On Oct 23, 2010, at 12:33 PM, Jean-Francois wrote:

> On Wednesday 22 September 2010 21:29:31, Rikky Taylor wrote:
>> I was after some general advice. I need to set up a routing firewall with 3
>> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>>
>> Given identical modern server hardware would I expect a performance
>> difference between an OpenBSD/PF setup and a Linux/IPTables one?
>>
>> Rikky
>
> Hello,
>
> The question mentioned before is right: a little more description of your
> infrastructure would help.
>
> I'm loving OpenBSD as a firewall. It performs well enough and is secure by
> default, so if you get the rules right, you very quickly have something very good
> for an affordable effort.
>
> Most importantly, you have a very well documented firewall through the man pages
> and FAQ, therefore a very small probability of human error, the ever-persisting
> root of imperfection, if I may say so.
I agree with all of that. Who cares how fast your firewall is if it's compromised? This is not to say PF/OpenBSD is slow, but my point is: who wants a Ferrari that blows up unexpectedly when you can have a perfectly reasonable car that never blows up?

Security has many facets, but the two I deem most important are: how safe is something from external control, and how likely am I to fuck it up, allowing someone to take advantage of my system? I can't do much about the former, except to trust people who are smarter than me and have more experience than I, and for the latter I can only select that which I believe I won't fuck up.

The difference between PF maintenance and IPTables maintenance, in my experience, is significant. PF can seem a little harder at first, because it requires a little bit of thought (at least that's how I felt grokking the new PF match rules; at the beginning of my PF experience, it was trivial to move from ipf to pf). But once you get it, it's a richer toolset of options. IPTables is just a freakin' huge, long, blithering list of chained crap. It drives me nuts messing with consumer firewalls that run IPTables.

Writing PF rules is like telling someone "go to the store and get milk", and you might have to explain that once. Writing IPTables rules is like telling someone "stand up". Then "walk to the door". Then "open the door". Keep going until you get to "put the milk in the fridge". Oh, you might need to explain how to walk, too.

Sean
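The firewall Rikky asked about (three interfaces, outbound NAT, one port forward), written out both ways so the two rule styles Sean contrasts can be compared line for line. This is an added example, not from the thread and not from the OpenBSD or netfilter documentation. The interface names em0/em1/em2, the LAN and DMZ networks, and the web server address are assumptions chosen for the example; the PF side uses the `match ... nat-to`/`rdr-to` syntax of OpenBSD 4.7 and later, and the shell functions only write the two rulesets to files and parse-check them where the native tool is installed.

```shell
#!/bin/sh
# Added example: the same three-interface NAT firewall as a pf.conf and as an
# iptables-restore ruleset. Interface names, networks and the web server
# address (em0/em1/em2, 192.168.1.0/24, 10.0.0.0/24, 10.0.0.80) are assumptions.
set -u

# Write the PF ruleset to $1. Last matching rule wins, "match" rules only
# translate, and translation happens before filtering, so the filter rule for
# the port forward names the DMZ address, not the external one.
write_pf_conf() {
    cat > "$1" <<'EOF'
ext_if  = "em0"           # assumed interface names and networks
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"
web_srv = "10.0.0.80"

set skip on lo0
match in all scrub (no-df random-id)

# NAT everything from the private nets leaving the external interface,
# and forward public port 80 to the DMZ web server
match out on $ext_if from { $lan_net, $dmz_net } nat-to ($ext_if)
match in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv

block log all                                  # default deny
pass out                                       # firewall and forwarded traffic may leave
pass in on $lan_if from $lan_net               # LAN may go anywhere
pass in on $dmz_if proto { tcp udp } from $dmz_net to ! $lan_net port { 53 80 443 }
pass in on $ext_if proto tcp to $web_srv port 80   # the redirected service (post-rdr address)
EOF
}

# Write the equivalent iptables-restore ruleset to $1. First matching rule
# wins, each table/chain is spelled out, and return traffic needs its own rule.
write_iptables_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i em0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.80
-A POSTROUTING -o em0 -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -o em0 -s 10.0.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i em1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i em1 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i em2 -s 10.0.0.0/24 ! -d 192.168.1.0/24 -p tcp -m multiport --dports 53,80,443 -j ACCEPT
-A FORWARD -i em2 -s 10.0.0.0/24 ! -d 192.168.1.0/24 -p udp -m multiport --dports 53,80,443 -j ACCEPT
-A FORWARD -i em0 -p tcp -d 10.0.0.80 --dport 80 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Parse-check a ruleset with its native tool ("ok"), or report "skipped" when
# that tool is not installed on this host. $1 = pf|iptables, $2 = file.
check_syntax() {
    case "$1" in
        pf)       command -v pfctl >/dev/null 2>&1 || { echo skipped; return 0; }
                  pfctl -nf "$2" && echo ok ;;
        iptables) command -v iptables-restore >/dev/null 2>&1 || { echo skipped; return 0; }
                  iptables-restore --test "$2" && echo ok ;;
        *)        echo "unknown ruleset type: $1" >&2; return 1 ;;
    esac
}

out=$(mktemp -d)
write_pf_conf "$out/pf.conf"
write_iptables_rules "$out/iptables.rules"
echo "pf.conf:        $(check_syntax pf "$out/pf.conf" || echo failed)  ($out/pf.conf)"
echo "iptables rules: $(check_syntax iptables "$out/iptables.rules" || echo failed)  ($out/iptables.rules)"
```

On OpenBSD the file is loaded with `pfctl -f pf.conf` after enabling `net.inet.ip.forwarding=1`; on Linux it is `iptables-restore < iptables.rules` after `net.ipv4.ip_forward=1`. The rulesets enforce the same policy, but note where the work lands: PF's `block log all` plus three `pass in` lines is the whole filter, with state and return traffic implied, while the iptables version has to name tables, chains, the conntrack rule for replies and a separate rule per protocol.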