Hi Chris!
On Wednesday, 12.10.2005, 20:42 -0400, Chris Buechler wrote:
> first, I don't want anyone to take any of my comments as personal
> attacks. I respect others' opinions, and am just offering my
> counter-opinion.
No problem here. I do like it. Manuel, you forgot to say: May the
flamewar begin ;-) Can anyone remember the distribution wars on
userfriendly (see [1], [2])? Very funny :-))
> > * due to its emphasis on security, as Manuel said it.
> > It's not only built with security in mind, there are also a lot of
> > security related protocols like openssh which were actively pushed by
> > the OpenBSD team.
>
> already debunked that as not really applicable in a firewalling scenario.
Yes? My mind tells me that if anybody writes such secure software,
he'll also take a deep look into his OS code. The audit process of
OpenBSD convinces me.
> pf is definitely the best packet filter. I don't think even netfilter
OK, no discussion on that.
> > * carp/pfsync: this is the real highlight of OpenBSD and the real cause
> this is Open's only advantage, dealing with anything on something
> other than its native OS is going to be a little more difficult. But
> Max Laier, primary porter of pf to FreeBSD has been very helpful on
> the freebsd-pf list for the pfsense devs when needed. He went out of
> his way to email us when he stumbled upon the project and offer up
> help if any was needed. Daniel Hartmeier, one of the primary pf devs,
> also frequents the freebsd-pf list. The FreeBSD pf port is not
> treated like a bastard step child by any means (if you'll excuse my
> bluntness). :)
All that effort tells me that it is more than "a little more difficult"
to port the code. Although I must admit that the pf port
isn't "treated like a bastard step child by any means".
> > * OpenBSD IPsec implementation (isakmpd), giving us NAT-T, xauth (for
> > cisco vpn clients for example) and filterable (!) Interfaces (one of
> > the major points why I looked at OpenVPN in m0n0)
>
> ipsec-tools provides all the above and then some. NAT-T kernel
> support isn't in FreeBSD just yet though, unfortunately. It is in
> NetBSD. No idea if/when it'll be supported in Free.
I can't see the availability of filtering interfaces (if we don't want
to go with the gif interface). Also, it isn't *yet* in FreeBSD. Another
piece of software that needs to be ported into the FreeBSD kernel? Sounds just
like the patchwork I know from some older Linux kernel versions.
> > * Hardware encryption: supports not only the soekris cards but also
> > VIA C3 and the RNG of the Intel motherboards
>
> so does FreeBSD 6.0.
> > * better bridging code: STP support and able to be filtered by pf
>
> so does FreeBSD 6.0. (or maybe just pfsense...I can't recall if they
> just imported Open's if_bridge, or if it's native in 6)
Another backport, see above.
> > OpenBSD uses one filtering language
>
> which actually turned out to be a disadvantage for some reason. The
[..]
> (sorry for the lack of details, I'm not a developer in
> that camp, I just hang around enough to know what's going on and do
> testing, and keep the supporting network/server infrastructure
> rolling)
And I do highly honour this. But the details would be really interesting on this
point.
> in short, they ditched the pf captive portal and are back to pf for
> firewalling, ipfw for captive portal.
There are times I want to throw everything away because it did not work
as I expected it to. But since I don't know the details, I won't form
a complete opinion about that.
So why not use FreeBSD 6 for pfsense and build m0n0wall around
OpenBSD? Does it all have to be the same?
BR,
PIT
[1] http://ars.userfriendly.org/cartoons/?id=19990319
[2] http://ars.userfriendly.org/cartoons/?id=19990227
---------------------------------------------------------------------------
copyleft(c) by          |  Linux: Where Don't We Want To Go Today? --
Peter Allgeyer    _-_   |  Submitted by Pancrazio De Mauro, paraphrasing
                0(o_o)0 |  some well-known sales talk
---------------oOO--(_)--OOo-----------------------------------------------