A Dedicated Firewall for a Small Town?

Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an applicance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."

Re:OpenBSD?

[major.morgan]

While I agree that BSD/pf is potentially one of the best, and with no licensing costs perhaps the cheapest - but did you all read the last sentence of the original question?

Getting an OpenBSD box up, configuring the routing and firewall can be learned, perhaps even in a week, but that assumes someone with a pretty damn good low level understanding of networks and protocols. You or I might do this, but it's at the opposite end of the spectrum from Windows/Symantec Firewall.

monowall

[bats]

How can there be no mention yet of monowall? Its an excellent tool for simple reliable firewalling. We're running it off an old P2 class machine. The system software is on CD with our config file on a floppy. Its been completely reliable for going on a year and even this old machine happily keeps our T1 maxed out without blinking an eye. We actually replaced a failing WatchGuard box ($$) with monowall, increasing the feature set at near zero cost. The actaul hardware is a retired desktop (free) and we just added 3 PCI NICs (~$20 each). Eventually, we'll probably buy a rackmount system built for monowall, but even that only runs $500-$800.