I reviewed FireWall-1 for UnixWorld's Open Computing, October issue
(which won't be on the streets until Sept 10).

Essentially, FireWall-1 performs packet filtering within the kernel,
after the device driver and before the Internet layer of the TCP/IP
protocol stack gets a crack at it. You can do very sophisticated
packet filtering, that is, accept/reject/log packets based on address,
network, protocol/port. Currently, only Sun 4.1.3 and Solaris
are supported. You can control it via the command line or a GUI.

It also can do things that no router or host-based packet filter can
accomplish--create dynamic openings in the access control list. For
example, an outgoing FTP control connection might send a PORT request
to the remote server. FireWall-1 'remembers' the PORT connection and
opens a window for the return connection from the server's data port.
After the connection is closed (or times out), the window is closed.

FireWall-1 can also handle RPC services, such as NFS. I tried NFS
both with filtering on and off, and the difference in performance
was less than 1-5% (over an Ethernet connection). Not that you should
send NFS through your firewall...

FireWall-1 drops source-routed packets by default. There appeared to be no
way to control this behaviour. You cannot add authentication to
this model, unlike proxy-based firewall schemes (like TIS fwtk). Also,
for $19-40,000, it seems expensive for a floppy disk and
a 100+ page manual. Not that there isn't a lot of work in it. They
simply based the price on the cost of other firewall solutions. There
is a 'starter kit' for $10k for small sites.
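
The dynamic FTP opening described above, sketched as an added example (this is
not FireWall-1 code and not part of the original review). The class name, the
60-second timeout, and the two restrictions on the announced address and port
are assumptions of the example; addresses are documentation ranges.

```python
import re

# Argument of an FTP PORT command: h1,h2,h3,h4,p1,p2 (RFC 959).
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$")
FTP_DATA_PORT = 20      # server side of an active-mode data connection
WINDOW_TTL = 60.0       # assumed lifetime of an unused opening, in seconds


class DynamicFilter:
    """Toy stateful filter: inbound is denied unless a PORT command opened a window."""

    def __init__(self):
        # (server_ip, client_ip, client_port) -> expiry time
        self.windows = {}

    def outbound_control(self, client_ip, server_ip, payload, now):
        """Inspect one outgoing FTP control line; return True if a window was opened."""
        m = PORT_RE.match(payload)
        if not m:
            return False
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return False
        announced_ip = ".".join(map(str, octets[:4]))
        port = octets[4] * 256 + octets[5]
        # Assumed policy: only open a window back to the host that owns the
        # control connection, and never to a privileged port.
        if announced_ip != client_ip or port < 1024:
            return False
        self.windows[(server_ip, client_ip, port)] = now + WINDOW_TTL
        return True

    def inbound_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        """Accept an inbound connection attempt only if a live window matches it."""
        key = (src_ip, dst_ip, dst_port)
        expiry = self.windows.get(key)
        if expiry is None or src_port != FTP_DATA_PORT:
            return "reject"
        if now > expiry:
            del self.windows[key]      # window timed out
            return "reject"
        return "accept"

    def close(self, server_ip, client_ip, client_port):
        """Data connection finished: remove the opening."""
        self.windows.pop((server_ip, client_ip, client_port), None)
```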