Firewall Wizards mailing list archives
Re: OpenBSD pf users?
From: "Robby Cauwerts" <robby () cauwerts be>
Date: Tue, 11 Dec 2007 21:54:44 +0100
On Dec 9, 2007 3:33 PM, Wim Lamotte <Wim.Lamotte () uhasselt be> wrote:
Hi, I was wondering if any of the fw-wiz members is currently using the pf firewall on OpenBSD. We are considering this platform as an alternative to our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we have had many problems (cluster not stable, SIP traversal problems, SmartDefense unpredictable, high license costs, ...) If anyone has evaluated the OpenBSD pf platform in the past, and concluded that there were good reasons not to use it, I would also be very interested to know what these reasons were.
Hi Wim,

What matters is the experience of the guys who will be managing your firewalls. Do they have experience with *nix systems?

If you go for OpenBSD you will need to manage not only your firewall setup (rules/natting/vpn/...) but also the underlying OS. OpenBSD supports up to two releases, and there is a new release every two months, which means that you will need to upgrade your system every year. If you have the experience you can do this with your eyes closed, if not ...

With OpenBSD you will probably need to install/patch/upgrade (a lot of) third-party software to get some more functionality (mrtg, external logging, OpenVPN, ...). If you have the experience you can do this with your eyes closed, if not ...

With Check Point on Nokia, maintaining your firewall can be done (or at least it should be) with a couple of clicks. Even a junior admin can do this (with his eyes closed...).

What happens when the *nix guru who has installed and highly tuned OpenBSD for your needs leaves your company? Check Point admins can be found everywhere (but this doesn't mean that they are all skilled), but it is more difficult to find someone with OpenBSD experience.

OpenBSD has proven to be a rock-solid firewall and will probably have all the features you need (carp, ipsec VPNs, VPNs for road warriors, ...). Okay, you don't get the fancy SmartDefense updates/headaches.

With OpenBSD you pay nothing (consider a donation) for the software, but you will need to pay the experienced administrator. With Check Point you pay a fortune for the licenses, but a junior admin can manage most of the firewall.

If you want something cheaper with a nice GUI that is easy to update/maintain, you could also consider a Netscreen.

Good luck with your choice.