Linux Firewall or Router w. SPI

I know I could probably start this on the hardware side of the boards, but I am curious as to people's opinion on whether a PC with a firewall like "Smoothwall" installed would be more secure, or perform better then my D-Link Router with Stateful Packet Inspection (SPI) and Network Address Translation (NAT) enabled?


PS: Just so you understand the complexity of my network. I currently have several machines behind my router, none of them have firewall software, nor do I want them to have that software. I am considering adding/replacing to the router with the Linux Firewall, if it is "justifiable".

How about both? Although I believe a router could be adequate enough or firewall would be good enough I also believe it couldn't hurt if you have them both reinforcing each other and optimizing the security and well-being of your computer...

Would you have the router in front of or behind the firewall

I think behind... I'm not sure though.

<insert opinion here>

The answer to the initial question of 'which is better...' is both.

If you can afford a top-notch hardware FW abstraction, such as a Cisco Pix then go for it.
If you are talking about the difference between a Linksys router (whose 'firewall' functions are at best, state-enhanced routing statements) and a machine that is running a stateful, deep-packet inspection firewall package on appropriate hardware for the traffic levels at 3*Peak+Average, built by someone who has a handle on the phrase, internet security -- then perhaps not.

You also need to be careful as to how you place multiple inspection devices in line; if the system makes use of NATs (network address translation tables) and you end up with a double NAT, your ability to VPN is greatly reduced to nominally zilch.

Personally I run a firewall of my own design -- in that I chose the OS, and run the pf firewall with my own configurations.

There's a great deal to consider when choosing to control one's own security destiny -- but the road, while long and arduous is worth the trip.

I am not sure that I completely understand your answer, however, I do understand that a Cisco Pix would be optimal, but the Pix is not in my budget.

I also understand that a double NAT could be problematic.

While I could disable NAT and even SPI on the router, I guess my question is which offers a more secure, but yet workable firewall. I am not a company, so I don't have a ton of machines, I am not into gaming, however, I like the idea of being able to stream video. VPN with my university is also a requirement, which uses Cisco client software. I guess I am not sure what my router could offer to the security mix.

I am very concerned about Chinese hackers. They seem to be everywhere these days. My whole life is on my hard drives, and I want to protect my sensitive data. Yes, I do backup my data, as matter of fact in multiple ways, even with on-line, off-site facilities. I just want to keep the bad guys out, but I am not a security expert, and I am not able to afford one either. I don't understand how hackers do their thing, but I also don't want to try to do the types of things they do.

Thanks for your help.