Why FreeBSD and not OpenBSD?



  • Just curious why you guys chose FreeBSD when building this amazing software; to me OpenBSD seems to be the way to go because of their extremely good security policies,

    so what criteria made you choose FreeBSD, and is it "possible" to port this to OpenBSD if I tried, or would it require much recompiling of kernel and packages?

    And while I'm posting, what are the thoughts on implementing authpf in pfSense?



  • We chose FreeBSD because of our experience with the product. I have used FreeBSD for over 10 years and it would have been silly for me to throw all of my knowledge away.

    PF works the same on FreeBSD as it does on OpenBSD.

    There are no plans to integrate authpf; it needs to be fixed so that it does not require the BGL in FreeBSD.



  • Good enough answer for me :)

    Too bad about authpf, it would have been a great security feature.



  • @mastrboy:

    Just curious why you guys chose FreeBSD when building this amazing software; to me OpenBSD seems to be the way to go because of their extremely good security policies,

    so what criteria made you choose FreeBSD, and is it "possible" to port this to OpenBSD if I tried, or would it require much recompiling of kernel and packages?

    There is some non-portable code in our tree. At some point I'll try and clean some of it up… but our IPsec and PPPoE stacks aren't easily made OS-agnostic.

    @mastrboy:

    And while I'm posting, what are the thoughts on implementing authpf in pfSense?

    Authpf is a well-thought-out concept that IMO has flaws. Requiring the creation of user accounts on the firewall isn't exactly something that "sounds good and sane" to me. The right way (IMO) to go about this is to write a daemon that utilizes TLS and authenticates against a RADIUS or LDAP server. A client utility would obviously have to be written also, but it'd be pretty easy to make it portable (GTK and OpenSSL compile just about anywhere these days).

    –Bill



  • If I'm not totally wrong here, it is not authpf that does the actual authentication, it's the SSH daemon, so you could configure the SSH daemon to authenticate against pam_ldap or similar, I guess.



  • @mastrboy:

    If I'm not totally wrong here, it is not authpf that does the actual authentication, it's the SSH daemon, so you could configure the SSH daemon to authenticate against pam_ldap or similar, I guess.

    Correct, authpf doesn't do the authentication. It does require a TTY though, and that requires more access than I'm willing to give my users. OpenBSD did the right thing as far as it being part of their core OS (and handling authentication), however I disagree with the implementation for pfSense. It needs a utility that can be deployed to the desktop and doesn't require anything more than an authentication prompt on the firewall (which can obviously be handed off to RADIUS, LDAP, whatever).

    –Bill
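For context on the SSH-gated model discussed in the two posts above (SSH does the authentication, authpf only loads per-session rules), here is an added OpenBSD-style authpf configuration; it is an example written for this page, not the thread's or pfSense's own configuration, and the interface em0, the subnet 192.168.1.0/24 and the user alice are assumed values.

```conf
# /etc/pf.conf  (OpenBSD authpf layout; assumed names throughout)
int_if  = "em0"
int_net = "192.168.1.0/24"

# Default posture: the inside network gets nothing but the SSH login
# to the firewall itself until someone has authenticated.
block in on $int_if from $int_net
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh

# Anchors that authpf fills per authenticated session and empties again
# when the session ends. Without these lines a successful login has no
# effect on the ruleset at all.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"
anchor       "authpf/*"


# /etc/authpf/authpf.allow  -- only the accounts listed here may use
# authpf, even if their login shell is /usr/sbin/authpf
alice


# /etc/authpf/users/alice/authpf.rules  -- loaded into the anchor when
# alice logs in. authpf defines $user_ip and $user_id for the session,
# so the grant is bound to the address she authenticated from and is
# withdrawn when her SSH session closes.
pass in quick on $int_if proto tcp from $user_ip to any port { 80, 443 }
pass in quick on $int_if proto udp from $user_ip to any port 53


# /etc/ssh/sshd_config additions recommended by authpf(8): a session
# that silently dies must be noticed so the rules are torn down rather
# than left open for whoever next holds that IP address.
ClientAliveInterval 15
ClientAliveCountMax 3

# The account's login shell is set to /usr/sbin/authpf (e.g.
# chsh -s /usr/sbin/authpf alice). The user never gets a command
# prompt, but she does hold an open SSH session on the firewall for
# as long as the rules are active; that is the TTY/access concern
# raised in the thread. Where the password check happens (local
# passwd, PAM/LDAP, RADIUS) is sshd's configuration, not authpf's.
```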

