[ale] Linux versus OpenBSD for enterprise firewalls

Keith Miller smeadspam100 at speedfactory.net
Wed Nov 9 14:03:39 EST 2005


I tend to agree with Mike.  Both are powerful and can be made to be very
light on resources.  It's a matter of comfort really. Here are some points to
consider:

1) Release cycle.
	OpenBSD has them every 6 months and only releases patches for the current
and last version.  This has the effect of making your OS unsupported after a
year (I've seen them issue patches for 2 versions back, but I wouldn't count
on it).

2) Patching
	OpenBSD uses patches. For routers/NAT/fw boxes this usually means you
either add a compiler to the unit (boo!) or compile the binaries on another
machine (my personal tactic).

3) Hardware support
	Both do great here, but look at what you're planning on running on and make
sure they support it well (this is kinda obvious but there are surprises).

4) Meeting your specs
	Do you require redundancy? Bandwidth shaping? Bonding? Failover?
	Proxying?  Wireless AP?  IPsec? Basically, who's going to meet your spec
the best?

Personally I've run OpenBSD on my routers for the last 5 years.  Mostly out
of comfort and I don't have a heavy spec. I remind you of something I
mentioned at InstallFest. If you're doing a fresh install with no previous
expectations, you have a great deal of latitude to implement things.
However, if you're replacing an existing service (or unit) make sure you meet
the expectations of the systems and people who used that old unit. Are there
services or features that the Raptor offered that people or systems relied
on?  Different is OK, just make sure you know ahead of time the differences
so you can educate.

Hope this helps a bit.

W. K. Miller

Michael H. Warfield wrote:
> On Wed, 2005-11-09 at 08:30 -0500, John Wells wrote:
> 
>>Any opinions from the security guys on the list? I'm seeking to rid our
>>company of a nasty Symantec Raptor firewall, and of the numerous options
>>we're considering, Linux/iptables and OpenBSD/pf keep coming up. Any
>>thoughts?
> 
> 
> 	You would probably do well, either way.  Which are you more comfortable
> with in administering?
> 
> 
>>Thanks,
>>John
> 
> 
> 	Mike
> 
> 