Firewall update - OpenBSD wins

Short story: If you need a dedicated UNIXy firewall, you really can’t do any better than this:

# uname -sr
OpenBSD 4.0

Long story: I’ve been playing around with a WRAP board as my home firewall for a while now. (WRAP is basically a ready to go x86-ish PC-ish computer on a board). It’s a lot more fun than running dd-wrt on a Linksys WRT54GL, if only because I got to try manually bootstrapping a couple BSD and Linux kernels. And hey, it’s cool to setup a bare embedded board on the workbench, dangle cables off it, and build a custom case to stick it in. It’s a lot more functional, too, since you’ve got quite a bit more “oomph” in terms of CPU and memory than the WRT54G. At some point I put m0n0wall (a free embedded firewall software package based on FreeBSD) on it and it’s been doing firewall duty on my desk ever since. Well, until a couple weeks ago, when I did some wiring in the house and built a cage up in the corner of the garage to hold all the networking equipment.. and I dropped my WRAP box 8 feet onto the concrete floor. Apparently my custom WRAP case wasn’t as strong as I had hoped… Ooops.

Since I didn’t care about noise out in the garage, I just grabbed my (now retired) Soltek Qbic SFF to use until I could replace the WRAP. “I’ll just pop Linux on there and use iptables” I thought. And then I remembered how much I’d come to hate iptables last month…

What happened was I had to select a new firewall platform for a client that was replacing some aging PIX 515’s. They wanted near gigabit performance, and had some pretty grand desires in terms of QoS on top of the normal requirements of stateful packet filtering. Before they handed over money to Cisco for the latest generation of PIX, they wanted to take a look at possible alternatives. They had three primary complaints with the PIX:

The PIX CLI is functional, but the IOS-like interface makes annotating the live config nearly impossible.
The PIX’s stateful inspection ain’t that hot (lots of “bad shit” making it through the PIX) and they had to turn off nearly all of the fancier “fixup” features or performance went to hell.
Complete lack of QoS on the PIX wasn’t a show stopper, but they definitely wished they could do the QoS stuff on the same box as the packet filtering.

I prepared a short list and we tested a bunch of setups, including commercial solutions like Checkpoint and free solutions like Linux iptables, FreeBSD/OpenBSD’s “pf“, and ipfilter on Solaris. In the end OpenBSD and it’s home-grown “pf” emerged victorious. There were a few key reasons why OpenBSD was the best fit, even though the client is a Linux/Windows shop:

OpenBSD’s pf uses an ipfilter-inspired configuration syntax that’s really intuitive, easy to read, and easy to annotate. This was a really, really big deal.
OpenBSD’s default install is rediculously barebones. Referencing just a couple notes from me, the client was able to do an OpenBSD install from disc and have a secure, functioning firewall in about 30 minutes.
Performance, even with QoS features enabled, stayed strong throughout the testing.
A mostly-default config, with pf’s “scrub” enabled, withstood the wide variety of DoS attacks we threw at it better than any of the other systems.

Overall, it really came down to the fact that OpenBSD did the right thing by default. Which is a huge factor in reducing complexity and errors, and increasing operator confidence. Sure, we could have built a stripped down Jumpstart for Solaris, but we didn’t have to change a thing in OpenBSD. Sure, we did get iptables doing nearly everything that pf was doing, but it took, literally, a dozen hours of trial-and-error testing, and several hundred more lines of difficult to grok config statements. Our OpenBSD pf config stayed small and to the point. Checkpoint did fairly well, but was overaly complex and quite non-intuitive. The Checkpoint simply cost too much in terms of capital outlay and in the time required for the team to learn it. In the end, although they had no experience with a BSD, they felt good about the OpenBSD/pf setup, and everyone agreed that it was worth putting a box into production to see how well it held up in the real world. We did that a month ago, and they’re now preparing to bring two more OpenBSD boxes online to replace the PIXes. Happy.

Which brings me, rather verbosely, to my home firewall. What do I run on it? I realized that the same logic that put OpenBSD on top of nearly every evaluation category for the web hosting client also made sense for home. So, unsurpisingly, I’m running OpenBSD 4.0, and I think I’ll keep it that way. I cancelled my WRAP order for now. We’ll see how well the little Qbic holds up in the garage.

