> About the operating system - seems like opinions diverge largely on
> this topic. Some think OpenBSD is the way to go, others claim that
> FreeBSD 6 would be a better choice (hardware/wireless support,
> performance), there are some DragonFly advocates, some think highly
> of netfilter/iptables and others consider it crap compared to pf.
> This is going to be a difficult question, and I'd appreciate if
> someone (Chris? ;) could put together some kind of feature matrix so
> that all the advantages and disadvantages are clear and can be
> weighed up.
Quick comment: I vote for NetBSD
I first give a little background:
I have a job in a small company that sells firewalls based on NetBSD. We
also offer consulting, 3rd party products for internet security, etc.
But everything is built around the firewalls.
We are working together with a small development team that builds the
firewall images and we do the management and documentation. This
has been going on for 4 years now and we never had problems with NetBSD.
The design of our firewall is similar to m0n0wall. We sell it on
i386 hardware (nexcom):
-32/64MB compact flash (firmware is 7MB zipped)
-improved isakmpd (x-auth, radius support for x-auth, dpd, nat-t,
sha-1/aes for phase1, ike-mode-cfg, udp-encap, dns-support)
-ipfilter with in/out filtering in the GUI (to filter IPSec traffic going
out of an interface, very important feature that m0n0wall lacks)
-High Availability (no CARP) with virtual MACs, automatic configuration
update in cluster and IPSec SA update
-firmware file 7MB, runs in memory
-failsafe kernel (called bootloader) that is able to do a firmware
update if anything goes wrong
-Cisco-like shell (parser) for debugging/basic configuration
-central daemon (written in C) that configures the various config files,
forks other daemons
-watchdog daemon that looks after all other daemons
-DSL (kernel support)
Unfortunately we currently lack traffic shaping, but it's on the roadmap.
Why do I vote for NetBSD?
We have switched to NetBSD 2.0 this year, but if I now had the choice I
would go for 3.0. The m0n0wall team now has the choice.
I think NetBSD unites the best features of OpenBSD/FreeBSD and still offers:
-nearly as fast as FreeBSD 4.11
-pf and ipf support
-some wireless support (including Atheros)
-huge platform support that would give m0n0wall the possibility to run
on many more embedded, reliable hardware platforms
-the knowledge that the good stuff from FreeBSD and OpenBSD will be
ported to NetBSD