Not being up on VPNs, wouldn't this be a function of your VPN server, not of the firewall?
Ummm, no, not necessarily. Many firewall products terminate VPN connections and
either use their own authentication database or pass that chore on to another authentication
service like RADIUS.

Compared to what?
Well, check out something small like the Nokia IP330 running Checkpoint NG.
Out of the box, it crushes any netfilter-based product I can think of. Sure, you can
probably glue a box together and gain some of the features. If you use a commercial product, you usually have a hard time compiling in new features if the vendor even allows it. If you roll your own, lots of things are possible if you have the time. I just don't have that kind of time.

I think almost all *nix firewalls are capable of being run off read-only media like CD.
Really? Cool, which ones? I would love to check 'em out.