All-round proxy, also with an e-mail proxy. There is an anti-spam extension available under http://www.cih.com/~hagan/smap-hacks

NetMeeting

NetMeeting and other conferencing software is a firewall nightmare. Due to its awkward use of UDP and TCP it can't be run through a standard firewall (unless it is restricted to a single internal IP address).

NetMeeting uses the Internet Locator Service (389/tcp), User Location Service (522/tcp), H.323 call setup (1720/tcp), T.120 (1503/tcp) and audio call control (1731/tcp). The H.323 call control and audio/video streaming use dynamically assigned TCP and UDP ports. The port negotiation is via an encrypted channel, just to be difficult.

NetMeeting also requires a server for rendezvous. The best idea is to place a hardened NetMeeting server, or an MCU from White Pine, on Linux or Solaris in the DMZ to handle this.

There is a masquerading module for Linux that currently handles the audio conferencing. It can be found in the latest netfilter source.

There is a Knowledge Base article 158623 about NetMeeting, the Resource Kit and a document on firewalls.

Firewall related software

SF-Firewall
Complete firewall software
Squid
Proxy/Cache for http
Secure Shell
Secure Access to your computer.
ETL DeleGate Home Page
Application level proxy

See Also

My VPN page, Firewall rules page, Commercial Firewall page and Security page.

Tony Lill
Last modified: Mon Jun 4 17:36:39 EDT 2007