 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] RE: [m0n0wall] The future
 Date:  Thu, 13 Oct 2005 16:49:00 -0400
On 10/13/05, Peter Allgeyer <allgeyer at web dot de> wrote:
>
> No problem here. I do like it. Manuel, you forgot to say: May the
> flamewar begin ;-)

no kidding.  ;)


> Yes? My mind tells me, that if anybody writes such a secure software
> he'll also take a deep look into his OS code. The audit process of
> OpenBSD convinces me.
>

yes, it is well audited without a doubt, and sure, it's definitely
secure.  But we're not comparing it to something that's slopped
together half-cocked by developers who half don't know what they're
doing.  If we were comparing it to Linux, I'd give you that one.  ;) 
(calm down Linux fans, I'm at least half joking)  ;)

My point still stands - 2 years of m0n0wall and 0 security patches
required because of FreeBSD.  Open couldn't be any more secure.


>
> All that effort tells me, that it is more than "a little more difficult"
> to port the code.
>

not really.  The main problems thus far in 6 have been people
committing other things that would break CARP, or something like that.
That's happened...I believe twice.

In 5.x, it was a completely different story.  It'd kernel panic like
it was going out of style.  pfsense started on 5.x, and moved to 6.x
and hasn't looked back.


> I can't see the availability of filtering interfaces (if we don't want
> to go with the gif interface). Also it isn't *yet* in FreeBSD.

it's all fine with FreeBSD except the NAT-T support.  The ipsec-tools
project has a patch.
http://groups.google.com/group/mailing.freebsd.net/browse_thread/thread/2672a5276b82bc14/7ceb9e5414b17e4%237ceb9e5414b17e4?sa=X&oi=groupsr&start=1&num=3

I don't see that small change being a big deal.  Even with 4.x, we
have a number of patches specific to m0n0wall.


> > > * better bridging code: STP support and able to be filtered by pf
> >
> > so does FreeBSD 6.0.
>
> Another backport, see above.
>

so is FreeBSD's current dhclient, they all work just as well as they
do on Open.  Just more examples of how when things are better in Open,
they make their way into Free.


>
> So why not use FreeBSD6 for pfsense and build m0n0wall around
> OpenBSD? Does it all have to be the same?
>

no, but we need to make sure we're choosing the best platform for the
user base.  for the many reasons previously addressed, Open is not the
best platform.

-Chris