Comments on: Firewall update - OpenBSD wins

By: Marcus Aurelius

Marcus Aurelius — Wed, 07 Nov 2007 20:40:41 +0000

Anything further on building a gigabit firewall box with Linux or *BSD software? Anyone have a link to a detailed how to article on this? I’m experimenting but I’d rather not reinvent the wheel… Building one of the first community owned and operated very high speed fibre optic networks in Canada… Very sweet stuff, needs an inexpensive firewall solution! Help much appreciated, tx MA

By: Florin Andrei

Florin Andrei — Mon, 08 Oct 2007 18:19:58 +0000

I can’t get OpenBSD 4.1 to route 1 gigabit of traffic with pf enabled. Mostly default settings. Linux can route 1 gig no problem, OpenBSD fails badly. More details here:

http://marc.info/?t=119154934300001&r=1&w=2

By: Thijs

Thijs — Mon, 04 Jun 2007 10:34:37 +0000

Nice story. I’ve been running OpenBSD for firewalls since version 2.9 or so. I also swapped my PIXes for older compaq small form factor PC’s running OpenBSD. For reliability, I swapped the harddisks for a compact flash IDE adapter and 1GB CF cards. My complete install including the fabulous OpenVPN are on this card and OpenBSD is running fine on it. Now only the power supply can still break. And that didn’t happen yet.

Great choice!

By: pmk

pmk — Wed, 09 May 2007 01:52:21 +0000

Hey there:

Any benchmarks/hardware specs on the near-gigabit OpenBSD deployment? Given the ridiculous prices on truly gigabit-capable firewall gear and the terrible performance of iptables/netfilter at high PPS rates, rolling our own from OpenBSD or FreeBSD is attractive.

By: Dez Blanchfield

Dez Blanchfield — Mon, 26 Feb 2007 11:02:52 +0000

Seriously,

I’ve got to state for the record that there is a best of both worlds option here.

m0n0wall has to be one of the best firewall platforms I’ve seen for a long long time, and I’ve tried them all, and I’ve developed a few myself.

pfSense has built on top of what m0n0wall gives us, but after running pfSense for a while I’m planning a return to m0n0wall soon.

With it’s FreeBSD 6.x base, the safe secure and simple web based interface, and surprisingly quick performance, it’s a firewall I’d recomend not just for use at home, but for small to medium sized firms, and even service providers.

Running it [m0n0wall] from a live cd, and using a USB stick or floppy to save the configs on, is just too darn easy, and all you need is a stack of old PC’s laying around to run one up, or replace a system if it fails.

I’m a huge fan of the entire world of magic that is OpenBSD, but when it comes to time and simplicity, m0n0wall has to take the cake.

note: make sure you check out it’s sister project FreeNAS for Network Attached Storage if you’ve got time too.

Cheers,

Dez

—
Dez Blanchfield
http://TheStorageForum.COM

By: mark

mark — Wed, 24 Jan 2007 05:50:23 +0000

Hi Tom. Yeah, I like the Soekris too, it’s a better product than the WRAP, but they do demand a hefty price premium…

You’re right that FreeBSD will almost certainly be faster. Better network drivers (em in particular, with polling support), and fastforwarding rocks. See Mike Tancsa’s testing for confirmation of that (although Linux is still faster, IIRC). But if the OpenBSD implementation provides enough throughput (it did at home, obviously, and for the recent client install) I’d still stick with it instead of FreeBSD for pure firewall duty. I just trust the OpenBSD guys to have “done the right thing” security-wise, and in a firewall, that’s important to me.

By: Tom

Tom — Wed, 24 Jan 2007 00:00:42 +0000

Soekris also makes nice systems (www.soekris.com). And you can get them with small cases.

But since pf is supported on FreeBSD, and FreeBSD probably has fresher drivers from intel hardware (6.2-RELEASE has a new em driver direct from Intel). Plus, does OpenBSD have an equivelent of net.inet.ip.fastforwarding? On a dedicated firewall/router FreeBSD box, it makes a big difference, as it is handles the entire packet in one interrupt.

By: Ian

Ian — Wed, 10 Jan 2007 15:56:39 +0000

When I say a preinstalled box, basically they put together the board, a case, a power supply, and a CF card with m0n0wall preinstalled. Only cost a tiny bit more than buying all the bits individually.