About this entry

You’re currently reading “Firewall update - OpenBSD wins,” an entry on VMUNIX Blues

Published:: 12.13.06 / 12pm

Category:: sysadmin, linux, openbsd

About

VMUNIX Blues is written by me, Mark Mayo, in Vancouver, BC. I like unix, coding, and the web, and naturally most articles I write here have something to do with what I like. If commenting on an article isn’t your style, you can always email me — mark (at) vmunix.com.

Recent Comments

Vic: I'm using ESX3 for the very first time. I have 6 nics on a SUN blade and have decied to 3 teams of 2 NICS. I...

darkfader: Hi, synchronous NFS often seems faster even than iSCSI that might take like a minute to get all your data...

Paul Fox: http : / / w w w crispdemoncouk click on the tools page to find the source to dtrace. no guarantees it...

mark: Joe: Gigabit. SHEP: I've been gloriously VDI ignorant, and plan to stay that way. Desktops == pain. No thanks....

mark: Great to see someone forging ahead regardless of license issues, Paul. Good luck with the port! I'd certainly...

Kint 12.13.06 / 2pm

Glad you’ve decided to try OpenBSD. Been running it myself for various tasks since 2.6. It really IS a charm to work with, and the man pages can’t be beaten.

Another great thing that PF does as good as / better than Cisco is failover, with CARP and pfsync. Check it out!

Great blog, by the way. I found it through your “Top 10 Solaris Installation Annoyances” post, which made me piss my pants in laughter, I should add.

mark 12.13.06 / 3pm

Thx Kint. I actually used OpenBSD for some firewalling duty back in the 2.3/2.4 era when ipfilter and SSH1 were still king. I was mostly using FreeBSD and Solaris at the time, and respected a lot of the innovative security work being done in OpenBSD. I liked ipfilter enough that after I used it in OpenBSD I opted to use ipfilter in FreeBSD and Solaris too, and did for many years. But for whatever reasons I just haven’t touched OpenBSD since. I think I did a 2.6 install at some point, but IIRC I hit some hardware issue and went to FreeBSD instead.

The CARP pfsync combo is pretty kick ass, eh? I was blown away that it worked perfectly right out of the box.

The pair of boxes that will be replacing the PIX515s are running CARP/pfsync. We went with the fastest single-core Opteron processor we could buy, which seems to be enough to saturate a gigabit pipe with relative ease. OpenBSD’s ability (or lack thereof) to take advantage of multiple CPU cores might limit it in some deployments… but for most shops pf’s performance is good enough to move a lot of traffic on a single, modern CPU core.

The raw “BSDness” of the OpenBSD install and config procedure was like a pleasant stroll down memory lane. I’m guessing it would be appear shockingly primitive for modern Linux admins, in the complete opposite way that the Solaris installer I ranted about would seem bizarre.

Matty 12.13.06 / 3pm

I also use pf and altq, and dig the fact that the OpenBSD ports collection has numerous tools for monitoring pf firewalls. If you haven’t used pfstat, pftop, ifstat and company, you should check them out.

- Ryan

Kint 12.13.06 / 4pm

Mark, if you’re going to be running serious bandwidth down those OpenBSD boxes, don’t forget to crank up the default state limit!

Have fun!

mark 12.13.06 / 4pm

I did bump into the state limit during testing. Good tip for anybody reading this, though. Merci!

Marco 12.14.06 / 2am

Mark,

I am currently considering building a home network… Didn’t really need one up to now.

Would you recommend buying such a WRAP board, and using it with OpenBSD as a firewall/router? I don’t have any spare computers, and I would like it to be small.

Greg 12.14.06 / 2am

Having deployed pf @ a number of sites, the hosting platform is key.

For high packet rate traffic, I have found that PF on FreeBSD with em nics, polling enabled will perform a mite better.

If the system is going to be used for anything other than basic packet filtering, I have found Free to be a lot less hassle to maintain/update than Open TBH.

Performance wise, A DL-385 with 2.4 gig opteron & 6 * em running PF on FreeBSD filters 1.5-2 gigbits/sec without sweating.

Greg

Saint Aardvark 12.14.06 / 4pm

Another vote for “easy to read”. I’ve used iptables and ipfw, and pf just blows them both away. Things *make sense* in pf.

For the record, OpenBSD also works well in laptops, too; I installed it for a lark on mine (Toshiba A2) and it’s worked very, very well.

mark 12.18.06 / 6pm

Marco: yeah, the WRAP boards are nice cause they’re small and silent. There’s more work to get it going compared to just picking up a WRT54GL and flashing it with dd-wrt, but if you’re like me, that’s part of the fun.

