OpenBSD or Linux Firewall?

Jeffrey Pyne plug-discuss@lists.plug.phoenix.az.us
Tue, 22 Jan 2002 14:28:03 -0700


On January 17, 2002 J.Francois wrote:

> I feel like I stepped into a vi vs. emacs or csh vs. ksh thread :)

Didn't mean to start one of THOSE threads (although we all know that vi and
ksh are MUCH better than their counterparts).  :)

> It really isn't a question of which is better but which you know best.
> Your security will be at its peak if you fully understand what tool you 
> are using.

Exactly.  I am more familiar with OpenBSD firewalling at this moment.  But
if there is something about Linux about which I am unfamiliar which would
make it worth my while to investigate using it as a firewall, then maybe I
would consider making the switch.  I wasn't hoping for "Linux is 'better'
than OpenBSD," or vice versa.  I was just curious what people's opinions
were regarding the relative merits of each platform, and what people's
personal experiences had been.  And I was actually hoping that you,
specifically, would chime in since you are one of the few BSD heretics that
dares rear his/her head 'round these parts.  :)  

> if you are comfortable with ipfilter (now ipf), changing to ipchains will
> mean learning a new syntax. I would do that on an internal system and leave
> the battle tested config running until I felt comfortable enuff to switch it out.
> I stopped using Linux for firewalling because I got tired of each change
> to the firewalling command and syntax and wanted something a little less
> changeable.

Good points.  I guess what I'm trying to do is weigh the advantage of
learning a new tool (which, to me, is a benefit in and of itself) against
the advantage of sticking with something that I know well enough that it
allows me to concentrate on other things (e.g. learning PHP, or trying to
decide between Bonds or Griffey for my fantasy baseball team).

> I also found that the ipfilter syntax and features just plain rocked.

I could not agree more.
 
> I use OpenBSD 2.8 for my firewall and love it. I will be going 3.0 soon.

I think that's what I will probably end up doing.  After Cox seemed to have
finally yanked the plug on me for not using DHCP, I just ran 'dhclient ne0'
on my firewall last night, and *BAM*, I was back on the air.  For some
reason I never had much success using pump or dhcpcd to connect a Linux box
to Cox' network, and I was quite pleasantly surprised at how easy it was to
get DHCP working with OpenBSD.  Unless someone has a testimonial about why
Linux makes a killer firewall which is compelling enough to make me switch
(I am very intrigued by Tom Achtenberg's e-smith suggestion and will
probably play with that), I will probably upgrade to OpenBSD 3.0 in the next
couple weeks.

> I started using FreeBSD more in the last year because ipfw can do
> Equal Cost Multipath Routing without fiddling with add on tools like iproute
> and ipfw kicks ass for simulating WAN testing, dynamic rulesets, and other
> cool stuff.
> The VPN setup is a breeze with racoon or isakmpd, I can email you the file
> I have on connecting to Checkpoint, I think I still have it around somewhere.

I would be VERY interested in that.  I will try to get that working myself,
but it's always nice to have a cheat-sheet against which to do sanity
checks.
 
> FWIW, keep OpenBSD and still train yourself on ipchains.
> Have a dual boot system so you can try out new rules on both and do a
> real comparison of which firewalling setup you are the most comfortable with.
> 
> The BSD Heretic (JLF) Sends...
> 
> My .02

Good ideas, thanks for the input.

~Jeff