[MLUG] [ot] Looking for high performance open source firewall

Jean-Francois Theroux jf at theroux.ca
Wed Dec 17 11:15:31 EST 2008


One thing I don't like about OpenBSD's default installation: it comes with
Apache, FTPD, Bind, etc.

Maybe for the purpose of a firewall/router, NetBSD would be better suited.
The minimal install is roughly 20MB (or was last I installed it). Then you
can add CARP + PF.

Just a thought.

On Wed, Dec 17, 2008 at 11:04 AM, The Anarcat <anarcat at anarcat.ath.cx> wrote:

> On Wed, Dec 17, 2008 at 10:52:13AM -0500, David Filion wrote:
> > Both m0n0wall and pfSense (both BSD based) support a bridged mode which
> > is what I'm looking for.   I just prefer doing setups like this by hand
> > so I get a better understanding of what is happening under the hood.
> > Especially handy when the s**t hits the fan and you need to make
> > adjustments fast.  But sometimes getting things up and running fast is
> > more important.
>
> That's especially difficult with monowall, as, last time I heard, it
> wasn't providing even a shell into the system. You basically need to
> trust it to do the right thing from your clickety configuration, which I
> find generally annoying.
>
> Pfsense provides a shell if you activate it through the clickety
> interface, but then you have very limited resources: no man pages, no
> tcpdump (iirc); it feels very dark and lonely in there.
>
> For those reasons, we've set up an OpenBSD firewall. I'm still uncertain
> about our choice because we've been using FreeBSD for a general purpose
> server before and now we've added another OS to our ever growing list of
> systems, which is not good, but then again, the idea is to go to the
> simpler tool, which supports all the goods (pf, CARP and others) out of
> the box.
>
> Besides, we don't need all the bells and whistles and shiny packages
> that FreeBSD provides. We just need to export data with netflow and SNMP
> and then more general-purpose machines can handle data processing.
>
> In fact, we're basically building a process where we can take a Soekris
> box, install a basic OpenBSD image on it + Puppet and have new router
> nodes automatically configured. So less is best here.
>
> A.
>
> --
> If builders built houses the way programmers built programs,
> The first woodpecker to come along would destroy civilization.
>                        - Gerald Weinberg


-- 
Jean-François Théroux
Linux/network security consultant
http://www.theroux.ca

