not to be butthead or anything, but..

> it's possible that a cisco box, running their embedded IOS instead of linux would be a touch faster

highly unlikely.

> there are several advantages to having a DMZ for your webservers and hiding the application and database servers on the inside, don't you think?

of course.

> Having hardware appliances might make it easier to configure

this has nothing to do with 'hardware'. but, yes, appliances are typically easier to configure. but then again, iptables isn't that hard to set up.

> No need to worry about patching/locking down anything else, like you'd have to consider with a linux box.

run debian stable and simply use iptables to lock everything down. it's really, really easy.

> ever tried to cut down a tree with a swiss-army knife saw-blade?

no.

okay, so it sounds like the summary is: "i don't have time/energy to invest in learning how to do this with linux, so i'm going to throw money at the problem to make my life easier - does anyone know of a firewall appliance?"

this is a *perfectly valid* reason for wanting an appliance, but this is your reasoning, no? i was just curious about any specific reasons you had for not just using iptables, because i'm sure there must be some good reasons for it (i've recently been told that iptables doesn't work well w/ multiple vpn sessions for example.)

sounds like you should just go w/ pix - but at least buy 'em from ebay. ;-)

Josh Coates
http://www.jcoates.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ryan Byrd
Sent: Tuesday, March 08, 2005 11:50 AM
To: Provo Linux Users Group Mailing List
Subject: Re: creating a DMZ -- seeking firewall advice

> but hey, you may actually *need* to upgrade for a good reason - but what
> *exactly* do you need that your iptables boxes cannot provide for you (aside
> from the feel-good cisco brand) ?

well, it's possible that a cisco box, running their embedded IOS instead of linux would be a touch faster, but regardless of whether it's two linux boxes running iptables or two hardware firewalls, there are several advantages to having a DMZ for your webservers and hiding the application and database servers on the inside, don't you think?

Having hardware appliances might make it easier to configure, too, because, well, all the hardware firewall does is, packet filter. No need to worry about patching/locking down anything else, like you'd have to consider with a linux box. In a very over-general sense, too, dedicated tools seem to work better than multipurpose ones (ever tried to cut down a tree with a swiss-army knife saw-blade?)

so, does anyone have any experience with hardware firewalls?

mrb

.===================================.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin.           |
| IRC: #utah at irc.freenode.net    |
`==================================='
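A ruleset of the kind Josh describes (a plain Linux box with iptables, web servers in a DMZ, application and database servers hidden on the inside), written here as an added example that is not from the thread; the interface names, addresses and ports are assumed values, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Three-legged DMZ on one Linux box: eth0 = Internet, eth1 = DMZ (web),
# eth2 = internal (app + db). All names and addresses below are assumed.
IPT="${IPT:-iptables}"        # IPT=echo gives a dry run that only prints the rules
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=10.0.2.0/24
WEB=10.0.1.10                 # web server living in the DMZ
APP=10.0.2.10; APP_PORT=8080  # application server on the inside
DB=10.0.2.20                  # database server on the inside

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

dmz_rules() {
    # Default deny for everything crossing the box; only the flows below pass.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections already accepted are allowed in every direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The Internet may reach only the web server, and only on 80/443.
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # The web server may open exactly one kind of connection inward: the app port.
    $IPT -A FORWARD -i $DMZ -o $LAN -s $WEB -d $APP -p tcp --dport $APP_PORT -m conntrack --ctstate NEW -j ACCEPT
    # Nothing in the DMZ may talk to the database; log attempts, then drop all other DMZ->inside traffic.
    $IPT -A FORWARD -i $DMZ -o $LAN -d $DB -j LOG --log-prefix "DMZ->DB blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Inside hosts may reach the DMZ and the Internet.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
    # Publish the web server on the outside address and masquerade outbound traffic.
    $IPT -t nat -F
    $IPT -t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# Load the rules for real only when invoked as: sh dmz.sh apply
if [ "${1:-}" = apply ]; then
    enable_forwarding
    dmz_rules
fi
```

Run with IPT=echo first and read the printed rules; the only DMZ-to-inside ACCEPT is the single app-port line, and it must appear before the catch-all DROP.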
