In praise of IPCop
Here at runPCrun we use a lot of equipment - servers, routers, switches, workstations. If it has a plug then chances are we've opened the box, taken a good sniff and installed it.
Since we have a large number of clients, it makes good sense for us to standardise on what we use to make our lives easier. One of the most important things to standardise is the firewall. Our choice of firewall needs to have the following features:
Affordable - it would be hard for us to recommend that our SOHO clients spend £1000s on expensive kit - they'd simply refuse. Also, we have seen firewalls that come with features locked unless you pay extra license fees. One firewall we replaced for a new client actually only had room for 3 port forwarding rules!
Flexible - Every client is different. Some clients have multiple internal machines on non-standard RDP ports, some have FTP servers with strict IP lists. One client wanted to block port 25 from all machines except one. The firewall we choose can do all of these and if not, chances are somebody has written an open source module that can be installed.
Easy to Manage - We have seen some firewalls that can require you to go on a course just to add a simple port forwarding rule. Of course, you do need to know what you're doing when working on any firewall, but an easy-to-understand user interface goes a long way to help. Our firewall has a simple GUI and, if you want to get your hands dirty, a full command line interface.
Stable - You need a firewall that measures its uptime in months and years, not hours and minutes. Our choice has been running in some installations for over 5 years without a single problem. Now that is staying power.
The firewall of our choice is IPCop. It's free and it's fantastic!!
We use old P3-based Dells, but for our clients we like to use small mini-ITX based units for increased reliability. These cost approx. £300 + VAT, which for our clients is reasonable. We have lost track of the number of times we have taken on a new client and found a complex, over-specced firewall in place. Firebrick, WatchGuard: all good products but a nightmare to manage, so they quickly find a new life on eBay or we simply chuck them.