Building an OpenBSD Router (openbsd.org)
7 points by hepasang on April 15, 2021 | 1 comment


I ran an OpenBSD router on an ALIX board for about 10 years and it was rock solid. Only stopped using it after switching to municipal fiber (and just using the ISP router, as the uplink was way too fast for the poor old ALIX).

I plan to switch work routers to OpenBSD sooner or later and we'll also get in-kernel WireGuard.

Something I like about pf in general is the tables. You can define a <table> to include a file, such as a list of bad CIDRs provided by the Spamhaus DROP list for example. Besides that, the grammar (inherited from ipf, back in the day) is basically just English.

    pass in inet proto tcp from any to any port 443

(You can also write https instead of 443, I just prefer port numbers over protocol names.)

I don't know what the equivalent is in other packet filters, but if you ask 1000 random non-firewall tech-people what the above rule and the iptables equivalent mean, more people will understand the pf grammar. That's really important when you're writing firewall rules.
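An added example, not part of the comment above or of the linked OpenBSD page: one way to turn a downloaded blocklist feed into a file that a pf table can load, keeping only well-formed IPv4 CIDRs so that an error page or a malformed feed never reaches the ruleset. The function names, the table name `drop`, the path `/etc/pf/drop.txt` and the sample feed (in the "CIDR ; reference" text layout) are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample feed: "CIDR ; reference", with ';' starting a comment.
# The addresses are documentation ranges, not real listings.
sample_feed() {
cat <<'EOF'
; constructed sample, not real listings
192.0.2.0/24 ; EX0001
198.51.100.0/25 ; EX0002
203.0.113.7 ; EX0003 (no prefix length: rejected)
999.1.1.0/24 ; EX0004 (octet out of range: rejected)
10.0.0.0/33 ; EX0005 (prefix out of range: rejected)
192.0.2.0/24 ; EX0006 (duplicate: dropped)
<html>error page</html>
EOF
}

# Read a feed on stdin and print only valid, unique IPv4 CIDRs, one per line.
feed_to_pf_table() {
    awk '
    {
        sub(/;.*/, "")            # drop the trailing comment
        gsub(/[ \t\r]/, "")       # drop whitespace and stray carriage returns
        if ($0 == "") next
        # Shape check first: four dotted numbers, a slash, a prefix length.
        if ($0 !~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+$") next
        split($0, p, "[./]")
        for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) next
        if (p[5] + 0 > 32) next
        if (!seen[$0]++) print
    }'
}

# pf.conf lines that would consume the output (table name and path assumed):
#   table <drop> persist file "/etc/pf/drop.txt"
#   block in quick on egress from <drop>
# Refresh the table later without reloading the whole ruleset:
#   pfctl -t drop -T replace -f /etc/pf/drop.txt

# Demo on the constructed feed; prints the two entries that survive.
sample_feed | feed_to_pf_table
```

Writing the filtered output to a temporary file and moving it into place only when it is non-empty keeps a failed download from emptying the table.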



