[ILUG] Firewalls... linux -v- BSD
Lisa Muir
34.24.34 at gmail.com
Wed Aug 30 12:31:31 IST 2006
Nick Murtagh wrote:
> We run a highly available firewall which consists of two OpenBSD boxes
> running pf and carp. We get two ethernet cables from the datacentre's
> switching network. It works great. In fact as the hardware in the two
> firewalls has proven to be flaky, at least when running OpenBSD, we've
> found this invaluable.
That's where this one is headed, a datacenter deployment, but as you
walk around the joint it would look that we'd be the first to go with
a non-commercial firewall solution in our particular room. That gives
an uneasy feeling at times, there's always safety in numbers.
> However, unless you are doing something like this, I would not
> recommend OpenBSD, especially if you are used to Linux. It has no
> proper package management. There are lots of little annoying things
> such as the cursor keys / home / end / delete not working in shell or
> vi.
That kind of stuff does not bother me at all. I admin two old SCO
boxes, so it would be a joy to mess around with that kind of stuff. My
biggest problem is that BSDs use a single partition and slices for
disk "partitioning". I prefer to do recovery with Linux, and have yet
to find a way to mount a "slice". Thankfully I don't have to try very
often.
> pf syntax is nicer than iptables, but shorewall is even better ;)
I don't know what I'm missing though... it's like there's an inherent
understanding in the BSD world that pf is front line ready and a valid
professional solution to put into say a datacenter and I don't ever
get a similar feeling from the Linux world. How many people here run
iptables as the front line of defence in a datacenter?
Lisa.