By: Ian

Ian — Wed, 10 Jan 2007 15:55:22 +0000

I bought a WRAP quite recently. I didn’t really have the time to go fiddling round installing m0n0wall on it (though I did install Smoothwall myself on a previous old PC I used as a router) so I went for a preinstalled box. Literally all you need to do is plug the LAN in one socket and the WAN in the other and you are go.

By: mark

mark — Tue, 19 Dec 2006 02:03:49 +0000

Marco: yeah, the WRAP boards are nice cause they’re small and silent. There’s more work to get it going compared to just picking up a WRT54GL and flashing it with dd-wrt, but if you’re like me, that’s part of the fun.

By: Saint Aardvark

Saint Aardvark — Fri, 15 Dec 2006 00:12:23 +0000

Another vote for “easy to read”. I’ve used iptables and ipfw, and pf just blows them both away. Things *make sense* in pf.

For the record, OpenBSD also works well in laptops, too; I installed it for a lark on mine (Toshiba A2) and it’s worked very, very well.

By: Greg

Greg — Thu, 14 Dec 2006 10:26:13 +0000

Having deployed pf @ a number of sites, the hosting platform is key.

For high packet rate traffic, I have found that PF on FreeBSD with em nics, polling enabled will perform a mite better.

If the system is going to be used for anything other than basic packet filtering, I have found Free to be a lot less hassle to maintain/update than Open TBH.

Performance wise, A DL-385 with 2.4 gig opteron & 6 * em running PF on FreeBSD filters 1.5-2 gigbits/sec without sweating.

Greg

By: Marco

Marco — Thu, 14 Dec 2006 10:14:07 +0000

Mark,

I am currently considering building a home network… Didn’t really need one up to now.

Would you recommend buying such a WRAP board, and using it with OpenBSD as a firewall/router? I don’t have any spare computers, and I would like it to be small.

By: mark

mark — Thu, 14 Dec 2006 00:42:45 +0000

I did bump into the state limit during testing. Good tip for anybody reading this, though. Merci!

By: Kint

Kint — Thu, 14 Dec 2006 00:34:30 +0000

Mark, if you’re going to be running serious bandwidth down those OpenBSD boxes, don’t forget to crank up the default state limit!

Have fun!

By: Matty

Matty — Wed, 13 Dec 2006 23:49:54 +0000

I also use pf and altq, and dig the fact that the OpenBSD ports collection has numerous tools for monitoring pf firewalls. If you haven’t used pfstat, pftop, ifstat and company, you should check them out.

- Ryan

By: mark

mark — Wed, 13 Dec 2006 23:38:46 +0000

Thx Kint. I actually used OpenBSD for some firewalling duty back in the 2.3/2.4 era when ipfilter and SSH1 were still king. I was mostly using FreeBSD and Solaris at the time, and respected a lot of the innovative security work being done in OpenBSD. I liked ipfilter enough that after I used it in OpenBSD I opted to use ipfilter in FreeBSD and Solaris too, and did for many years. But for whatever reasons I just haven’t touched OpenBSD since. I think I did a 2.6 install at some point, but IIRC I hit some hardware issue and went to FreeBSD instead.

The CARP pfsync combo is pretty kick ass, eh? I was blown away that it worked perfectly right out of the box.

The pair of boxes that will be replacing the PIX515s are running CARP/pfsync. We went with the fastest single-core Opteron processor we could buy, which seems to be enough to saturate a gigabit pipe with relative ease. OpenBSD’s ability (or lack thereof) to take advantage of multiple CPU cores might limit it in some deployments… but for most shops pf’s performance is good enough to move a lot of traffic on a single, modern CPU core.

The raw “BSDness” of the OpenBSD install and config procedure was like a pleasant stroll down memory lane. I’m guessing it would be appear shockingly primitive for modern Linux admins, in the complete opposite way that the Solaris installer I ranted about would seem bizarre.

By: Kint

Kint — Wed, 13 Dec 2006 22:46:24 +0000

Glad you’ve decided to try OpenBSD. Been running it myself for various tasks since 2.6. It really IS a charm to work with, and the man pages can’t be beaten.

Another great thing that PF does as good as / better than Cisco is failover, with CARP and pfsync. Check it out!

Great blog, by the way. I found it through your “Top 10 Solaris Installation Annoyances” post, which made me piss my pants in laughter, I should add.