Firewalls (on OpenBSD)
A long time ago, in a galaxy far, far away, I maintained the OpenBSD variant of Darren Reed's IP Filter. Then, one happy day in Boston, the IP Filter code was dumped, and we started afresh. There were three main options on the table: hack a state engine into FreeBSD's IPFW, dust off an old project of Mike Frantzen's, or go with a fresh start courtesy of Daniel Hartmeier. In the end, we went with Daniel's code. The result was pf, and it has since become the most powerful and flexible firewall system around.
- VPN Failover with CARP
  Since the advent of CARP and pfsync, it is now trivial to deploy firewalls in a redundant configuration with automatic failover. It is still far from trivial, however, to do the same for your VPNs. Here's my current approach, as of OpenBSD 3.9.
- Old instructions for building an OpenBSD firewall
  This is a derivative of a document I have been using since the OpenBSD 2.3 days. Back then, we used to sell a managed firewall product that we called a Greenbox. This document started life as our own standardized build instructions for the firewall, and gradually grew into something we would ship off to clients who didn't want to pay us to do their dirty work. It's old. It's out of date. But every couple of decades, I try to update it.
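For readers who have not seen the "trivial" half of the CARP/pfsync story referred to above, here is the minimal redundant-firewall configuration on OpenBSD. This is an added illustration, not a fragment of the linked articles or of any Greenbox build document. Interface names (em0 outside, em1 inside, em2 a dedicated crossover link for pfsync), the 192.0.2.0/24 and 198.51.100.0/24 documentation address ranges, vhid numbers and the CARP password are all placeholders chosen for the example.

```conf
# /etc/hostname.carp0 on the master (outside-facing virtual IP).
# The backup firewall uses the same line with a larger advskew (e.g. 100)
# so it only takes the address over when the master stops advertising.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CHANGE_ME_SECRET carpdev em0 advskew 0

# /etc/hostname.carp1 on the master (inside-facing virtual IP).
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 pass CHANGE_ME_SECRET carpdev em1 advskew 0

# /etc/hostname.pfsync0: replicate the state table over a dedicated link.
# pfsync is unauthenticated, so keep em2 on a private crossover cable,
# never on a shared segment.
up syncdev em2

# /etc/sysctl.conf: let a carp interface losing its link pull the whole
# group over, so inside and outside never fail over independently.
net.inet.carp.preempt=1

# /etc/pf.conf fragment: the peers must be able to exchange CARP and
# pfsync traffic, and the sync link needs no state tracking of its own.
ext_if = "em0"
int_if = "em1"
sync_if = "em2"

set skip on $sync_if
pass on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync
```

With both boxes configured this way, states created on the master are mirrored to the backup before the packets are forwarded, so when the master goes away the backup already holds the sessions and clients do not notice. That is exactly what does not happen for an IPsec SA, which is why the VPN case above needs more work than the firewall case.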