Manuel
> Well, I've got the impression that FreeBSD is less picky about
> hardware (I've had machines that wouldn't boot an OpenBSD kernel
> properly but didn't have any problems with FreeBSD), which seems to
> be an important point with people running m0n0wall on all kinds of
> junk PCs. My last performance benchmarks are already several months
> old, but at least back then, FreeBSD was considerably faster
> (measured network throughput). And I'm sorry, but reading some of the
> messages from OpenBSD's founder didn't make me feel like switching.
> Then again, the story involves the founder of ipfilter as well...
> Please tell me never to touch a keyboard again if I ever end up like
> that.
>
Well there is no doubt that OpenBSD is slower than FreeBSD. There was quite a
lot of discussion about this earlier in the year - it really is a security v.
performance compromise, although there have been some speedups inserted into
3.6.
I think it is important to differentiate between performance as a router,
versus performance as a firewall. I can't find the item in my archive, but
the indications are that pf is a lot faster than ipf and that this probably
makes up some of the lost ground.
I personally have not had a problem running OpenBSD on old junk PCs, but I
note from the release notes in both 3.5 and 3.6 that a lot more oddball
chipsets are now supported than previously.
As for Theo - well I have to agree that the guy is a looney :-)
It is aggravating that this means slow progress in integrating some new
features (VRRP, NAT-T, etc) until the OpenBSD team come up with their own
unencumbered solution. But, these features don't exist in FreeBSD anyway!
> > I have no experience at all of using pf on FreeBSD, so I do not
> > know if the same level of integration and functionality achieved
> > on OpenBSD is available under FreeBSD 5.3, but my experience of
> > using it on OpenBSD leaves me in no doubt at all of which firewall
> > is the best (and it isn't ipf).
>
> Yeah, agreed, pf really makes a cleaner impression. However, I'm not
> convinced the integration into FreeBSD is good enough yet. pf should
> be run under OpenBSD, which it was designed for, but the concerns
> listed above prevent switching m0n0wall to OpenBSD.
>
Points taken - for what it's worth I think you are right and that the focus
should be on FreeBSD 5.3 and ipf. Let's see how pfsense pans out before
opening the can of worms that is pf on FreeBSD.
Peter
--
----------------------------------------------------------------------------
Peter Curran Leveraging Internet Technology
Close Consultants for Businesses
p: +44-1225-463700
f: +44-1225-463705
e: peter at closeconsultants dot com
sip: peter at closeconsultants dot com