Which Free UNIX?

Note: This page was written in June of 2000. The firewall described here is still up and kicking, but some information on this page may be out of date. BSD--and Linux--are constantly moving targets.

For my home firewall, I looked at several OS alternatives. Although several seemed promising, I ended up running Linux in the end. Why would a Linux user consider running anything but Linux? Many reasons, which don't make me an OS heretic! Okay, if I'd considered anything but UNIX, then I'd be a heretic. And if I'd considered anything from Microsoft, I'd be certifiably loony. But Microsoft was out of the question anyway, because of my choice of hardware.

Hmmm. Sounds like I just said, "I like both kinds of operating system: Linux and (free) BSD." Yup, that about sums it up!

Which Free UNIX?

You should remember that Linux isn't the only free UNIX-like OS. There are several free operating systems based on 4.4BSD Lite and Net/2, two free releases from the Berkeley Software Distribution people. The BSDs are reputed to be more stable and more secure than Linux in server applications. Since the point of this firewall exercise is to behave like a security nut, it seemed like my duty to look over the alternatives.

A quick trip to CheapBytes produced four alternatives, for about $15.00 total. They were FreeBSD, NetBSD, OpenBSD, and RedHat 6.1. After a few days' anxious waiting, I began experimenting with each one in turn.

What followed was an intense three days. That's not enough time to really evaluate an OS, so these notes simply reflect the impressions of an experienced Linux user trying his hand with the *BSD distributions.

Comparing Linux and the *BSDs

The BSD-based free unices may be unfamiliar to many Linux users. I've prepared a short description of the free BSD derivatives. You can also find a longer history in the BSD FAQ, which is part of the UNIX Unleashed Internet Edition.

To summarize: if you're looking for major differences between the free unices, forget it. The three BSDs have remained very close to each other; they are probably more similar than any three Linux distributions. For example, many NetBSD bugs are found first in OpenBSD, and vice versa. And Linux is probably closer to the BSDs than to any commercial UNIX. It's no surprise: many of the same hackers work on all of them.

That said, three things recommended a BSD for my firewall.

First, the BSD code is much older than Linux, and I was interested in exploring the possibility that its greater maturity might show in the form of greater reliability.

Second, BSD invented TCP networking. The networking code in every UNIX, including Linux, is based on BSD. Again, I wanted to see whether that added maturity would show.

Third, BSD uses the UFS filesystem, which is more resistant to crashes than the Linux Ext2 filesystem. The problem with Ext2 is that file metadata is written asynchronously. That means the kernel promises programs that it has written data to disk, when really the kernel just intends to write the data later. If the machine should crash before the kernel carries out its intention, then data can be irrevocably lost. That can't happen with the UFS filesystem, since metadata writes are done synchronously.

I decided to focus on OpenBSD, for philosophical reasons. OpenBSD was founded on paranoia; that sounds just right for a firewall.

Wars of Inches

The thing to remember is that we're talking about a war of inches here. All the information I can find suggests that the free operating systems are just about evenly matched, overall. Each has different strengths which suit it for different applications.

If you need an alpha device driver, for example, then your machine is likely to be unstable--whichever OS you pick. Since Linux has the largest number of stable device drivers, Linux would probably be your best bet if you have any unusual hardware.

On the other hand, if all of your hardware is widely supported, then device drivers aren't a problem. If you're trying to build a network server, then perhaps OpenBSD's security-audited network code is the thing to have. In the case of my firewall, that seemed like a reasonable idea.

Journaling filesystems might also interest you, and Linux doesn't have one yet. Things like mail servers are inherently unreliable on asynchronous filesystems. Here "unreliable" is defined as "practically perfect in every way, most of the time, but not the best we can do with existing technology." We can solve this problem under Linux by putting the mail queue on a separate filesystem and mounting it with the "sync" option. However, journaling filesystems are faster than Ext2 in synchronous mode, so they still have an attraction that might steer you toward BSD (in this respect, all of the BSDs are equal).
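The sync-mounted mail queue workaround described above, as an added example that is not from the original page: a constructed /etc/fstab line for the spool partition, and a small POSIX shell function that parses /proc/mounts-format output to confirm that a given mount point really carries the "sync" option (the device name and the /var/spool/mqueue mount point are assumptions).

```shell
#!/bin/sh
# Added example: check that a mail spool filesystem is mounted with "sync",
# the Linux workaround for asynchronous metadata writes discussed in the text.
#
# Constructed /etc/fstab entry (device and mount point are assumptions):
#   /dev/hdb1  /var/spool/mqueue  ext2  sync,nodev,nosuid,noexec  0  2

# mount_has_option MOUNTS_TEXT MOUNTPOINT OPTION
#   MOUNTS_TEXT: text in /proc/mounts format (device mountpoint fstype options dump pass)
#   Prints "yes" if MOUNTPOINT appears and OPTION is one of its comma-separated
#   options, "no" otherwise. Options are matched as whole words, so asking for
#   "sync" does not match a filesystem mounted "async".
mount_has_option() {
    printf '%s\n' "$1" | {
        hit=no
        while read -r _dev point _type opts _rest; do
            [ "$point" = "$2" ] || continue
            case ",$opts," in
                *",$3,"*) hit=yes ;;
            esac
        done
        echo "$hit"
    }
}

# Constructed sample in /proc/mounts format, not taken from any real machine.
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
/dev/hdb1 /var/spool/mqueue ext2 rw,sync,nodev,nosuid,noexec 0 0
/dev/hdc1 /var/log ext2 rw,async 0 0
none /proc proc rw 0 0'

# Stand-alone usage: report on the constructed sample, then on the live
# system if /proc/mounts is readable (mount point is an assumption).
echo "sample /var/spool/mqueue sync: $(mount_has_option "$SAMPLE_MOUNTS" /var/spool/mqueue sync)"
if [ -r /proc/mounts ]; then
    echo "live /var/spool/mqueue sync: $(mount_has_option "$(cat /proc/mounts)" /var/spool/mqueue sync)"
fi
```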

Then again, if you need an OS for your Timex-Sinclair, or your Casio calculator, or your Nike running shoe, then NetBSD is your only choice.

Len Budney
lbudney@pobox.com
Copyright © 1998 - 2004
Page generated: 20:03:30 21-Dec-2004