Linode Forum
Linode Community Forums
 Post subject: Hardware firewall
Posted: Wed Aug 24, 2011 5:09 pm
As far as I know, some VPS/Cloud server hosts offer hardware firewalls. Technically speaking, is that something Linode could offer?


Posted: Wed Aug 24, 2011 5:14 pm
Website: http://www.mattnordhoff.com/
Heh, nice timing. This came up a couple weeks ago. While that thread is 3 pages long, by cutting out the flames it can be reduced to:

1.) "Why? iptables."

2.) Linode saying "... like all requests, we appreciate it and will discuss it".

I am curious what benefits a hardware firewall would have for you, over iptables on your nodes.

_________________
Matt Nordhoff (aka Peng on IRC)


Posted: Wed Aug 24, 2011 5:47 pm
Is there even really such a thing as a "hardware firewall" anymore? Most so-called "hardware firewalls" (even enterprise-grade) still seem to be doing most of the work on general-purpose processors, although I could be simply ignorant.

In a virtualized environment where dedicating nodes to a task is very cheap, there's no particular reason why one or more Linode 512 couldn't be firewalling traffic (running a stripped-down dedicated distro) for a cluster of larger linodes. Traffic pooling and private networks make it feasible, and you could probably convince Linode to permanently null-route all your "internal" linodes to the outside world so that you can make sure everything goes through the firewall linode. Of course, "very cheap" is not the same as "free".

EDIT: Anecdotally, a local medium-sized ISP decided that, instead of paying Juniper or Cisco hundreds of thousands or millions of dollars for hardware, they were going to spend the money to hire a bunch of sysadmins and software developers and do everything in-house with generic enterprise-grade rackmount servers. In the end, they still saved a bunch of money compared to buying Cisco/Juniper, and the extra flexibility that they gained let them build out some interesting asymmetrical bonding solutions for customers (bonding DSL and cable into a single logical connection without even adding an extra layer on the PPPoE-based DSL lines). Juniper's MLPPP implementation can't do that. Then again, we've had a ton of long debates about what exactly constitutes "enterprise-grade" on DSLReports.
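
The gateway layout described in the last post (a small node filtering traffic for larger nodes over the private network), sketched as an added example that is not part of the thread or of any Linode tooling. The function name `gen_fw_rules`, the SNAT design choice and all addresses are assumptions made for illustration; the addresses are constructed samples.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a dedicated firewall
# node that fronts backends reachable only on their private addresses.
# The node also needs net.ipv4.ip_forward=1, or FORWARD never sees traffic.

# gen_fw_rules PUBLIC_IP FW_PRIVATE_IP PORT=BACKEND_IP [PORT=BACKEND_IP ...]
gen_fw_rules() {
    pub=$1; fwpriv=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one PORT=BACKEND mapping" >&2; return 1; }
    nat=""; fwd=""
    for m in "$@"; do
        port=${m%%=*}; backend=${m#*=}
        # Accept only a numeric port and a dotted-quad backend address.
        case $port in ''|*[!0-9]*) echo "bad port: $m" >&2; return 1;; esac
        case $backend in
            ''|*[!0-9.]*) echo "bad backend: $m" >&2; return 1;;
            *.*.*.*) ;;
            *) echo "bad backend: $m" >&2; return 1;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $m" >&2; return 1; }
        # DNAT sends the public port to the backend; SNAT makes the backend
        # reply through this node rather than through its own default route.
        nat="$nat-A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $backend:$port
-A POSTROUTING -d $backend -p tcp --dport $port -j SNAT --to-source $fwpriv
"
        fwd="$fwd-A FORWARD -d $backend -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${nat}COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${fwd}COMMIT
EOF
}

# Constructed sample: two services published through the firewall node.
gen_fw_rules 203.0.113.10 192.168.130.5 80=192.168.130.10 443=192.168.130.11
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it. Because of the SNAT rule the backends see the firewall node's private address as the client, so per-client logging has to happen on the firewall node.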

