 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] RE: [m0n0wall] The future
 Date:  Thu, 13 Oct 2005 16:49:00 -0400
On 10/13/05, Peter Allgeyer <allgeyer at web dot de> wrote:
> No problem here. I do like it. Manuel, you forgot to say: May the
> flamewar begin ;-)

no kidding.  ;)

> Yes? My mind tells me that if anybody writes such secure software,
> he'll also take a deep look into his OS code. The audit process of
> OpenBSD convinces me.

yes, it is well audited without a doubt, and sure, it's definitely
secure.  But we're not comparing it to something that's slopped
together half-cocked by developers who half don't know what they're
doing.  If we were comparing it to Linux, I'd give you that one.  ;)
(calm down Linux fans, I'm at least half joking)  ;)

My point still stands - 2 years of m0n0wall and 0 security patches
required because of FreeBSD.  Open couldn't be any more secure.

> All that effort tells me, that it is more than "a little more difficult"
> to port the code.

not really.  The main problems thus far in 6 have been people
committing other things that would break CARP, or something like that.
That's happened...I believe twice.

In 5.x, it was a completely different story.  It'd kernel panic like
it was going out of style.  pfsense started on 5.x, and moved to 6.x
and hasn't looked back.

> I can't see the availability of filtering interfaces (if we don't want
> to go with the gif interface). Also it isn't *yet* in FreeBSD.

it's all fine with FreeBSD except the NAT-T support.  The ipsec-tools
project has a patch.

I don't see that small change being a big deal.  Even with 4.x, we
have a number of patches specific to m0n0wall.

> > > * better bridging code: STP support and able to be filtered by pf
> >
> > so does FreeBSD 6.0.
> Another backport, see above.

so is FreeBSD's current dhclient, they all work just as well as they
do on Open.  Just more examples of how when things are better in Open,
they make their way into Free.

> So why not use FreeBSD6 for pfsense and build m0n0wall around
> OpenBSD? Does it all have to be the same?

no, but we need to make sure we're choosing the best platform for the
user base.  For the many reasons previously addressed, Open is not the
best platform.