Re: [fw-wiz] OpenBSD pf users?

On Dec 9, 2007 3:33 PM, Wim Lamotte <Wim.Lamotte@xxxxxxxxxxx> wrote:
I was wondering if any of the fw-wiz members is currently using the pf
firewall on OpenBSD. We are considering this platform as an alternative to
our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
have had many problems (cluster not stable, SIP traversal problems,
SmartDefense unpredictable, high license costs, ...)

If anyone has evaluated the OpenBSD pf platform in the past, and concluded
that there were good reasons not to use it, I would also be very
to know what these reasons were.

Hi Wim,

What matters is the experience of the guys who will be managing your
Do they have the experience with *nix systems?
If you go for OpenBSD you will not need to only manage your firewall setup
(rules/natting/vpn/...) but also the underlying OS.

OpenBSD supports up to two releases, and there is a new release every two
months, which means that you will need to upgrade your system every year.
If you have the experience you can do this with your eyes closed, if not ...

With OpenBSD you will probably need to install/patch/upgrade (a lot) third
party software to get some more functionalities (mrtg, external logging,
If you have the experience you can do this with your eyes closed, if not ...

With CheckPoint on Nokia maintaining your firewall can be done (or at least
it should be) with a couple of clicks.
Even a junior admin can do this (with his eyes closed...).

What happens when the *nix guru who has installed and highly tuned OpenBSD
for your needs leaves your company?
Check Point admins can be found everywhere (but this doesn't mean that they
are all skilled) but it is more difficult to find someone with OpenBSD

OpenBSD has proven to be a rock solid firewall and will probably have all
the features you need.
(carp, ipsec VPNs, VPNs for road warriors,...) Okay, you don't get the fancy
Smartdefense updates/headaches.

With OpenBSD you pay nothing (consider a donation) for the software, but you
will need to pay the experienced administrator.
With Check Point you pay a fortune for the licenses but a junior admin can
manage most of the firewall.

If you want something cheaper with a nice gui and easy to update/maintain
you could also consider a Netscreen.

Good luck with your choice.
