The more I use netfilter (iptables) the more I love it. As for Microsoft, well, to start with it's Microsoft, so it is most likely ungodly expensive, the licensing will rape you (per user, per server, per connection, but don't put it past them to go to per hit so that you have to shell out a few pennies for every web hit.)

To eliminate as many security issues as possible a firewall should be a firewall. Not some blown up OS with many a security hole and alpha channel menus. Ideally, a firewall should be some sort of embedded thing. But that's not going to be a reality for most homes, home offices, and small businesses. In comes a lightweight small free *NIX box. (Open, Free, Net BSD, Linux, etc.) Security problems can be minimized by only installing a minimum system with next to no services (ssh is all you need right?) and creating a good firewall. There are GUI tools, but it would be better to run these on a workstation then transfer the results to the firewall by ssh.

Now the MS solution. First, you need a box big enough to run Windows 2000. What's the minimum? P166 with 128MB of RAM? Yeah, it will run on that, but not well. Get a decent box. 500MHz+ with at least 128MB RAM, 256 is even better. You can get away with a 486 with 16-32MB RAM with Linux/BSD. Then, look at the cost of Windows 2000 Server. (You're not going to run Pro as a firewall!) Ouch huh? Now tack on the ISA stuff. Does it hurt yet? Did you forget to factor in that MS is moving to subscription based licensing in October and if you don't get current by then you'll lose any upgrade discounts? Painful isn't it.

Then you have all the services that Windows 2000 will want to run by default. Ick. Sure you can close them off with the firewall, but you should be able to close them down before the firewall software is installed. Then there's the remote administration thing. With UNIX ssh is all you need. With Windows 2000, you have to enable Terminal Services. Terminal Services is definitely something you don't want to deal with on a firewall.

As for technical merits of the firewalls themselves, not the merits of the OS: iptables just plain rocks. There's a reason we moved from MS firewall/proxy to Linux ipchains. I wasn't working here at the time so I can't tell you what it is, but read above and you should get the idea. iptables is easy, it can also be frustratingly hard. In most cases, easy. Doing redirection, transparent proxy/cache, and other nifty things gets interesting, but there's no lack of documentation.

In the end, I strongly encourage you not to even consider Microsoft or 3rd party software firewall running on a MS operating system. Very biased I know, but if you wanted an unbiased opinion, you wouldn't be asking a Linux Users Group.

My firewall recommendations go like this:

- embedded hardware device (Linksys, Netgear, and other little firewall router things don't count)
- Linux or OpenBSD
- unplug from network

Andrew S. Zbikowski | Home: 763.591.0977
http://www.ringworld.org | PCS: 612.306.6055
They must not get baseball sized hail in Redmond. If they did MS would have realized HailStorm is a bad name for their new services.