[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] RE: [m0n0wall] The future
 Date:  Wed, 12 Oct 2005 20:42:47 -0400
first, I don't want anyone to take any of my comments as personal
attacks.  I respect others' opinions, and am just offering my
counter-opinion.

On 10/12/05, Peter Allgeyer <allgeyer at web dot de> wrote:
>
> My vote goes to OpenBSD, too. Why?
>
> * due to its emphasis on security, as Manuel said it.
>  It's not only build with security in mind, there are also a lot of
>  security related protocols like openssh which were actively pushed by
>  the OpenBSD team.

already debunked that as not really applicable in a firewalling scenario.


> * the integration of pf and carp - pf is IMHO the best filtering
>  language around (if you don't mention netfilter ;-)), very similar to
>  ipfiter (since it's a further development of it), with a lot of
>  features, ipfilter4 should also bring us, but how stable would it be?

pf is definitely the best packet filter.  I don't think even netfilter
stands up features-wise.  The one area Linux has an edge is fixups,
ALG's, whatever you want to call them - kernel-level stuff for
unbreaking stuff that gets broken by NAT.  Though I hear they aren't
all that great anyway, and there are some hacks to fixing the most
common problems (userland daemons, like pftpx, sipproxd, Frickin PPTP,
and others, though I know Manuel doesn't like userland stuff for that
purpose)


> * carp/pfsync: this is the real highlight of OpenBSD and the real cause
>  not choosing Linux/netfilter. A HA application for filtering, just
>  like we know it from the good old Nokia appliances running the very
>  expensive CP software. I can't imagine any better point for OpenBSD as
>  this one, having stateful HA interfaces.
>  Sure both, pf and carp are ported to FreeBSD as well, but nothing is
>  better than the original.

this is Open's only advantage, dealing with anything on something
other than its native OS is going to be a little more difficult.  But
Max Laier, primary porter of pf to FreeBSD has been very helpful on
the freebsd-pf list for the pfsense devs when needed.  He went out of
his way to email us when he stumbled upon the project and offer up
help if any was needed.  Daniel Hartmeier, one of the primary pf devs,
also frequents the freebsd-pf list.  The FreeBSD pf port is not
treated like a bastard step child by any means (if you'll excuse my
bluntness).  :)


> * OpenBSD IPsec implementation (isakmpd), giving us NAT-T, xauth (for
>  cisco vpn clients for example) and filterable (!) Interfaces (one of
>  the major points why I looked at OpenVPN in m0n0)

ipsec-tools provides all the above and then some.  NAT-T kernel
support isn't in FreeBSD just yet though, unfortunately.  It is in
NetBSD.  No idea if/when it'll be supported in Free.


> * Hardware encryption: suports not only the soekris cards but also
>  VIA C3 and the RNG of the Intel motherboards

so does FreeBSD 6.0.


> * better bridging code: STP support and able to be filtered by pf
>

so does FreeBSD 6.0.  (or maybe just pfsense...I can't recall if they
just imported Open's if_bridge, or if it's native in 6)


> OpenBSD uses one filtering language
>

which actually turned out to be a disadvantage for some reason.  The
pfsense devs had captive portal ported to pf, with the idea that it
would then be easier to use it on Open.  The prospects of using Open
were dropped after some people got some images working, and using one
packet filter for the captive portal and firewalling turned out to be
difficult.  (sorry for the lack of details, I'm not a developer in
that camp, I just hang around enough to know what's going on and do
testing, and keep the supporting network/server infrastructure
rolling)

in short, they ditched the pf captive portal and are back to pf for
firewalling, ipfw for captive portal.

cheers,
-Chris