 From:  Jeb Campbell <jebc at c4solutions dot net>
 To:  Justin Ellison <justin at techadvise dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  The Future -- was (Re: m0n0wall + openbsd)
 Date:  Fri, 14 Oct 2005 11:15:12 -0500
Justin Ellison wrote:
> Are you still a member of the m0n0wall lists?  With all the discussions
> on the future of m0n0wall, and many people asking for a switch to
> OpenBSD, I've been looking for some input from you.  Have you completed
> your port?  I know you switched to pfSense, but I can't remember why.
> 
> If you're not part of the lists, and don't care to re-subscribe, is it
> OK if I post your responses to the dev list?

Part of the list, but can't keep up (busy at work and other things).
And I hope to get some time this weekend to test and mod m0n0wall 1.2 ;) .

Background -- I wanted to port m0n0wall to OpenBSD for a couple of 
reasons.  Most important were ipsec compression and dynamic ipsec endpoints.

I actually had OpenBSD and pfSense booting and pf coming up.  I started 
with m0n0wall, but pfSense was easier with the firewall already 
generating pf rulesets.  And it was dang small -- not as fast as 
m0n0wall (fbsd4+ipf), but fine for me on a wrap (didn't test net45xx). 
I think I had openbsd's idle loop bugfix in, but I can't recall.

While things like the ipsec and interface configuration could be
recoded, I found some major "gotchas".  Mainly that Netgraph and mpd are
*very* hard to replace.  They combine the flexibility of userspace
negotiation with the speed of kernel mode for pppoe and pptp connections
-- and you need that speed for the low end devices that connect
through pppoe or have pptp clients.

Therefore I would investigate NetBSD.  It is small and has low end 
hardware in mind.  It also has Netgraph (but don't quote me on that) and 
a pretty nice ipsec stack (same tools as freebsd 6).  If it has pf 
(probably), the pfsense code would make a nice starting point for the 
firewall code.  The rest would be details . . .

While OpenBSD has great security and has the nicest pf, without netgraph
and mpd it is not the best fit for m0n0wall (IMHO).  Now if someone
wanted to port netgraph to open, that would be the best (IMHO) -- I'd even
donate money to get it done and I'm sure others would.

Just my limited view of some os options.  Please email me direct if you 
have other questions about the port -- I'll try to check the list, but...

Best of luck,
Jeb
-- 
Jeb Campbell
jebc at c4solutions dot net