OpenBSD people ... I have a question as I am preparing an article for the next episode about OpenBSD in general and PF...

Just exactly/approx. how good of a firewall can you build out of OpenBSD? Should I simply think of pfSense, or can it go way beyond that (more secure, more features, IDS/IPS)?

@gemlog I guess because the topic is « I am preparing an article for the next episode about OpenBSD in general and PF » :flan_think:


have I mentioned it's 3am my time? :-)
But still, viktor's restriction of topic is his own choice and history has shown that he can be influenced. It's not carved in stone.
I'll bring Ben in on this if I have to! Just see if I won't.


@solene @gemlog

Yes @gemlog, this time the focus is on OpenBSD and its implementations, e.g. as a firewall with pf and other bits and pieces.

The topic was always open to suggestions; however, all I got so far was the same email three times from Ben to compare different salmon types 😻

he attached this link to each of the mails:


I'm still on the road you set me on last week for monitoring - doing more of it.
My needs are more modest than yours and Claudio's though.
@solene @claudiom

@gemlog @solene @claudiom Nice.... this Saturday I send you down the road of OpenBSD and a use case scenario for a home network (failover router/firewall application)

spruceeats is a good site.
I hadn't met Ben yet when I did up about 10 sockeye. These are the superior BC sockeye. Not those Alaskan sockeye.
@solene @claudiom

@gemlog @solene @claudiom They look so good. I bet they taste the same....
Here, 100g of Norwegian raw smoked salmon is 4-5€ or more on average

Europe is not my favourite place lately. We can not bear arms and we can not fish salmon here

@gemlog @solene @claudiom Where is the exact procedure documented? What kind of marinade? Smoking time? etc. It would be interesting to see, even though the chances of me needing to smoke salmon on this side of planet Earth are thin, very thin, unfortunately

@gemlog @solene @claudiom Google offers me this alternative:

The closest I am ever gonna get to salmon, Alaskan or BC Canada ones, are these burgers I get from Costco, which by the way are very very very delicious

@viktormadarasz pfSense or OPNsense provides a web GUI for managing everything.

There is no GUI in OpenBSD to manage the firewall or services. You will have to "hand" write the pf config. Then we have snort, squid, aide for IPS/IDS.

About VPN we have openvpn/ipsec/wireguard/tinc.

There are queue / throttling / carp support too.

Keeping an OpenBSD system up to date is far easier than any other OS IMO, that would be a + for the "more secure" part.

@viktormadarasz Prefer to run OpenBSD + pf than pfSense unless you want to configure and manage the firewall in a browser.
Also, from what I have read, OpenBSD pf gets the fresh code and features first, then it is written in to FreeBSD pf.
At the end of the day, you can't go wrong with either -- it's a personal preference.

@viktormadarasz pf is a stateful packet filter. Pretty versatile, with an easily readable configuration language, but still a packet filter. It won't give you any fancy "NG" firewall features or much in the way of IDS/IPS - though some of the statistics-based options like max-src-conn-rate can take you in that direction.
Setting up clusters is not too hard, and IPSEC works well enough.

@viktormadarasz Sorry, never tried, so I wouldn't know.

You can certainly install any of the common IDS/IPS engines, but I have no idea if any of them has infrastructure to be meshed into pf rulesets (except for fail2ban, which I have been using successfully on OpenBSD).
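
The statistics-based options mentioned in the thread, shown as an added pf.conf sketch that is not part of any participant's post: it rate-limits inbound SSH per source address with max-src-conn-rate and moves offenders into a blocked table. The interface name em0, the table name and the thresholds are assumptions chosen for illustration.

```conf
# Constructed example for OpenBSD pf; adjust to the local network.
ext_if = "em0"                      # assumed external interface

# Addresses that exceed the limits below are collected here.
table <bruteforce> persist

set skip on lo

# Default deny, then drop anything from a listed offender first.
block return
block in quick on $ext_if from <bruteforce>

# Outbound traffic from the firewall itself is allowed and tracked.
pass out on $ext_if inet

# Inbound SSH: at most 10 concurrent connections per source and
# at most 5 new connections in 30 seconds. A source that exceeds
# either limit is added to <bruteforce>, and "flush global" kills
# every state it already holds, not just the SSH ones.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)

# Entries stay until removed; a periodic job can age them out:
#   pfctl -t bruteforce -T expire 86400
```

This reacts to connection counts only; pf does not inspect payloads, so it complements an IDS engine and does not replace one.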
