[ previous ] [ next ] [ threads ]
 
 From:  "Chris Dickens" <chris at object dash zone dot net>
 To:  "'Peter Curran'" <peter at closeconsultants dot com>
 Cc:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] any plans on switching to pf?
 Date:  Wed, 10 Nov 2004 08:12:49 -0500
Does this pf on OpenBSD support bouncing of packets from the internal
network on external IPs as I've been constantly flustered with m0n0wall's
inability to do?

From a 100 mile up perspective, how much trouble could it truly be to chop
down OpenBSD to the basics like Manuel has done and port the web interface
over to the OpenBSD platform then let everyone try and decide for themselves
which is better?  Isn't the source code available for porting?  I'm sure
minihttp and php and those things are also available on OpenBSD...

--Chris

-----Original Message-----
From: Peter Curran [mailto:peter at closeconsultants dot com] 
Sent: Wednesday, November 10, 2004 6:16 AM
To: Manuel Kasper
Cc: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: Re: [m0n0wall-dev] any plans on switching to pf?


Manuel

> Well, I've got the impression that FreeBSD is less picky about 
> hardware (I've had machines that wouldn't boot an OpenBSD kernel 
> properly but didn't have any problems with FreeBSD), which seems to be 
> an important point with people running m0n0wall on all kinds of junk 
> PCs. My last performance benchmarks are already several months old, 
> but at least back then, FreeBSD was considerably faster (measured 
> network throughput). And I'm sorry, but reading some of the messages 
> from OpenBSD's founder didn't make me feel like switching. Then again, 
> the story involves the founder of ipfilter as well... Please tell me 
> never to touch a keyboard again if I ever end up like that.
>

Well there is no doubt that OpenBSD is slower than FreeBSD.  There was quite
a 
lot of discussion about this earlier in the year - it really is a security
v. 
performance compromise, although there have been some speedups inserted into

3.6.

I think it is important to differentiate between perfromance as a router, 
versus performance as a firewall.  I can't find the item in my archive, but 
the indications are that pf is a lot faster than ipf and that this probably 
makes up some of the lost ground.

I personally have not had a problem runing OpenBSD on old junk PC's, but I 
note from the release notes in both 3.5 and 3.6 that a lot more oddball 
chipsets are now supported than previously.

As for Theo - well I have to agree that the guy is a looney :-) It is
aggravating that this means slow progress in integrating some new 
features (VRRP, NAT-T, etc) until the OpenBSD team come up with their own 
unencumbered solution.  But, these features don't exist in FreeBSD anyway!

> > I have no experience at all of using pf on FreeBSD, so I do not know 
> > if the  same level of integration and functionality achieved on 
> > OpenBSD is available  under FreeBSD 5.3, but my experience of using 
> > it on OpenBSD leaves me in no  doubt at all of which firewall is the 
> > best (and it isn't ipf).
>
> Yeah, agreed, pf really makes a cleaner impression. However, I'm not 
> convinced the integration into FreeBSD is good enough yet. pf should 
> be run under OpenBSD, which it was designed for, but the concerns 
> listed above prevent switching m0n0wall to OpenBSD.
>

Points taken - for what its worth I think you are right and that the focus 
should be on FreeBSD 5.3 and ipf. Lets see how pfsense pans out before 
opening the can of worms that is pf on FreeBSD.

Peter

-- 
----------------------------------------------------------------------------
Peter Curran				  Leveraging Internet Technology
Close Consultants			       for Businesses
p: +44-1225-463700			 
f: +44-1225-463705			  
e: peter at closeconsultants dot com		  
sip: peter at closeconsultants dot com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch