From: Vulpes Velox
To: ppi@amug.org
Cc: questions@freebsd.org
Date: Thu, 12 Feb 2004 18:23:56 -0600
Subject: Re: Hardware vs software firewall on FreeBSD
Message-Id: <20040212182356.46c04e17@vixen42.>
In-Reply-To: <20040212203745.GU20527@wyeth.trail.calm>

On Thu, 12 Feb 2004 12:37:45 -0800 ppi@amug.org wrote:
> I'm upgrading the hardware on my webserver. It will run FreeBSD
> 4.9.
>
> I need to decide whether to use a hardware firewall (Cisco) or use
> ipfw, ipf, pf, etc.
>
> The hardware firewall will increase my monthly server rental bill by
> almost 30%. So I'm wondering if the significant extra cost is worth
> it.
>
> What kind of performance hit will result from using ipfw, ipf or pf?

AFAIK you will not get any noticeable performance hit from any of those.

> I would like to avoid the extra expense of the hardware firewall.
>
> Can anyone offer an opinion on this matter? Any good reasons to use
> one over the other?

I personally don't trust hardware firewalls any more than I trust a software firewall. Problems can occur in either, and software is easier to update, etc. I really don't see how it makes a difference if something is written in Verilog or C or whatever. The only difference is that one is easier to back work than the other.