 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] RE: [m0n0wall] The future
 Date:  Thu, 13 Oct 2005 11:45:14 +0200
Hi Chris!

On Wednesday, 12.10.2005, 20:42 -0400, Chris Buechler wrote:
> first, I don't want anyone to take any of my comments as personal
> attacks.  I respect others' opinions, and am just offering my
> counter-opinion.

No problem here. I do like it. Manuel, you forgot to say: May the
flamewar begin ;-) Can anyone remember the distribution wars on
userfriendly (see [1], [2])? Very funny :-))

> > * due to its emphasis on security, as Manuel said it.
> >  It's not only build with security in mind, there are also a lot of
> >  security related protocols like openssh which were actively pushed by
> >  the OpenBSD team.
> 
> already debunked that as not really applicable in a firewalling scenario.
Yes? My mind tells me that if anybody writes such secure software,
he'll also take a deep look into his OS code. The audit process of
OpenBSD convinces me.

> pf is definitely the best packet filter.  I don't think even netfilter
OK, no discussion on that.

> > * carp/pfsync: this is the real highlight of OpenBSD and the real cause

> this is Open's only advantage, dealing with anything on something
> other than its native OS is going to be a little more difficult.  But
> Max Laier, primary porter of pf to FreeBSD has been very helpful on
> the freebsd-pf list for the pfsense devs when needed.  He went out of
> his way to email us when he stumbled upon the project and offer up
> help if any was needed.  Daniel Hartmeier, one of the primary pf devs,
> also frequents the freebsd-pf list.  The FreeBSD pf port is not
> treated like a bastard step child by any means (if you'll excuse my
> bluntness).  :)
All that effort tells me that it is more than "a little more difficult"
to port the code. Although I must admit to the point that the pf port
isn't "treated like a bastard step child by any means".

> > * OpenBSD IPsec implementation (isakmpd), giving us NAT-T, xauth (for
> >  cisco vpn clients for example) and filterable (!) Interfaces (one of
> >  the major points why I looked at OpenVPN in m0n0)
> 
> ipsec-tools provides all the above and then some.  NAT-T kernel
> support isn't in FreeBSD just yet though, unfortunately.  It is in
> NetBSD.  No idea if/when it'll be supported in Free.
I can't see the availability of filtering interfaces (if we don't want
to go with the gif interface). Also, it isn't *yet* in FreeBSD. Another
piece of software that needs to be ported into the FreeBSD kernel? Sounds just
like the patchwork I know from some older Linux kernel versions.

> > * Hardware encryption: supports not only the soekris cards but also
> >  VIA C3 and the RNG of the Intel motherboards
> 
> so does FreeBSD 6.0.

> > * better bridging code: STP support and able to be filtered by pf
> 
> so does FreeBSD 6.0.  (or maybe just pfsense...I can't recall if they
> just imported Open's if_bridge, or if it's native in 6)
Another backport, see above.

> > OpenBSD uses one filtering language
> 
> which actually turned out to be a disadvantage for some reason.  The
[..] 
> (sorry for the lack of details, I'm not a developer in
> that camp, I just hang around enough to know what's going on and do
> testing, and keep the supporting network/server infrastructure
> rolling)
And I do highly honour this. But the details would be really interesting on this
point.

> in short, they ditched the pf captive portal and are back to pf for
> firewalling, ipfw for captive portal.
There are times I want to throw everything away because it did not work
as I expected it to. But since I don't know the details, I won't form
a complete opinion about that.

So why not use FreeBSD 6 for pfsense and build m0n0wall around
OpenBSD? Does it all have to be the same?

BR,
  PIT

[1] http://ars.userfriendly.org/cartoons/?id=19990319
[2] http://ars.userfriendly.org/cartoons/?id=19990227


---------------------------------------------------------------------------
 copyleft(c) by |           Linux: Where Don't We Want To Go Today?  --
 Peter Allgeyer |   _-_     Submitted by Pancrazio De Mauro, paraphrasing
                | 0(o_o)0   some well-known sales talk
---------------oOO--(_)--OOo-----------------------------------------------