Justin Ellison wrote:
> Are you still a member of the m0n0wall lists? With all the discussions
> on the future of m0n0wall, and many people asking for a switch to
> OpenBSD, I've been looking for some input from you. Have you completed
> your port? I know you switched to pfSense, but I can't remember why.
>
> If you're not part of the lists, and don't care to re-subscribe, is it
> OK if I post your responses to the dev list?
Part of the list, but can't keep up (busy at work and other things).
And I hope to get some time this weekend to test and mod m0n0wall 1.2 ;) .
Background -- I wanted to port m0n0wall to OpenBSD for a couple of
reasons. Most important were ipsec compression and dynamic ipsec endpoints.
I actually had OpenBSD and pfSense booting and pf coming up. I started
with m0n0wall, but pfSense was easier with the firewall already
generating pf rulesets. And it was dang small -- not as fast as
m0n0wall (fbsd4+ipf), but fine for me on a wrap (didn't test net45xx).
I think I had openbsd's idle loop bugfix in, but I can't recall.
While things like the ipsec and interface configuration could be
recoded, I found some major "gotchas". Mainly that Netgraph and mpd are
*very* hard to replace. They combine the flexibility of userspace
negotiation with the speed of kernel mode for pppoe and pptp connections
-- and you need that speed for the low end devices that connect
through pppoe or have pptp clients.
Therefore I would investigate NetBSD. It is small and has low end
hardware in mind. It also has Netgraph (but don't quote me on that) and
a pretty nice ipsec stack (same tools as freebsd 6). If it has pf
(probably), the pfsense code would make a nice starting point for the
firewall code. The rest would be details . . .
While OpenBSD has great security and has the nicest pf, without netgraph
and mpd it is not the best fit for m0n0wall (IMHO). Now if someone
wanted to port netgraph to open, that would be the best (IMHO) -- I'd even
donate money to get it done and I'm sure others would.
Just my limited view of some os options. Please email me direct if you
have other questions about the port -- I'll try to check the list, but...
Best of luck,
Jeb
--
Jeb Campbell
jebc at c4solutions dot net |