
commercial router vs. openbsd

From: Arne Woerner <woerner(at)mediabase-gmbh.de>
Date: Tue Mar 18 2003 - 04:41:28 EST


Hi!

I am not subscribed to this mailing list. So I would be glad if you could include my email address in the recipient list of potential responses.

We would like to use an OpenBSD machine as a gateway to the public internet in a rather restrictive setting (see appendix A). Unfortunately the network security office of our group believes strongly that "at least a stinger (anno.: name changed for antispam purposes)" is necessary to keep the security at an acceptable level. I have heard similar statements from a HAIRWAXO (anno.: ditto) consultant (appr.: "the Solaris TCP/IP stack is not so good"). A stinger (anno.: ditto) consultant told me that he thinks that my packet filter is sufficient but that the OS is inferior to the stinger (see above) OS because even if you break one module the others stay safe (I do not know how I should understand that; maybe they use something like single capsuled processes for each module (but if you could tell wrongfully a buggy "ipfw module" that a packet is okay the capsules would be of no use)).

I would like to know if there is a reasonable probability to break through the TCP/IP/IPFW construction in an OpenBSD 3.2 box (experiences, histrionic reports).

Thanks.

Bye
Arne

---
mediaBase GmbH, Maria-Probst-St. 22, 80939 Muenchen, BY, FR Germany
Arne Woerner, network administrator (CO: rothe@mediabase-gmbh.de) (tz: Zulu+1h)
phone +49 89 3715977-1 / +49 179 5410106 - fax +49 89 3715977-2

appendix A: setting
pubINet<->DSL line<->PPPoe<->ipfw<->SSH client(!)<->our App
Received on Tue Mar 18 04:43:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:37 EDT

