Gateway and Perimeter Systems

Border and Gateway Systems

OpenBSD is an established, tested system for edge or border devices. You may have to use your local search engine or watch the mailing lists, but if you want to write your own marketing brochures (aka "do your own research"), OpenBSD is a practical and solid solution for many edge devices and border systems.

These notes will not help you build a secure system, but will hopefully provide some strategy for monitoring or debugging your configuration.


The Packet Filter Engine, PF, is a stateful packet filtering system developed by the OpenBSD developers. PF provides access controls for network traffic, including QoS, traffic shaping, and Network Address Translation (NAT).

In this context, we discuss using OpenBSD's High Availability features, which support warm/hot failover between different hosts.

High Availability

OpenBSD offers some unique (?) tools for systems requiring high availability services. The high availability core services allow administrators to augment any application to mitigate hardware failure.

The default distribution of OpenBSD includes a Firewall Packet Filter that extends the above features to support various high availability scenarios for the firewall.


Proxies are Application Level (Layer 7?) gateways that offer another layer of controls on resource use, and at times can also provide another layer of security.


Routing Gateways manage traffic between different networks at network Layer 2 or 3. OpenBSD works well in this environment, including networks requiring IPv4 and IPv6.

For large network routing configurations, OpenBSD supports industry standards such as the Border Gateway Protocol (BGP), OSPFD, and MPLS.