OpenBSD people ... I have a question as I am preparing an article for the next episode about OpenBSD in general and PF...

Just exactly/approx. how good of a firewall You can build out of OpenBSD? Should I simply think of pFsense or it can go way beyond that (more secure, more features, IDS/IPS)?

@viktormadarasz pf is a stateful packet filter. Pretty versatile, with an easily readable configuration language, but still a packet filter. It won't give you any fancy "NG" firewall features or much in the way of IDS/IPS - though some of the statistics-based options like max-src-conn-rate can take you in that direction.
Setting up clusters is not too hard, and IPSEC works well enough.

@viktormadarasz Sorry, never tried, so I wouldn't know.

You can certainly install any of the common IDS/IPS engines, but I have no idea if any of them has infrastructure to be meshed into pf rulesets (except for fail2ban, which I have been using successfully on OpenBSD).

Sign in to participate in the conversation
Mastodon @ SDF

"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko