creating a DMZ -- seeking firewall advice

Eric Jensen eric at
Tue Mar 8 12:22:48 MST 2005

Ryan Byrd wrote:

>>but hey, you may actually *need* to upgrade for a good reason - but what
>>*exactly* do you need that your iptables boxes cannot provide for you (aside
>>from the feel-good cisco brand) ?
>we'll, it's possible that a cisco box, running their embedded IOS
>instead of linux would be a touch faster, but regardless of whether
>it's two linux boxes running iptables or two hardware firewalls, there
>are several advantages to having a DMZ for your webservers and hiding
>the application and database servers on the inside, don't you think?
>Having hardware appliances might make it easier to configure, too,
>because, well, all the hardware firewall does is, packet filter. No
>need to worry about patching/locking down anything else, like you'd
>have to consider with a linux box. In a very over-general sense, too,
>dedicated tools seem to work better than multipurpose ones (ever tried
>to cut down a tree with a swiss-army knife saw-blade?)
>so, does anyone have any experience with hardware firewalls?
>| This has been a P.L.U.G. mailing. |
>|      Don't Fear the Penguin.      |
>|  IRC: #utah at   |
As far as efficiency, I gathered from various research that the Linux 
distros that are focused on being firewalls and pretty good at it and 
not nearly as much bloat to trim from just a generic Linux install.  And 
if Cisco does all the "features" that most commercial firewalls do, I.E. 
employee micromanagement, then I doubt that are all that efficient 
anyway.  Our Firebox does what a firewall should, no doubt, but it does 
a very large list of other things as well.  I think if you take a Linux 
distro that intends to be nothing but a firewall, you would end up being 
more efficient then a commercial device.  But I'm not a Firewall guru by 
any means, just spent a few months using our Firebox and some casual 

Eric Jensen

More information about the PLUG mailing list