Ian 01.10.07 / 7am

I bought a WRAP quite recently. I didn’t really have the time to go fiddling round installing m0n0wall on it (though I did install Smoothwall myself on a previous old PC I used as a router) so I went for a preinstalled box. Literally all you need to do is plug the LAN in one socket and the WAN in the other and you are go.

When I say a preinstalled box, basically they put together the board, a case, a power supply, and a CF card with m0n0wall preinstalled. Only cost a tiny bit more than buying all the bits individually.

Tom 01.23.07 / 4pm

Soekris also makes nice systems (www.soekris.com). And you can get them with small cases.

But since pf is supported on FreeBSD, and FreeBSD probably has fresher drivers from intel hardware (6.2-RELEASE has a new em driver direct from Intel). Plus, does OpenBSD have an equivelent of net.inet.ip.fastforwarding? On a dedicated firewall/router FreeBSD box, it makes a big difference, as it is handles the entire packet in one interrupt.

mark 01.23.07 / 9pm

Hi Tom. Yeah, I like the Soekris too, it’s a better product than the WRAP, but they do demand a hefty price premium…

You’re right that FreeBSD will almost certainly be faster. Better network drivers (em in particular, with polling support), and fastforwarding rocks. See Mike Tancsa’s testing for confirmation of that (although Linux is still faster, IIRC). But if the OpenBSD implementation provides enough throughput (it did at home, obviously, and for the recent client install) I’d still stick with it instead of FreeBSD for pure firewall duty. I just trust the OpenBSD guys to have “done the right thing” security-wise, and in a firewall, that’s important to me.

Dez Blanchfield 02.26.07 / 3am

Seriously,

I’ve got to state for the record that there is a best of both worlds option here.

m0n0wall has to be one of the best firewall platforms I’ve seen for a long long time, and I’ve tried them all, and I’ve developed a few myself.

pfSense has built on top of what m0n0wall gives us, but after running pfSense for a while I’m planning a return to m0n0wall soon.

With it’s FreeBSD 6.x base, the safe secure and simple web based interface, and surprisingly quick performance, it’s a firewall I’d recomend not just for use at home, but for small to medium sized firms, and even service providers.

Running it [m0n0wall] from a live cd, and using a USB stick or floppy to save the configs on, is just too darn easy, and all you need is a stack of old PC’s laying around to run one up, or replace a system if it fails.

I’m a huge fan of the entire world of magic that is OpenBSD, but when it comes to time and simplicity, m0n0wall has to take the cake.

note: make sure you check out it’s sister project FreeNAS for Network Attached Storage if you’ve got time too.

Cheers,

Dez

—
Dez Blanchfield
http://TheStorageForum.COM

pmk 05.08.07 / 5pm

Hey there:

Any benchmarks/hardware specs on the near-gigabit OpenBSD deployment? Given the ridiculous prices on truly gigabit-capable firewall gear and the terrible performance of iptables/netfilter at high PPS rates, rolling our own from OpenBSD or FreeBSD is attractive.

Thijs 06.04.07 / 2am

Nice story. I’ve been running OpenBSD for firewalls since version 2.9 or so. I also swapped my PIXes for older compaq small form factor PC’s running OpenBSD. For reliability, I swapped the harddisks for a compact flash IDE adapter and 1GB CF cards. My complete install including the fabulous OpenVPN are on this card and OpenBSD is running fine on it. Now only the power supply can still break. And that didn’t happen yet.

Great choice!

Florin Andrei 10.08.07 / 10am

I can’t get OpenBSD 4.1 to route 1 gigabit of traffic with pf enabled. Mostly default settings. Linux can route 1 gig no problem, OpenBSD fails badly. More details here:

http://marc.info/?t=119154934300001&r=1&w=2

Marcus Aurelius 11.07.07 / 12pm

Anything further on building a gigabit firewall box with Linux or *BSD software? Anyone have a link to a detailed how to article on this? I’m experimenting but I’d rather not reinvent the wheel… Building one of the first community owned and operated very high speed fibre optic networks in Canada… Very sweet stuff, needs an inexpensive firewall solution! Help much appreciated, tx MA

VMUNIX Blues

Firewall update - OpenBSD wins

About this entry

18 Comments

Have your say

About

Recent Articles

Recent Comments

Flickr Photos

Monthly Archives