Roy wrote: 
> I’d like an unbiased opinion on whether OpenBSD should be considered
> a better choice as a firewall/router.

No unbiased opinions exist.

I will say that:

* Debian's package update mechanism is faster than OpenBSD's

* OpenBSD is the upstream source of several security-critical packages 
including the ubiquitous OpenSSH;

* It is convenient, especially for a non-expert, to have one OS
to admin rather than two.


> I’m wondering whether OpenBSD would be easier to manage as a firewall/router
> than Debian.

No, they pose the same degree of difficulty and require the same
basic understanding of networking.

> Absolutely not. I’m referring to the fact that, as soon as I started
> looking into firewall options on Debian, I found at least three
> different systems: iptables, nftables, and ufw. It was quite confusing
> to understand how they relate to each other. I now think I understand
> that nftables is the newer approach, and it’s a very sophisticated and
> feature-rich system, probably ideal for a team of engineers, but maybe
> overkill for a side project like mine.

That's incorrect.

There is one firewall* system in the kernel. nftables is the
complete base system for manipulating it.

iptables used to be that base system, but as part of the
nftables transition, iptables actually calls nftables now, so
there is less need for people who knew the iptables syntax to
change over.

ufw is one of many, many more-or-less easy-to-use frontends to the underlying
firewall system. To quote the man page:

 The Uncomplicated FireWall is a front-end for iptables, to make managing a
 Netfilter firewall easier. It provides a command line interface with syntax
 similar to OpenBSD's Packet Filter. It is particularly well-suited as a
 host-based firewall.

host-based, in this case, means "endpoint" rather than "router".

> When I searched for firewall solutions on OpenBSD, the answer was much
> simpler: just pf.

Correct. pf is functionally the sole interface to OpenBSD's
kernel packet filtering.

In terms of performance, Linux wins on multicore CPUs (virtually
all CPUs, these days) and OpenBSD on a single core. However,
performance is absolutely not a factor you should consider for a
homelab; hardware will constrain you before the firewall OS
does.


-dsr-

*Hello pedantic people. Yes, you can talk to BPF directly.
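As an added example (not part of dsr's reply or of the thread): the same minimal NAT home router written once as an nftables ruleset for Debian and once as a pf.conf for OpenBSD, so the two "base systems" discussed above (nftables, and pf as the sole interface to OpenBSD's packet filter) can be compared side by side. The interface names (eth0/eth1 on Debian, em0/em1 on OpenBSD), the 192.168.1.0/24 LAN prefix and the shell wrapper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: the same minimal NAT router
# written once as an nftables ruleset (Debian) and once as pf.conf (OpenBSD).
# Interface names, the LAN prefix and this wrapper are assumptions.

# Emit a Debian nftables ruleset.  Usage: nft_router_ruleset WAN LAN LAN_NET
# Load on the router with:  nft_router_ruleset eth0 eth1 192.168.1.0/24 | nft -f -
# Forwarding must also be on:  sysctl net.ipv4.ip_forward=1
nft_router_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may reach services on the router itself (ssh, DNS, DHCP)
        iifname "$2" accept
        # From the Internet, answer ping (rate limited) but nothing else
        iifname "$1" icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the LAN prefix may initiate connections out to the Internet
        iifname "$2" ip saddr $3 oifname "$1" accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$1" masquerade
    }
}
EOF
}

# Emit the equivalent OpenBSD pf.conf.  Usage: pf_router_ruleset WAN LAN LAN_NET
# Install with:  pf_router_ruleset em0 em1 192.168.1.0/24 > /etc/pf.conf && pfctl -f /etc/pf.conf
# Forwarding must also be on:  sysctl net.inet.ip.forwarding=1
pf_router_ruleset() {
    printf 'wan = "%s"\nlan = "%s"\nlan_net = "%s"\n' "$1" "$2" "$3"
    # Quoted delimiter: pf's $wan/$lan macros must reach pf, not the shell.
    cat <<'EOF'

set skip on lo
set block-policy drop

# Source NAT for the LAN prefix leaving the WAN interface
match out on $wan inet from $lan_net to any nat-to ($wan)

block all
# pf is stateful by default: the state created here also passes the
# forwarded packet out of $wan and the replies back in.
pass in on $lan inet from $lan_net
# Traffic the router itself originates (package updates, DNS, ssh out)
pass out
# From the Internet, answer ping but nothing else
pass in on $wan inet proto icmp icmp-type echoreq
EOF
}

# Optional syntax check of the nftables ruleset without loading it (nft -c).
# Skips quietly when nft is not installed so the script still runs elsewhere.
nft_check() {
    if command -v nft >/dev/null 2>&1; then
        nft_router_ruleset "$@" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}
```

Both rulesets default to dropping, open the router only to the LAN side and to rate-limited ping from outside, and allow forwarding only from the LAN prefix out through the WAN interface; neither does anything for IPv6 beyond what the default-drop policy implies, so a dual-stack home network needs ICMPv6 neighbour discovery rules added in either syntax.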
