Sunday, September 22, 2002

I AM NOT A SYSADM

So because we have DSL and Dean has a LISP-based almost-custom webserver and we have a gazillion laptops of our own, I set up my own firewall using an old box and OpenBSD 2.9. I followed the book; I have a three-legged firewall with one locked-down internal zone for the laptops to browse over the wireless network and the happydino.com webserver in a DMZ. If you try to webserve, ssh, or mail us, it'll go automatically to the DMZ; the laptops are supposed to only be connecting over channels they open and not the other way round, etc, etc, etc.

It's been one fucking pain after another to figure this out. Everyone out there has their own rulesets for their firewalls, and all the rules in the rulesets work together in intricate ways, so it is hard to say, well, this rule does only this and this rule does that; no, each filtering set is carefully pieced together. And so I did my own, through trial and error. Every piece of writing on OpenBSD touts how secure it is but is extremely unfriendly towards users who actually don't enjoy being a sysadm and are starting from nowhere. Manpages are terse and hostile to actual humans approaching this new. Setting up 'named' properly took forever because of our needs. Setting up PPPoE was a pain, because it breaks the tricks for hardening the firewall in undocumented ways. Everybody has opinions on what to do, but they don't all work together, and I end up borrowing and following HOW-TOs, if I can find them, halfway, with every step having to make sure I don't break something new this time.

The result is that I actually don't even know whether my firewall and the computers behind it are actually that secure against attacks -- sure, the portscans show up like I expect, but that's just the portscan -- and I can't seem to modify my ruleset to let the DMZ open a connection to send mail. happydino.com cannot send out mail, just receive it. Never mind what I really should be doing, which is setting up ipsec between the firewall and the wireless Win2K portables so nobody can read the packets going over the air.

I am useless at this. Useless. It takes forever in between all the reboots I have to do to test things out (No, I cannot just do "sh ./netstart", that actually has a different effect sometimes on my routing than rebooting, and if I don't test by rebooting, the next time I reboot for a real reason it may turn out that my setup wasn't working right. Yes, I am sure it always works perfectly the same for you.), I am not sure what to tweak, and the pages of help are being updated and dwindling because everyone is migrating to OpenBSD 3.1 and writing help documentation for that. I have no idea how to upgrade easily short of re-installing, and since the syntax has changed on many packages, I really. Don't. Want. To. It'll take me two weeks again.

Fuck freeware. It just simply isn't worth my time.
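The three-legged policy the post describes (public web, ssh and mail land on the DMZ host; the internal LAN may open connections but nothing may open connections into it; the DMZ host may deliver outbound mail and nothing else), written out as an added example in the IPFilter syntax OpenBSD 2.9 shipped with. This is not the author's ruleset or anything from happydino.com. The interface names and addresses are assumptions: tun0 is the PPPoE uplink with a changing address, xl0 is the internal LAN 192.168.1.0/24, xl1 is the DMZ 192.168.2.0/24, and the web/mail host is 192.168.2.2.

```conf
# ---- /etc/ipf.rules (constructed example; interfaces and addresses assumed) ----
# ipf is last-match-wins unless a rule says 'quick', so every rule here uses
# quick and the two 'block ... log all' lines are the default for anything
# that falls through. No rule mentions the public address, so a PPPoE
# reconnect that changes tun0's address does not break anything.
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

# Uplink anti-spoofing: private source addresses never arrive from the Internet.
# There is deliberately no matching 'block out' on tun0: ipnat maps outbound
# packets after the filter, so the filter still sees the private source then.
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 127.0.0.0/8 to any

# Published services. ipnat 'rdr' runs before the filter on inbound packets,
# so these rules must name the DMZ address, not the public one. flags S/SA
# means "SYN set, ACK clear": only connection openers match, and the state
# entry then carries the rest of the connection in both directions.
pass in quick on tun0 proto tcp from any to 192.168.2.2 port = 80 flags S/SA keep state
pass in quick on tun0 proto tcp from any to 192.168.2.2 port = 22 flags S/SA keep state
pass in quick on tun0 proto tcp from any to 192.168.2.2 port = 25 flags S/SA keep state

# DMZ ingress: this is where the DMZ host's outbound policy lives. It may
# open SMTP (to deliver mail) and DNS (to find the MX), never anything into
# the LAN, and nothing else; everything else hits 'block in log all'.
block in quick on xl1 from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on xl1 proto tcp from 192.168.2.2 to any port = 25 flags S/SA keep state
pass in quick on xl1 proto udp from 192.168.2.2 to any port = 53 keep state

# LAN ingress: the laptops may open anything, to the Internet or to the DMZ.
pass in quick on xl0 proto tcp from 192.168.1.0/24 to any flags S/SA keep state
pass in quick on xl0 proto udp from 192.168.1.0/24 to any keep state
pass in quick on xl0 proto icmp from 192.168.1.0/24 to any keep state

# Egress. Policy is enforced where traffic enters the box (above); the only
# extra egress check is that no fresh TCP SYN may ever leave toward the LAN,
# so a mistake elsewhere still cannot open a connection inward.
block out log quick on xl0 proto tcp from any to any flags S/SA
pass out quick on xl0 all
pass out quick on xl1 all
pass out quick on tun0 proto tcp from any to any flags S/SA keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# ---- /etc/ipnat.rules (constructed example; same assumptions) ----
# 0/32 is "the interface's current address", which is what you want on PPPoE.
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map tun0 192.168.1.0/24 -> 0/32
map tun0 192.168.2.0/24 -> 0/32 portmap tcp/udp 10000:60000
map tun0 192.168.2.0/24 -> 0/32
rdr tun0 0/32 port 80 -> 192.168.2.2 port 80 tcp
rdr tun0 0/32 port 22 -> 192.168.2.2 port 22 tcp
rdr tun0 0/32 port 25 -> 192.168.2.2 port 25 tcp
```

Load it with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules` (on 2.9 the rc.conf `ipfilter` and `ipnat` knobs make that happen at boot, and `net.inet.ip.forwarding=1` has to be set in /etc/sysctl.conf or nothing is routed at all). `ipfstat -hio` shows the loaded rules with hit counts, which is the quickest way to see which rule a test connection actually matched, and `ipfstat -s` shows the state table. The point worth taking from the layout is that the rule that lets a DMZ host send mail is an ingress rule on the DMZ interface, not an outbound rule on the uplink: the packet is refused where it first enters the firewall, so adding `pass out` rules on tun0 changes nothing. To check the policy rather than trust it, scan the public address from outside and confirm that only 22, 25 and 80 answer, then from the DMZ host try to open a connection to a LAN address and to an arbitrary Internet port and confirm both are refused while port 25 gets through.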