Sorry for the long delay in responding to this. I've been busy adding new
features to the PIX.
Some of the comments concerning the PIX are a little off. The PIX is
not a router.
The PIX works great as a firewall. We keep connection state on all TCP
and will drop inbound datagrams that have no connection object allocated for
A quick overview of how the PIX works.
The PIX has two Ethernet interfaces: inside and outside.
IP datagrams arriving on the inside cause a new address to be allocated from
a pool of global addresses and used to translate the source of the outbound
datagram. If the datagram is a TCP datagram, a connection object is allocated
and the foreign IP address and all the port numbers are saved.
When a datagram arrives from the outside, the translation table is searched
for an active translation. If none is found the datagram is logged and
If a translation is found, and the datagram is a TCP datagram, the connections
hosts are searched for this TCP connection. If a connection object is not
datagram is logged and dropped. Normally no connection object can be created
As you can see, this gives us great filtering power with a limited amount of
We have tested the box to 10,000 connections with only a small performance
We pump about 600-700K through a typical TCP connection.
Network Translation, Inc.
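
The translation and connection-table behaviour described in the message above, as an added Python sketch that is not part of the original post and is not PIX code. The class and field names, the one-global-address-per-inside-host mapping, the drop on a missing translation or an empty pool, and the forwarding of non-TCP datagrams that match a translation are assumptions; all addresses are constructed documentation-range values.

```python
# Added illustration: a simplified model of the described behaviour, not PIX code.
class Translator:
    def __init__(self, pool):
        self.pool = list(pool)  # free global addresses
        self.xlate = {}         # inside IP -> global IP (assumed one per host)
        self.rev = {}           # global IP -> inside IP
        self.conns = set()      # TCP connection objects
        self.log = []           # reasons for logged datagrams

    def outbound(self, src, sport, dst, dport, proto):
        """Datagram arriving on the inside interface."""
        if src not in self.xlate:
            if not self.pool:
                self.log.append(("pool-exhausted", src))
                return None     # assumption: nothing left to allocate, so drop
            g = self.pool.pop(0)
            self.xlate[src], self.rev[g] = g, src
        g = self.xlate[src]
        if proto == "tcp":
            # Save the foreign IP address and all the port numbers.
            self.conns.add((g, sport, dst, dport))
        return (g, sport, dst, dport, proto)   # source address rewritten

    def inbound(self, src, sport, dst, dport, proto):
        """Datagram arriving on the outside interface."""
        inside = self.rev.get(dst)
        if inside is None:
            self.log.append(("no-translation", src, dst))
            return None         # assumption: dropped as well as logged
        if proto == "tcp" and (dst, dport, src, sport) not in self.conns:
            self.log.append(("no-connection", src, sport, dst, dport))
            return None         # logged and dropped
        return (src, sport, inside, dport, proto)  # destination rewritten

if __name__ == "__main__":
    fw = Translator(["192.0.2.10", "192.0.2.11"])   # constructed pool
    print(fw.outbound("10.0.0.5", 40000, "198.51.100.7", 80, "tcp"))
    print(fw.inbound("198.51.100.7", 80, "192.0.2.10", 40000, "tcp"))  # reply
    print(fw.inbound("203.0.113.9", 80, "192.0.2.10", 40000, "tcp"))   # unsolicited
    print(fw.log)
```

Because the inbound lookup matches the full four-part key, an active translation alone does not let a different outside host or port reach the inside address over TCP.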