Recently I replaced my office’s filtering network bridge which still ran on an old FreeBSD 4.11 box for the last eight years or so. The new system is based on a Soekris 5501, and because it took some time to choose the right software I decided to publish my notes on the tested BSD firewall products.
M0n0wall: I have already used this as a NAT router and liked the web-based configuration (which I perceived as convenient but not limiting), so it was the first candidate. But I found it to be ‘too small’ for my plans. It allows neither the installation of additional software, nor ssh login for scriptable configuration changes. It also does not use pf, which I tend to prefer for its concise configuration and dynamic tables.
pfSense: M0n0wall’s big brother; bigger, more complete, and more customizable. But with one major problem: no IPv6 support. It is 2010, with only 1-2 years until the IPv4 address pool exhaustion… deploying network infrastructure without IPv6 support is ridiculous and not an option. – Another problem seems to be limited support for bridge setups: there are always a number of standard pf rules that are hard to circumvent when problems occur. I nearly settled on using the web interface for IPv4 and inserting my own IPv6 rules into the PHP scripts. But this would have made it even harder to maintain than a solution without any web interface.
NanoBSD: So I finally took the chance to build my own small FreeBSD system for the task. NanoBSD is basically a script to do a FreeBSD ‘make world’, allow for some customization, and finally put everything into a CF-ready disk image. Of course the first attempt required several changes after installation (it’s really hard to think of all configuration steps beforehand), but everything went well without major problems.
Thus I chose NanoBSD. YMMV, and I would not recommend it for anyone not familiar with BSD. – But with four other BSD servers the additional maintenance effort is really small; possibly even easier than with any non-standard or web-based configuration.
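For readers who want to see what the pf-based bridge setup mentioned above looks like, here is an added example of a pf.conf for a transparent filtering bridge with IPv4 and IPv6 rules and a dynamic table. It is not the author’s actual configuration: the interface names (vr0 outside, vr1 inside), the documentation address ranges and the published ports are assumptions for illustration.

```pf
# Added example: pf.conf for a transparent filtering bridge (IPv4 + IPv6).
# vr0/vr1, the address ranges and the ports below are assumed values.
# Filtering on the member interfaces rather than on bridge0 requires
#   sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
ext_if = "vr0"
int_if = "vr1"
inside_net4 = "192.0.2.0/24"
inside_net6 = "2001:db8:1::/64"

# Dynamic table: entries change at runtime without reloading the rule set,
# e.g.  pfctl -t blocked -T add 203.0.113.5   /   pfctl -t blocked -T show
table <blocked> persist
table <inside> const { $inside_net4, $inside_net6 }

set skip on lo0
set skip on bridge0          # rules apply on the members, not the bridge

# Default deny, logged to pflog0 for auditing.
block log all
block in quick on $ext_if from <blocked>

# ICMPv6 is required for neighbour discovery and PMTU discovery;
# blocking it wholesale breaks IPv6 silently.
pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }
pass in quick inet6 proto icmp6 icmp6-type { echoreq, toobig, timex, paramprob, unreach }
pass in quick inet proto icmp icmp-type { echoreq, unreach }

# Inside hosts may initiate anything; floating state matches the reply
# on the other member interface of the bridge.
pass in on $int_if from <inside> to any keep state

# From outside, only the published services reach inside hosts.
pass in on $ext_if proto tcp from any to <inside> port { 22, 80, 443 } keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see what the default deny is dropping on the bridge.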
[Update, 2011-02-24: If you use NanoBSD yourself then take a look at the useful scripts and patches from BSDRP.]