[MLUG] [ot] Looking for high performance open source firewall

David Filion david at filiontech.com
Wed Dec 17 11:16:12 EST 2008


The Anarcat wrote:
> On Wed, Dec 17, 2008 at 10:52:13AM -0500, David Filion wrote:
>   
>> Both m0n0wall and pfSense (both BSD based) support a bridged mode which 
>> is what I'm looking for.   I just prefer doing setups like this by hand 
>> so I get a better understanding of what is happening under the hood.  
>> Especially handy when the s**t hits the fan and you need to make 
>> adjustments fast.  But sometimes getting things up and running fast is 
>> more important.
>>     
>
> That's especially difficult with monowall, as, last time I heard, it
> wasn't providing even a shell into the system. You basically need to
> trust it to do the right thing from your clickety configuration, which I
> find generally annoying.
>
> Pfsense provides a shell if you activate it through the clickety
> interface, but then you have very limited resources: no man pages, no
> tcpdump (iirc), it feels very dark and lonely in there.
>
> For those reasons, we've set up an OpenBSD firewall. I'm still uncertain
> about our choice because we've been using FreeBSD for a general purpose
> server before and now we've added another OS to our ever growing list of
> systems, which is not good, but then again, the idea is to go to the
> simpler tool, which supports all the goods (pf, CARP and others) out of
> the box.
>
> Besides, we don't need all the bells and whistles and shiny packages
> that FreeBSD provides. We just need to export data with netflow and SNMP
> and then more general-purpose machines can handle data processing.
>
> In fact, we're basically building a process where we can take a Soekris
> box, install a basic OpenBSD image on it + Puppet and have new router
> nodes automatically configured. So less is best here.
>
> A.
>

In this case, this is purely for a bridging firewall, nothing more.  No 
web server in its future (sorry Jean-Francois :-).  If I go with a "gui" 
firewall (aka m0n0wall or pfSense), I don't want to have to use a 
command line.  If I go the command line route, I'll just do a setup from 
scratch.


David
