• Re: Homelab firewall/router setup, looking for advice

    From Dan Ritter@3:633/10 to All on Wednesday, April 08, 2026 13:00:01
    Roy wrote:
    I'd like an unbiased opinion on whether OpenBSD should be considered
    a better choice as a firewall/router.

    No unbiased opinions exist.

    I will say that:

    * Debian's package update mechanism is faster than OpenBSD's

    * OpenBSD is the upstream source of several security-critical packages including the ubiquitous OpenSSH;

    * It is convenient, especially for a non-expert, to have one OS
    to admin rather than two.


    I'm wondering whether OpenBSD would be easier to manage as a firewall/router than Debian.

    No, they pose the same degree of difficulty and require the same
    basic understanding of networking.

    Absolutely not. I'm referring to the fact that, as soon as I started
    looking into firewall options on Debian, I found at least three
    different systems: iptables, nftables, and ufw. It was quite confusing
    to understand how they relate to each other. I now think I understand
    that nftables is the newer approach, and it's a very sophisticated and feature-rich system, probably ideal for a team of engineers, but maybe overkill for a side project like mine.

    That's incorrect.

    There is one firewall* system in the kernel. nftables is the
    complete base system for manipulating it.

    iptables used to be that base system, but as part of the
    nftables transition, iptables actually calls nftables now, so
    there is less need for people who knew the iptables syntax to
    change over.

    ufw is one of many, many more-or-less easy-to-use frontends to the underlying firewall system. To quote the man page:

    The Uncomplicated FireWall is a front-end for iptables, to make managing a
    Netfilter firewall easier. It provides a command line interface with syntax
    similar to OpenBSD's Packet Filter. It is particularly well-suited as a
    host-based firewall.

    host-based, in this case, means "endpoint" rather than "router".

    When I searched for firewall solutions on OpenBSD, the answer was much simpler: just pf.

    Correct. pf is functionally the sole interface to OpenBSD's
    kernel packet filtering.

    In terms of performance, Linux wins on multicore CPUs (virtually
    all CPUs, these days) and OpenBSD on a single core. However,
    performance is absolutely not a factor you should consider for a
    homelab; hardware will constrain you before the firewall OS
    does.


    -dsr-

    *Hello pedantic people. Yes, you can talk to BPF directly.

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Ralph Aichinger@3:633/10 to All on Wednesday, April 08, 2026 13:30:01
    On Wed, Apr 08, 2026 at 09:20:41AM +0200, Roy wrote:
    I'd like to set up a homelab with a LAN and a DMZ. I have a PC with
    three network interfaces. The idea is to separate the DMZ so I can
    publish a demo website. This is not for professional use, just for
    tinkering as a hobby.

    I've got a setup like this, and highly recommend it!

    If anyone has experience with firewall/router setups, would you
    recommend using Debian for the firewall/router PC as well, or using
    OpenBSD for the firewall/router and Debian as a KVM host for services? Alternatively, should I just use Debian for the firewall/router with nftables?

    In my opinion, the latter. To me nothing is more freeing than using
    the operating system and other components you are using for other tasks
    for this. And that is a very strong opinion of mine.

    E.g. dumping traffic and finding network problems is so much easier
    if you are using the well documented network stack in Linux. If you
    just can fire up "tcpdump" instead of using whatever arcane traffic
    dumping tool the vendor of proprietary firewall box XY wanted. I wish
    I could do that at work.

    My "firewall" consists of about 100 lines (for public IPv4 and IPv6 public facing IP, IPv6 only DMZ) of /etc/nftables.conf. It is very freeing not
    having to use a frontend, configuration interface, or similar, just 100
    lines of rules (and those are not written very compact).

    I'm asking because I have the impression that Linux has accumulated a
    lot of overhead and is no longer as suitable for personal tinkering,
    but is more geared toward enterprise use.

    Hell no! Lots of us are still tinkering, experimenting, homelabbing ...

    Out of my cold dead hands you can take my public IP address sitting on
    an internet-exposed Linux box.

    /ralph

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Joe@3:633/10 to All on Wednesday, April 08, 2026 17:10:02
    On Wed, 08 Apr 2026 14:05:18 +0200
    Roy <royroge@outlook.com> wrote:

    Can you suggest some good documentation to start with? As I mentioned,
    there is a lot of outdated information, and it's really difficult to
    filter out what's essential.


    Any tutorial based on nftables will be fairly recent and certainly
    applicable. Most of the obsolete stuff is going to be iptables and the
    older frontends. Even so, there's a means of translating iptables code
    to nftables, so if you find something really useful in iptables, it can probably be ported fairly easily.

    As to frontends: I haven't tried one for a long time, but they
    basically simplify the compact but not greatly readable syntax of
    nftables, and iptables before it. The other edge of that blade is that
    they cannot do everything you can do with the raw kernel-driving code.
    It's a steep learning curve if you're not previously familiar with
    iptables (and still somewhat steep if you are) but it gives you more
    control.

    As an aside, I don't do it much now, but I used to use iptables quite a
    lot as a cheap and nasty logging tool, nowhere near as versatile as
    Wireshark and the others, but if you just want to see if a particular
    protocol is getting in or out of somewhere, it's very quick to add a
    logging rule. A little harder with nftables.

    --
    Joe

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
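The kind of ruleset Ralph describes above (three interfaces, a public IPv4 address with NAT, a DMZ that the outside can reach only on the web ports) together with the dropped-packet logging Joe says is "a little harder with nftables", as an added example that is not part of any post in this thread. The interface names wan0/lan0/dmz0, the RFC 1918 ranges, the 2001:db8: documentation prefix and the web host address are assumed placeholders to be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example for a three-NIC Debian router: WAN, LAN and DMZ.
# Interface names, prefixes and the web host address are assumed
# placeholders, not values from the thread.
flush ruleset

define wan = "wan0"
define lan = "lan0"
define dmz = "dmz0"
define lan_net4 = 192.168.10.0/24
define dmz_net4 = 192.168.20.0/24
define dmz_net6 = 2001:db8:0:20::/64
define web_host4 = 192.168.20.10

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # ICMP and ICMPv6 carry PMTU, neighbour and router discovery;
        # dropping them breaks IPv6 and large transfers.
        meta l4proto { icmp, ipv6-icmp } accept

        # The router's own services: SSH only from the LAN,
        # DNS and DHCP(v6) for both internal segments.
        iifname $lan tcp dport 22 accept
        iifname { $lan, $dmz } udp dport { 53, 67, 547 } accept
        iifname { $lan, $dmz } tcp dport 53 accept

        # Everything else arriving from the Internet is dropped by the
        # chain policy; log a rate-limited sample of it first.
        iifname $wan limit rate 5/minute log prefix "in-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # LAN may go anywhere; DMZ may only go out to the Internet.
        # There is deliberately no dmz -> lan rule.
        iifname $lan oifname { $wan, $dmz } accept
        iifname $dmz oifname $wan accept

        # The published demo site: only the web ports, only into the DMZ.
        # IPv4 arrives here already rewritten by the nat table below.
        iifname $wan oifname $dmz ip daddr $web_host4 tcp dport { 80, 443 } accept
        iifname $wan oifname $dmz ip6 daddr $dmz_net6 tcp dport { 80, 443 } accept

        # Quick "is it getting through?" check: dropped packets are logged
        # with a prefix you can grep for in the kernel log, rate-limited
        # so a port scan cannot fill the disk.
        limit rate 10/minute log prefix "fwd-drop: "
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# IPv4 only: the demo host is published via DNAT and the internal
# segments share the single public address via masquerading.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $wan tcp dport { 80, 443 } dnat to $web_host4
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr { $lan_net4, $dmz_net4 } masquerade
    }
}
```

Syntax-check it with `nft -c -f /etc/nftables.conf` before loading it with `nft -f`, enable forwarding with the `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` sysctls, and read the logged drops from the kernel log (`journalctl -k` or `dmesg`). The missing DMZ-to-LAN rule is the point of the third interface: if the demo web host is compromised, the forward chain's drop policy leaves it no path into the LAN.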
  • From Eddie@3:633/10 to All on Wednesday, April 08, 2026 17:40:01
    On 4/8/26 11:01 AM, Joe wrote:
    On Wed, 08 Apr 2026 14:05:18 +0200
    Roy <royroge@outlook.com> wrote:

    Can you suggest some good documentation to start with? As I mentioned,
    there is a lot of outdated information, and it's really difficult to
    filter out what's essential.


    Any tutorial based on nftables will be fairly recent and certainly applicable. Most of the obsolete stuff is going to be iptables and the
    older frontends. Even so, there's a means of translating iptables code
    to nftables, so if you find something really useful in iptables, it can probably be ported fairly easily.

    As to frontends: I haven't tried one for a long time, but they
    basically simplify the compact but not greatly readable syntax of
    nftables, and iptables before it. The other edge of that blade is that
    they cannot do everything you can do with the raw kernel-driving code.
    It's a steep learning curve if you're not previously familiar with
    iptables (and still somewhat steep if you are) but it gives you more
    control.

    As an aside, I don't do it much now, but I used to use iptables quite a
    lot as a cheap and nasty logging tool, nowhere near as versatile as
    Wireshark and the others, but if you just want to see if a particular protocol is getting in or out of somewhere, it's very quick to add a
    logging rule. A little harder with nftables.


    Have a look at https://openwrt.org/; this has Debian-slanted info.

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From David Christensen@3:633/10 to All on Thursday, April 09, 2026 06:50:01
    On 4/8/26 00:20, Roy wrote:
    I'd like to set up a homelab with a LAN and a DMZ. I have a PC with
    three network interfaces. The idea is to separate the DMZ so I can
    publish a demo website. This is not for professional use, just for
    tinkering as a hobby.

    If anyone has experience with firewall/router setups, would you
    recommend using Debian for the firewall/router PC as well, or using
    OpenBSD for the firewall/router and Debian as a KVM host for services? Alternatively, should I just use Debian for the firewall/router with nftables?

    I'm asking because I have the impression that Linux has accumulated a
    lot of overhead and is no longer as suitable for personal tinkering,
    but is more geared toward enterprise use.


    Building a gateway/router/firewall using a PC, multiple NICs, and a general-purpose FOSS OS distribution is possible. Been there, done
    that. Similarly so with purpose-built distributions (IPCop).


    I came to the realization that I just want to *use* the network, not
    become a networking expert and build everything from scratch.
    Especially when each and every device had its own web GUI and I had to synchronize settings across all devices manually.


    Then I discovered Ubiquiti Networks UniFi. The products are Linux on
    the inside, if and when you need that. The killer feature of UniFi is
    that you control everything using one web GUI in the cloud -- routers, switches, Wi-Fi access points, cameras, etc. And, everything just works.


    If you want to experiment with a web server on the public Internet, get
    a VPS. Professional hosting companies take care of networking
    (including security), VM installation, VM backup, etc., so you can focus
    on your services.


    David

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Stefan Monnier@3:633/10 to All on Thursday, April 09, 2026 15:50:01
    Well, you kind of made my point :)

    There is no doubt that Debian is very positively reluctant to pick
    winners. Instead it's the land of choice.
    It's as much a blessing as a curse: when you don't know any of
    the alternatives it can take a lot of work to make a choice.

    If you're looking for "the standard firewall solution" for Debian, I'll
    argue it's `firewalld`.


    === Stefan

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Anssi Saari@3:633/10 to All on Friday, April 10, 2026 12:40:01
    Roy <royroge@outlook.com> writes:

    If anyone has experience with firewall/router setups, would you
    recommend using Debian for the firewall/router PC as well, or using
    OpenBSD for the firewall/router and Debian as a KVM host for services? Alternatively, should I just use Debian for the firewall/router with nftables?

    I went with Debian in my router when I couldn't find a router I
    liked. Commercial router often means Linux with a smelly proprietary
    layer on top and no access to Linux itself. Or a supermarket router of
    the week where you can maybe replace the OS with OpenWRT or the like. I
    had some doubts about OpenWRT when they split into two some years ago so
    didn't want to go that way any more.

    So then, I got a router-like PC to run Debian on which has been
    great. And definitely I've done quite a lot of tinkering this winter especially, first adding VLANs and then tweaking IPv6 to work the way I
    want. Earlier stuff was setting up filtering in the DNS and using
    dnscrypt for external DNS access.

    As for OpenBSD and pf, I didn't want to learn another OS with another
    firewall and I was already more or less familiar with Debian and
    relevant bits like nftables as well as systemd-networkd and
    dnsmasq.

    I'm asking because I have the impression that Linux has accumulated a
    lot of overhead and is no longer as suitable for personal tinkering,
    but is more geared toward enterprise use.

    Hm. Enterprise use is of course important for Linux but there's also
    smaller applications like phones, network gear, workstations. To name a
    few.

    Your impression reminds me... About 25 years ago when I tried FreeBSD,
    there was some eye rolling in their community at Linux having multiple different Unix-like file systems. And why? Because some SGI peeps wanted
    their XFS in Linux. IBM wanted their JFS in Linux. Someone else wanted
    their pet FS in Linux. Sun definitely didn't want their ZFS in Linux but
    people made it happen anyway. Others wanted something to use on raw
    flash devices, so squashfs and JFFS happened. And so it goes, more use
    cases means more people means more devs which means more software in
    Linux.

    Now, did having multiple file systems in Linux make it unsuitable for
    personal tinkering? Create "overhead", whatever that means? I don't
    think so. Having different ways to config a firewall doesn't
    either. There's the wizard level eBPF too but I think I'll steer well
    clear of it. Maybe if I ever have too much time on my hands.

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jeffrey Walton@3:633/10 to All on Friday, April 10, 2026 17:50:01
    On Wed, Apr 8, 2026 at 6:04 AM Roy <royroge@outlook.com> wrote:

    I'd like to set up a homelab with a LAN and a DMZ. I have a PC with
    three network interfaces. The idea is to separate the DMZ so I can
    publish a demo website. This is not for professional use, just for
    tinkering as a hobby.

    If anyone has experience with firewall/router setups, would you
    recommend using Debian for the firewall/router PC as well, or using
    OpenBSD for the firewall/router and Debian as a KVM host for services? Alternatively, should I just use Debian for the firewall/router with nftables?

    Use pfSense.

    I use pfSense plus a Protectli 4-port firewall at the house: <https://www.amazon.com/stores/page/405AE736-1693-414B-8C44-490BA63B353C>.

    I'm asking because I have the impression that Linux has accumulated a
    lot of overhead and is no longer as suitable for personal tinkering,
    but is more geared toward enterprise use.

    Jeff

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Steinar Bang@3:633/10 to All on Sunday, April 19, 2026 09:40:02
    Roy <royroge@outlook.com>:

    If anyone has experience with firewall/router setups, would you
    recommend using Debian for the firewall/router PC as well, or using
    OpenBSD for the firewall/router and Debian as a KVM host for services? Alternatively, should I just use Debian for the firewall/router with nftables?

    I've been running this one for 10 years now:
    https://steinar.bang.priv.no/2016/05/06/using-a-raspberry-pi-2-model-b-as-a-routerfirewall-for-the-home-lan/

    Before that I was running a regular old 1990s PC with Debian as my
    router and firewall (and server exposed to the outside. Until suppliers
    started using IP masquerading and port filtering, I ran my domain's SMTP
    server and an IMAP server on that computer. I moved that part into the
    cloud in 2008).

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)