Opnsense on OpenBSD

Started by joeculler, September 21, 2020, 05:23:34 AM

I'm wondering if anyone has tried to port OPNsense to OpenBSD?
I'd like to try to do that, thanks.

There was a discussion a long time ago. Relevant bullet points off the top of my head:

* HardenedBSD migration and LibreSSL option reduced the need for OpenBSD as opposed to FreeBSD
* Certain technologies require rewrites (IPsec/Strongswan is not common on OpenBSD)
* Certain technologies are not available (Netmap and ZFS never made it to OpenBSD)
* Packaging, ports and build infrastructure is different, with pkg_add lacking functionality that pkg(ng) has for automating builds and updates
* Interface code would have to be rewritten and restructured to make sense in the years to come as it has had too much organic growth unfortunately
* Supporting more than one BSD is out of scope for a single project considering the complexity of it all

For me personally the reasons are that FreeBSD has good networking support and contributors (Intel, Netflix, etc.), and the release cycles of FreeBSD are a bit longer and more conservative than OpenBSD's, which gives more time to prepare a release (although their EoL policy is worse). Suricata with Netmap is very popular with users, especially since we have ET Pro Telemetry.

This shouldn't prevent anyone from trying. The only thing I want to say is: think about why you would be doing it, and if there is a valid reason, please do. :)


Cheers,
Franco

I found this thread wondering the same question. Thanks for chiming in about that, Franco, it was really interesting!

Sort of a hijack, but have there been similar discussions about porting to Linux? From a very naive perspective it looks like Linux would have a lot of advantages, like better hardware support and a generally vast ecosystem. The obvious cons are whether or not iptables can be as sophisticated as pf (thinking about policy routing, multi-WAN, etc.) and that a lot of defaults that people have gotten used to over the years would probably change. But I feel like somebody somewhere surely must have thought about this some more. Would be very interesting to read for sure :)

We joke about it from time to time internally that this would have been the best route, but you basically start at zero and work your way through it. Too many people already did this and look where we are.

Personally, I also don't feel like forking a nice Linux firewall to take it somewhere else. Maybe I'm getting old. :)


Cheers,
Franco