Date: Wed, 02 May 2001 09:28:01 -0400
From: Nathan Vidican <webmaster@wmptl.com>
To: questions@freebsd.org
Cc: Rob <rob@robhulme.com>
Subject: Re: IPFW versus Hardware firewalls
Message-ID: <3AF00B61.F508D2A6@wmptl.com>
References: <LPBBLIHFHEKDFLJEBFJGKEJKDCAA.rob@robhulme.com>
Rob wrote:
>
> Hi,
>
> I regularly administer some FreeBSD servers, and more recently (as specified
> in another email) I will be required to implement several firewalls.
>
> From what I 'hear' everyone seems to go the hardware based firewall route -
> with Cisco having the most well respected name (at least for marketing
> purposes).
>
> I like BSD, I have been very impressed with the stability and security of
> the system. We don't generally see NT boxes on our network with >100 days
> uptime, but this seems to be quite common with BSD. I would be interested in
> looking into using FreeBSD with IPFW for our firewalls - but I am interested
> in your opinions.
>
> What are the advantages of using IPFW over say Cisco's products? What are
> the disadvantages?
>
> What experiences have you had of using either?
>
> Are there any comparisons on the net?
>
> Many Thanks
> -Rob
>
> --------------------------------
> http://www.robhulme.com
> http://www.christianunion.org.uk
>
> "...and scantily clad females, of course. Who cares if it's below zero
> outside." -- Linus Torvalds
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Personally, I take preference to using a BSD box over a hardware firewall. Consider that all hardware firewalls have some sort of software foundation to them, in many cases actually based on BSD code. The biggest advantage, (as I see it), to a hardware based firewall as opposed to a BSD box running as a firewall, is that it boots very quickly, and usually from a ROM. Both offer similar features, (e.g. pluggable hardware data encryption accelerators), with similar capabilities.
I find though, that a machine running BSD gives more flexibility, and here's why:

- The machine can be used to do more than just packet filtering / NAT
- The interfaces are much cheaper than most proprietary stuff, (e.g. NIC cheaper than Cisco ethernet module)
- Dependent upon the system used, you can have the capability to utilize more interfaces, (I have an OpenBSD based firewall with 5 10/100 NICs in it for example)
- P.C.s running as firewalls are generally much cheaper (this being the big one)

In terms of performance, I really do not know. I've never really dealt with a 'dedicated hardware firewall', I have implemented packet filtering (ip firewalling) on a Cisco router before though.

Just my two cents, but I'd stick with a BSD box to do the firewalling for you.

Nathan Vidican
webmaster@wmptl.com
Windsor Match Plate & Tool Ltd.
http://home.wmptl.com/
