Re: [fw-wiz] OpenBSD pf users?



On Dec 9, 2007 3:33 PM, Wim Lamotte <Wim.Lamotte@xxxxxxxxxxx> wrote:

Hi,

I was wondering if any of the fw-wiz members is currently using the pf
firewall on OpenBSD. We are considering this platform as an alternative to
our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
have had many problems (cluster not stable, SIP traversal problems,
SmartDefense unpredictable, high license costs, ...)

If anyone has evaluated the OpenBSD pf platform in the past, and concluded
that there were good reasons not to use it, I would also be very interested
to know what these reasons were.


Hi Wim,

What matters is the experience of the guys who will be managing your
firewalls.
Do they have the experience with *nix systems?
If you go for OpenBSD you will not only need to manage your firewall setup
(rules/natting/vpn/...) but also the underlying OS.

OpenBSD supports up to two releases, and there is a new release every two
months, which means that you will need to upgrade your system every year.
If you have the experience you can do this with your eyes closed, if not ...

With OpenBSD you will probably need to install/patch/upgrade (a lot) third
party software to get some more functionalities (mrtg, external logging,
OpenVPN,...)
If you have the experience you can do this with your eyes closed, if not ...

With CheckPoint on Nokia maintaining your firewall can be done (or at least
it should be) with a couple of clicks.
Even a junior admin can do this (with his eyes closed...).

What happens when the *nix guru who has installed and highly tuned OpenBSD
for your needs leaves your company?
Check Point admins can be found everywhere (but this doesn't mean that they
are all skilled) but it is more difficult to find someone with OpenBSD
experience.

OpenBSD has proven to be a rock solid firewall and will probably have all
the features you need.
(carp, ipsec VPNs, VPNs for road warriors,...) Okay, you don't get the fancy
Smartdefense updates/headaches.

With OpenBSD you pay nothing (consider a donation) for the software, but you
will need to pay the experienced administrator.
With Check Point you pay a fortune for the licenses but a junior admin can
manage most of the firewall.

If you want something cheaper with a nice gui and easy to update/maintain
you could also consider a Netscreen.

Good luck with your choice.
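For readers weighing the 2-node cluster replacement the reply alludes to (carp plus pfsync), here is an added example of the minimal OpenBSD configuration involved; it is not from either poster. It assumes a primary node with em0 (external), em1 (internal) and em2 (dedicated pfsync link), and uses documentation-range addresses and a placeholder carp password.

```conf
# --- /etc/hostname.carp0 (primary node; the secondary uses advskew 100) ---
# 192.0.2.0/24 is the RFC 5737 documentation range, used here as a placeholder.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CARP_SECRET_PLACEHOLDER carpdev em0 advskew 0

# --- /etc/hostname.pfsync0 (both nodes) ---
# State table synchronisation over a dedicated crossover link, not the
# production interfaces, so state updates cannot be sniffed or injected there.
up syncdev em2

# --- /etc/sysctl.conf (both nodes) ---
# Let the master reclaim the shared address when it returns, and fail over all
# carp interfaces together if any one of them loses link.
net.inet.carp.preempt=1

# --- /etc/pf.conf (both nodes, identical) ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo

# pfsync and carp traffic must be allowed explicitly; (no-sync) keeps these
# control states out of the synchronised table.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Default deny inbound, allow outbound with stateful tracking; add the site's
# real rules below this point.
block in log
pass out keep state
```

Failover can be checked by watching `ifconfig carp0` flip between MASTER and BACKUP while an established connection through the pair keeps flowing.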
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards