<quote who="timothy bauscher">
> I love Linux, but I believe in finding the best solution for a problem.
> My question is not which OS is better for a firewall, but which one
> you would use (or do use).
Depends. Is this a TRUE firewall, or is it a FAKE firewall, by which I mean one that does NAT? If it's a TRUE firewall, then I would probably use FreeBSD because of the good bridging support. I only started playing with bridging back in November of last year, and it's great. IPFW in FreeBSD works on bridged interfaces, and DUMMYNET works on bridged interfaces, which allows VERY EASY traffic shaping. I haven't heard much about people using Linux to do bridged stuff, so I didn't investigate it when I made the decision; I knew a lot of folks who used Free/OpenBSD for bridged networking.

Bridged networking, in case you don't know, runs the NICs in IP-less mode, so they pass traffic between the two interfaces but have no IP address, so you cannot connect to the interfaces. Makes for much more security. At the same time, because they are transparent, you don't have to change any routing: just plug it in and it goes. That's one of the biggest advantages. At the company where I work I run FreeBSD servers with 4-port NICs to sniff traffic on the T1s; if I need to take the machine down for some reason, I unplug the routers from them and plug them into the switch, and within seconds the network is available again and I don't have to touch a thing in the routing tables on any machine.

Now, if you're a Linux newbie then FreeBSD may not be the best thing; it is much more complicated to use and to maintain compared to Debian, in my experience thus far. Less hardware is supported, compiling a kernel is harder due to lack of documentation on available kernel options, and you have to do manual dependency checks on the kernel config, unlike menuconfig on Linux. That said, I like FreeBSD for its kernel-level features like bridging and high-speed networking, but I really hate the distribution. I don't like ports, and I don't like the fact that if I want to install a package via sysinstall it has to redownload the INDEX file and parse it (which takes a long time even on a T1 with a 1GHz P3).

There are several other complaints I have about the FreeBSD distribution, so I'd kill for a Debian FreeBSD. If you're building a NAT box, and if it's ONLY a NAT box, I would use FreeBSD too, for the reasons (networking) outlined above. But if it's more than a NAT box (my home NAT runs dozens of services and has a gig of RAM in it), I would use Debian/Linux. Oh, and I would rather use FreeBSD than use Linux kernel 2.4 at this point, if you need the "features" of 2.4.

nate
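The setup Nate describes, as an added example that is not part of the original post: a FreeBSD 4.x transparent bridge with both NICs IP-less, IPFW filtering the bridged frames and two DUMMYNET pipes shaping the T1 in each direction. Everything concrete in it is an assumption chosen for illustration: the interface names (fxp0 towards the T1 router, fxp1 towards the switch), the 192.0.2.0/24 LAN, the 192.0.2.10 web server and the 512Kbit/s rate. The kernel is assumed to be built with `options BRIDGE`, `options IPFIREWALL` and `options DUMMYNET` (plus `IPFIREWALL_VERBOSE` for the `log` keyword), and the sysctl and ipfw syntax is that of the 4.x era. The rules key on addresses rather than on `in`/`out` interface qualifiers, because how the bridge code presents the receiving and sending interface to ipfw has varied between releases; on a two-port bridge every forwarded packet is either from the LAN or to the LAN anyway. The script only touches the running system when invoked as `./bridge.sh apply`; with `IPFW=echo SYSCTL=echo` it just prints what it would run.

```sh
#!/bin/sh
# Added example, not code from the original post.  A FreeBSD 4.x IP-less
# bridge with IPFW filtering and DUMMYNET shaping.  Interface names, the LAN
# prefix, the web server address and the bandwidth are illustrative
# assumptions; adjust them before running with "apply".

OUTSIDE=${OUTSIDE:-fxp0}        # assumed: NIC plugged into the T1 router
INSIDE=${INSIDE:-fxp1}          # assumed: NIC plugged into the switch
LAN=${LAN:-192.0.2.0/24}        # assumed LAN prefix behind the bridge
WEB=${WEB:-192.0.2.10}          # assumed web server reachable from outside
RATE=${RATE:-512Kbit/s}         # assumed per-direction shaping rate
IPFW=${IPFW:-/sbin/ipfw}        # set IPFW=echo to print instead of apply
SYSCTL=${SYSCTL:-/sbin/sysctl}  # set SYSCTL=echo to print instead of apply

# Sysctls: bridge the two NICs (no IP address is configured on either), hand
# bridged frames to ipfw, and set one_pass=0 so that a packet sent through a
# dummynet pipe continues to the next rule instead of being accepted by the
# pipe rule itself.  That lets the pipes sit in front of the filter rules.
bridge_sysctls() {
    cat <<EOF
net.link.ether.bridge_cfg=${OUTSIDE}:0,${INSIDE}:0
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.inet.ip.fw.one_pass=0
EOF
}

# The rule set, one ipfw argument list per line.  Pipes first (shaping),
# then a small default-deny filter keyed on LAN addresses.
bridge_rules() {
    cat <<EOF
pipe 1 config bw ${RATE}
pipe 2 config bw ${RATE}
add 100 pipe 1 ip from ${LAN} to any
add 110 pipe 2 ip from any to ${LAN}
add 200 allow tcp from any to ${WEB} 80
add 210 allow tcp from ${LAN} to any
add 220 allow tcp from any to ${LAN} established
add 230 allow udp from ${LAN} to any 53
add 240 allow udp from any 53 to ${LAN}
add 250 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Push the sysctls and the rule set into the running kernel (or echo them
# when IPFW/SYSCTL point at echo).  The flush is done first so the script
# can be re-run after editing the rules above.
apply_bridge() {
    bridge_sysctls | while read -r setting; do
        "$SYSCTL" -w "$setting"
    done
    "$IPFW" -f flush
    "$IPFW" -f pipe flush
    bridge_rules | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        "$IPFW" $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_bridge
fi
```

Because the box has no IP address, ipfw's own counters (`ipfw -a list`) and the logged denies on the console are the only way to see what it is doing, which is exactly the property Nate is after: nothing on the wire can address the firewall itself. The shaping pipes are symmetric here; on a real T1 you would normally size pipe 1 and pipe 2 separately and leave a little headroom below the line rate so the queueing happens on the bridge rather than in the router.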