OpenBSD people ... I have a question as I am preparing an article for the next episode about OpenBSD in general and PF...
Just exactly (or approximately) how good a firewall can you build out of OpenBSD? Should I simply think of pfSense, or can it go way beyond that (more secure, more features, IDS/IPS)?
@viktormadarasz Why restrict to openbsd. Why not iptables too?
Yes @gemlog, this time the focus is on OpenBSD and its implementations, e.g. as a firewall with pf and other bits and pieces.
The topic was always open to suggestions; however, all I got so far was the same email three times from Ben to compare different salmon types 😻
he attached this link to each of the mails:
@viktormadarasz pFsense or Opnsense provides web gui for managing everything.
There is no GUI in OpenBSD to manage the firewall or services. You will have to "hand" write the pf config. Then we have snort, squid, aide for IPS/IDS.
About VPN we have openvpn/ipsec/wireguard/tinc.
There are queue / throttling / carp support too.
Keeping an OpenBSD system up to date is far easier than any other OS IMO, that would be a + for the "more secure" part.
@solene thank you, useful info for me for this Saturday's episode 😃
@viktormadarasz I prefer to run OpenBSD + pf over pfSense, unless you want to configure and manage the firewall in a browser.
Also, from what I have read, OpenBSD pf gets the fresh code and features first, and then it is written into FreeBSD pf.
At the end of the day, you can't go wrong with either; it's a personal preference.
@viktormadarasz pfSense is based on FreeBSD, not OpenBSD.
@viktormadarasz pf is a stateful packet filter. Pretty versatile, with an easily readable configuration language, but still a packet filter. It won't give you any fancy "NG" firewall features or much in the way of IDS/IPS - though some of the statistics-based options like max-src-conn-rate can take you in that direction.
Setting up clusters is not too hard, and IPSEC works well enough.
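To illustrate the "statistics-based options" mentioned above, here is an added pf.conf fragment (not from any participant in this thread) that rate-limits new SSH connections per source and blocks sources that exceed the limit; the interface name em0 and the numeric limits are assumptions.

```pf
# Added example: interface name and limits are assumptions, not thread content
ext_if = "em0"

# Table of offending source addresses; "persist" keeps it across ruleset reloads
table <bruteforce> persist

# Drop all inbound traffic from sources already placed in the table
block drop in quick on $ext_if from <bruteforce>

# Allow SSH, but cap each source at 10 simultaneous connections and 15 new
# connections per 5 seconds; a source exceeding either limit is added to
# <bruteforce> and all of its existing states are flushed ("flush global")
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn 10, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
```

Entries stay in the table until removed: `pfctl -t bruteforce -T show` lists them, and a periodic `pfctl -t bruteforce -T expire 86400` drops those older than a day.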
@galaxis Any way to add Nextgen FW features in it?
@viktormadarasz Sorry, never tried, so I wouldn't know.
You can certainly install any of the common IDS/IPS engines, but I have no idea if any of them has infrastructure to be meshed into pf rulesets (except for fail2ban, which I have been using successfully on OpenBSD).
@viktormadarasz you can use pf and Suricata from ports.