On 4/30/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/04/30 06:34, S t i n g r a y wrote:
> > Now what I want to know, maybe is OT in this list,
> > but what is the difference, I mean pf in OpenBSD is
> > referred to as a firewall for home or small offices?
> > Why is that, I mean what is the criteria of an
> > enterprise firewall, what is the difference between pf &
> > MS ISA / Cisco PIX or Checkpoint?
> > Performance? Stability or features?
>
> marketing and a manager-friendly gui.



I must say though, a well designed gui can be a great help in managing a set
of firewalls, or a firewall with complex rules.  I like pf for the
cleanliness of syntax and simplicity of doing things, but the guy who ran
the checkpoint firewalls for 50+ sets of firewalls and 2000+ rules across
them all told me he would not have been able to manage it with pf. I did not
believe him.  Now that I'm managing a small bunch of checkpoint boxes with a
few hundred rules, and some vpns, it *does* make things easier.

I know about the traditional argument of making complex things too simple,
but simplifying things for an experienced admin is a good thing.  Lusers
shooting themselves in the foot is not my problem.

And anyone thinking of implementing an ISA server is simply asking for it
:)  PIX is another bother.  Fantastic idea, copying checkpoint's gui.  But
when you use it, and it tells you, "this feature is not available in the
gui", that rapidly becomes old.

As far as performance goes, anyone implementing any kind of firewalls for a
business should be using hardware that's relatively recent - unless you have
ungodly amounts of specialized rules, performance should not be an issue.
