I had to put a firewall between our web servers and the database box. I'll confess I wasn't totally convinced it was worth the effort... but I finally did it.
Unfortunately, the device I chose (Linksys RVS4000) is a complete pooch. Oh sure, it has 1Gb interfaces on both sides, but I'm getting way under 100Mb throughput. The next device I tried is more of a traditional firewall and doesn't appear to want to route private addresses (WatchGuard x55e).
So, for those of you who put firewalls between web and db servers, what do you use?
Note: Let's not debate the usefulness of said firewall; in this case it is a client requirement and not up for debate... I just want to get something working without a major performance hit.
If curious, this blog post has more details.
[Updated 10/9/2009] Once I flashed the WatchGuard to the latest major release upgrade (11.0.1), it handles all the routing properly. I'll know more about performance after some testing this weekend.
