I used IPFilter for quite some while and was very confident of its abilities. It could be configured down to the last detail, and for me it was easier to comprehend than IPChains. Much easier. I ran IPFilter exclusively on OpenBSD, which is supposedly the safest Unix version available, and through version 2.9 the IPFilter material came on the install CD (which was only $30). For some obscure licensing reason, the creator of IPFilter no longer allows OpenBSD to bundle IPFilter. IPFilter can be run on other distros, of course.

I never was able to get those firewalls talking to each other, so I tried SmoothWall. I had my first firewall working in 20 minutes, and that included downloading the code, burning a CD, installing a new hard drive, temporarily hooking a CD up, and running the install. It couldn't have been easier. Once I had two of them setup it took me about two hours to figure out how to connect them via IPSec, now that I am not making the same stupid mistakes it adds about five minutes per machine to connect them.

To call the creators of SmoothWall "mega jerks" is, however, awfully mild. Definitely Daniel Bernstein class. Fortunately, I doubt that there is much reason to care. When I was using the OpenBSD/IPFilter system I was running DJBDNS in them, which exposed me to more of Bernstein than the SmoothWall experience exposed me to Richard Morrell.

Another possibility that might make sense would be to use one of the Webmin tools to make IPChains or IPTables understandable. When I was starting this whole mess a year ago I don't think these were available, but there are several listed now on the Webmin site:

http://webmin.thirdpartymodules.com/?page=Networking

But SmoothWall is, by far, the easiest solution I've seen.

Van