 From:  "Bjoern Euler (Lists at edain)" <lists at edain dot de>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] The future - summary
 Date:  Fri, 14 Oct 2005 00:23:46 +0200
> About the operating system - seems like opinions diverge largely on
> this topic. Some think OpenBSD is the way to go, others claim that
> FreeBSD 6 would be a better choice (hardware/wireless support,
> performance), there are some DragonFly advocates, some think highly
> of netfilter/iptables and others consider it crap compared to pf.
> This is going to be a difficult question, and I'd appreciate if
> someone (Chris? ;) could put together some kind of feature matrix so
> that all the advantages and disadvantages are clear and can be
> weighed up. 

Quick comment: I vote for NetBSD

Long comment:
First, a little background:
I have a job in a small company that sells firewalls based on NetBSD. We 
also offer consulting, 3rd party products for internet security, etc. 
But everything is built around the firewalls.
We are working together with a small development team that builds the 
firewall images, and we do the management and documentation. This has been 
going on for 4 years now and we have never had problems with NetBSD.

The design of our firewall is similar to m0n0wall. We sell it on

i386 hardware (nexcom)
256MB Ram
32/64MB compact flash (firmware is 7MB zipped)
 >3 NICs

Features include:
-improved isakmpd (x-auth, radius support for x-auth, dpd, nat-t, 
sha-1/aes for phase 1, ike-mode-cfg, udp-encap, dns-support)
-ipfilter with in/out filtering in GUI (to filter IPSec traffic going 
out of an interface, a very important feature that m0n0wall lacks)
-High availability (no CARP) with virtual MACs, automatic configuration 
update in the cluster and IPSec SA update
-firmware file 7MB, runs in memory
-failsafe kernel (called bootloader) that is able to do a firmware 
update if anything goes wrong
-SSH support
-Cisco-like shell (parser) for debugging/basic configuration
-central daemon (written in C) that configures the various config files 
and forks other daemons
-watchdog daemon that looks after all other daemons
-DSL (kernel support)

Unfortunately we currently lack traffic shaping, but it's on the roadmap.

Why do I vote for NetBSD?
We switched to NetBSD 2.0 this year, but if I had the choice now I 
would go for 3.0. The m0n0wall team now has the choice.
I think NetBSD unites the best features of OpenBSD and FreeBSD, and 
some more:
-nearly as fast as FreeBSD 4.11
-pf and ipf support
-some wireless support (including Atheros)
-huge platform support that would give m0n0wall the possibility to run 
on many more reliable embedded hardware platforms
-the knowledge that the good stuff from FreeBSD and OpenBSD will be 
ported to NetBSD