Could anyone tell me the difference between a Hardware firewall and a Software firewall. Also which could be the best solution to protect my system. I have my website running on RedHat Linux 9.

The main difference is price. You'll pay more for a dedicated firewall rather than a little piece of software. I'm toying around with IPChains. You can setup a dedicated fw with a linux box and 2 nics

--Matt

Well you do also pay mostly for the GUI development. Like there are firewalls out there which are based on netfilter and just add a GUI and managing tool for Winblows to it ... if I'm not mistaken the WatchGuard series is such a kind of firewall.

Use iptables if you are on version 2.4 of the kernel or higher. iptables will do stateful inspection of the packets.

Well what are traditionally called "hardware" firewalls are more properly labeled "firmware" firewalls. They generally have very few moving parts and the firewall code itself is loaded from some type of NVRAM. "Software" firewalls can mean anything from specialized software running on dedicated hardware, to just an extra program you install on a normal system. Usually "software" firewall means an extra program you add. The middle ground would cover both "appliances", which are very close to the same as a firmware firewall, but actually have hard disk drives and run fairly standard hardware, to a "bastion host" which is just a dedicated host running a particular set of software for firewalling and maybe proxying.

You can create either a software firewall or a bastion host on Linux, depending on your resources. A firmware firewall would cost a significant amount of money (such as a Cisco Secure PIX, Netscreen, etc...) and an appliance would also cost, although generally not as much (some companies for instance make IPCop appliances that sell for several hundred dollars).

I did leave one possibility out: You could buy a consumer (or "SoHo") firmware firewall, such as Linksys, D-Link, Netgear, Belkin, etc... Those would cost between $80 and $150, depending on the model and any special promotions. The difference is those units are not very configurable, they almost never have a true DMZ, and they're usually very limited in the amount of IPs they can support.