Network boundary security. No annual subscription. No proprietary lock-in. ∵ BSD is better.
If you have a SonicWall or WatchGuard appliance, there is a question worth asking: is the subscription current? Not whether you meant it to be — whether it actually is. When a SonicWall subscription lapses, the device continues passing traffic. The green lights stay on. The dashboard reports normal. The threat signature databases quietly freeze. The firmware stops updating. You believe you have active protection. You do not.
This is documented behaviour in SonicWall's own support materials.
If you have an ISP-supplied router — BT Smart Hub, EE router, Virgin Media Hub — you have a NAT box and a Wi-Fi access point. You do not have a firewall in any meaningful sense. The Transparent Open Firewall replaces either of these with a correctly engineered network boundary that does not require an annual payment to stay secure.
It sits where your current router sits — between your broadband connection and your office network — and handles everything a network boundary device should: stateful packet filtering, DHCP, DNS with DNSSEC validation, NTP, and optionally BGP routing.
Every component comes from the OpenBSD base system. No third-party packages required for core operation. No web management interface. No proprietary modules. No vendor cloud services in the data path.
The name means what it says. The entire configuration is plain text, kept under version control, readable by any IT-competent engineer without vendor training or proprietary tools. You could hand it to your insurer or a compliance auditor this afternoon.
The commercial firewall market has converged on a web GUI as the primary management interface. This is also the single most consequential attack surface on a device whose entire purpose is to be the hardest thing on your network to compromise.
CVE-2024-3400, the CVSS 10.0 PAN-OS vulnerability exploited by state-sponsored actors in 2024, was a command injection in the GlobalProtect portal and gateway: not the admin GUI as such, but the same class of surface, privileged code parsing application-layer input from the internet on the device that is supposed to be the boundary. Fortinet's management interface has produced the same class of vulnerability repeatedly. So has SonicWall's.
OpenBSD's record of only two remote holes in the default install in a very long time is not a marketing claim. It is a documented, auditable fact that the OpenBSD project maintains publicly.
Fortinet FortiOS has 23 confirmed entries in CISA's Known Exploited Vulnerabilities catalogue as of April 2026: vulnerabilities that were not merely disclosed but actively exploited against real organisations. Palo Alto PAN-OS shipped a CVSS 10.0 command injection vulnerability in 2024. SonicWall has had authentication bypass vulnerabilities exploited in the wild. These are not the anomalies; they are the pattern.
Two remote holes in the default install in roughly thirty years is a different category of thing. It is the result of a development culture that treats security as the primary design constraint: continuous code audit, privilege separation and pledge(2)/unveil(2) restrictions on the base daemons, W^X enforcement throughout, ASLR, and a project-wide assumption that competent adversaries are reading the source code.
Read the full CVE comparison: Next-Gen Firewalls: When Mathematical Reality Meets Vendor Theatre →
The ruleset explicitly permits only what is required; everything else is blocked and logged. RFC 1918 and bogon ingress filtering. Rate limiting on permitted inbound services. A note for the technically informed: pf is also the packet filter under pfSense and OPNsense, but those run FreeBSD's older fork of pf behind a web GUI. The Transparent Open Firewall runs pf on OpenBSD, configured directly in plain text, with no web server, no PHP, no abstraction layer.
A device that is not in the DHCP lease table cannot reach your file server or backup service, whether it asked for a DHCP address or set one by hand. The lease table is updated by dhcpd itself on every DHCP event, not by a polling job, so there is no lag window. One honest limit: an IP address is not an identity. This stops the unregistered laptop and the casual "I'll just set a static IP"; it does not stop an attacker already on your LAN who spoofs the address of a device that currently holds a lease.
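What a default-deny pf.conf of that shape looks like, as an added illustration and not the service's shipped ruleset. Interface names, addresses and the management range are assumptions; the file server and backup sit on their own interface so that client-to-server traffic actually crosses the firewall, and the `<leased>` table is the one dhcpd(8) maintains when started with `-L`:

```conf
# /etc/pf.conf -- illustrative default-deny ruleset for a single-WAN SMB site.
# Added example, not the shipped Transparent Open Firewall configuration:
# interface names, addresses and the management network are assumptions.
ext_if = "em0"                 # WAN
lan_if = "em1"                 # client LAN, 192.168.10.0/24
srv_if = "em2"                 # file server and backup, 192.168.20.0/24
mgmt   = "203.0.113.0/24"      # where SSH management is allowed from

# Never accept these as a source on the WAN. A production bogon list is
# loaded from a maintained file rather than typed here.
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
    169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16,
    198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }

# Kept in sync by dhcpd(8) itself on every lease event when it is started as
# "dhcpd -L leased em1" (dhcpd_flags in rc.conf.local). No cron, no polling.
table <leased> persist

# Sources that tripped the rate limit below; expired by a daily cron job:
# pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

set skip on lo
set block-policy drop
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from { $lan_if:network $srv_if:network } nat-to ($ext_if)

# Default deny, logged, in both directions on every interface.
block log all
antispoof quick for { $lan_if $srv_if $ext_if }

# Ingress filtering on the WAN; "quick" so no later rule can re-admit it.
block in quick on $ext_if from <bogons> to any
block in quick on $ext_if from <bruteforce> to any

# The only inbound service. More than three new connections in 30 s from one
# source adds it to <bruteforce> and flushes its existing states.
pass in on $ext_if proto tcp from $mgmt to ($ext_if) port ssh \
    keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Services the firewall itself offers to the LAN: DNS, DHCP, NTP, SSH.
pass in on $lan_if proto { tcp udp } from $lan_if:network to ($lan_if) port domain
pass in on $lan_if proto udp from $lan_if:network to ($lan_if) port ntp
pass in on $lan_if proto udp from any port bootpc to any port bootps
pass in on $lan_if proto tcp from $lan_if:network to ($lan_if) port ssh

# Clients and servers to the internet (translated by the nat-to rule above).
pass in on $lan_if from $lan_if:network to any
pass in on $srv_if from $srv_if:network to any
pass out on $ext_if inet

# Last matching rule wins: everything from the client LAN to the server
# network is blocked, then only addresses present in <leased> are re-admitted.
block in log on $lan_if to $srv_if:network
pass in on $lan_if from <leased> to $srv_if:network
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch the table move with `pfctl -t leased -T show` while a client renews its lease. If the servers share a segment with the clients, the last two rules never fire, because pf only sees traffic that is routed through the firewall.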
DNS queries are resolved on the appliance from the root servers; they never go to an ISP resolver, so there is no third-party DNS telemetry. DNSSEC validation works at every response size, including the large signed answers that must fall back to TCP rather than rely on fragmented UDP. Known-bad domains are blocked at the resolver using community-maintained public blocklists, applied at installation and kept updated for the life of the service.
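The unbound(8) configuration that delivers that, as an added example rather than the service's own file. The LAN address, the blocklist path and the domain names in the comments are assumptions; the options themselves are standard unbound.conf(5) settings and the trust-anchor path is the one OpenBSD's default configuration uses:

```conf
# /etc/unbound/unbound.conf -- validating resolver for the LAN, no forwarding.
# Added example; the LAN address and blocklist path are assumptions.
server:
    interface: 192.168.10.1
    interface: 127.0.0.1
    access-control: 192.168.10.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse        # never an open resolver to the WAN

    # No forward-zone anywhere in this file: unbound recurses from the root
    # hints compiled into it, so nothing is sent to the ISP resolver.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2                        # log why an answer failed validation

    # Large DNSSEC answers: keep UDP under the fragmentation limit and let the
    # resolver retry over TCP instead of timing out on a dropped fragment.
    edns-buffer-size: 1232
    do-tcp: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    aggressive-nsec: yes

    # Privacy: no query log, no identity strings, no padding in answers.
    log-queries: no
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes

    # Blocklist, generated from the community list as one line per domain:
    #   local-zone: "ads.example." always_nxdomain
    #   local-zone: "tracker.example." always_nxdomain
    # Regenerate the file, then "unbound-control reload".
    include: "/var/unbound/etc/blocklist.conf"

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
```

Validate with `unbound-checkconf` before restarting. A quick correctness test from a LAN client is `dig +dnssec dnssec-failed.org @192.168.10.1`, which must return SERVFAIL (a deliberately broken zone), while a signed, valid zone returns the AD flag.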
Authoritative time for every device on your network. Outbound NTP requests to Apple's and Microsoft's time servers, and the telemetry that rides alongside them, are intercepted and answered locally. Time synchronisation is a security primitive: certificate validity checks, Kerberos and log correlation all depend on it.
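The two files involved, as an added example and not the service's configuration. ntpd(8) serves the LAN and disciplines itself against the UK pool, with HTTPS date constraints so a bad NTP answer cannot swing the clock; the pf rule redirects every LAN NTP request, whatever server the client asked for, to the local ntpd. The interface name and address are assumptions:

```conf
# /etc/ntpd.conf -- ntpd(8) serves the LAN and syncs against the UK pool.
# Added example; the interface address is an assumption.
listen on 192.168.10.1
servers uk.pool.ntp.org
# Date headers from TLS connections to two unrelated sites bound the offset
# ntpd will accept, so a spoofed or malicious NTP reply cannot move the clock far.
constraints from "www.google.com"
constraints from "www.cloudflare.com"

# /etc/pf.conf excerpt -- a LAN client's NTP request, whether aimed at the
# pool, time.apple.com or time.windows.com, is answered by the firewall's ntpd
# and never leaves the network. Macro repeated here so the excerpt stands alone.
lan_if = "em1"
pass in quick on $lan_if proto udp from $lan_if:network to any port ntp \
    rdr-to ($lan_if)
```

`ntpctl -s all` on the firewall shows the pool peers and constraint status; from a client, `ntpdate -q time.apple.com` (or `w32tm /stripchart` on Windows) should report the firewall's stratum and a near-zero offset, which is the evidence the redirect is working.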
Route origin validation via RPKI: announcements whose origin AS is not authorised by a signed ROA are rejected rather than installed, which is the defence against the accidental and malicious prefix hijacks that ROV exists for. It validates origins, not the full path; that is what the technology does and what any vendor's "RPKI support" means. AS-set geoblocking available. Dual-WAN support. This is a feature enterprise teams procure under five-figure contracts; bgpd and rpki-client are in the OpenBSD base system.
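A bgpd.conf(5) for a dual-homed site with origin validation, as an added example rather than anything the service ships. The AS numbers, prefixes and neighbour addresses are documentation values (RFC 5398 and RFC 5737), the as-set contents are placeholders, and the `AS as-set` filter form should be checked against the bgpd.conf(5) of the installed release:

```conf
# /etc/bgpd.conf -- illustrative RPKI origin validation, two upstreams.
# Added example; ASNs, prefixes, neighbours and set contents are placeholders.
AS 64500
router-id 192.0.2.1
network 192.0.2.0/24

prefix-set "ours" { 192.0.2.0/24 }

# Validated ROA payloads written by rpki-client(8) from the base system as a
# roa-set. The crontab entry shipped with OpenBSD (uncomment it) re-runs
# rpki-client and reloads bgpd, so the set tracks the RPKI without a vendor feed.
include "/var/db/rpki-client/openbgpd"

# Origin ASes this site chooses not to accept routes from (geoblocking by AS-set).
as-set "geoblock" { 64496 64497 }

group "upstreams" {
    announce IPv4 unicast
    neighbor 203.0.113.1 {
        remote-as 64501
        descr "ISP-A"
        max-prefix 1000000 restart 30   # a full-table leak restarts the session
    }
    neighbor 198.51.100.1 {
        remote-as 64502
        descr "ISP-B"
        max-prefix 1000000 restart 30
    }
}

# Filters: default deny in both directions, then admit only what is justified.
deny from any
deny to any

# Announce our own prefix only; nothing learned from one ISP leaks to the other.
allow to ebgp prefix-set "ours"

# Origin validation: a route whose origin AS contradicts a ROA is dropped before
# anything else is considered. "not-found" (no ROA at all) is still accepted.
deny quick from any ovs invalid
deny quick from any AS as-set "geoblock"
allow from ebgp
```

`bgpd -n` checks the syntax. After the sessions come up, `bgpctl show rib ovs invalid` should be empty and `bgpctl show rib ovs valid` should list the covered prefixes; `bgpctl show sets` confirms the roa-set actually loaded, which is the check to run if every route shows as not-found.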
A prospect replacing a SonicWall will notice the absence of deep packet inspection (DPI) and SSL/TLS interception. This is a considered architectural decision, not an omission.
DPI requires a high-privilege process on the WAN-facing device that parses application-layer content from untrusted sources. CVE-2024-3400 was a command injection in exactly that kind of code: a privileged component parsing attacker-controlled HTTP on an internet-facing interface. The attack surface that DPI and TLS interception create is not theoretical; it is the documented mechanism of the most serious firewall compromises of recent years. Content-level controls therefore live at the resolver (the blocklists described above) and on the endpoints, which is why endpoint security is listed as out of scope below.
A configuration you cannot read is a configuration you cannot audit. A configuration you cannot audit is not a security posture — it is an assumption about a security posture. The pf.conf on the Transparent Open Firewall is thirty lines or fewer for a typical SMB deployment. Any IT-competent engineer can read it in five minutes.
| | Commercial UTM | Transparent Open Firewall |
|---|---|---|
| Base OS | Hardened Linux — tens of CVEs disclosed annually | OpenBSD — two remote exploits in thirty years |
| CISA KEV entries | Fortinet: 23. SonicWall: highest of any SMB vendor. | Zero |
| Configuration format | Web GUI, proprietary export | Plain text under version control |
| Annual subscription | Yes — protection degrades on lapse | No — BSD licence, permanent |
| Management interface | HTTPS web app — active RCE attack surface | SSH only, key-based, source-IP restricted |
| DNS filtering | Separate subscription module | Included |
| BGP / RPKI | Five-figure enterprise contract | bgpd in base system — included |
| Hardware | Proprietary appliance | Commodity N150 — UK replacement within 24 hours |
| Auditability | Trust the vendor | Any IT-competent engineer can read it |
| Component | Cost |
|---|---|
| Hardware (N150, 8 GB RAM, 128 GB NVMe) | ~£275–295 inc. VAT (supplied) or client-purchased to specification |
| Software licensing | £0 — OpenBSD BSD licence, permanent |
| Annual subscription to vendor | £0 — none required |
| Installation | Quoted per site |
| Managed service fee | Quoted per site, monthly |
| Hardware replacement configuration | Included in managed service |
For context: a SonicWall TZ370 with Essential Protection renewal costs approximately £300–350 per year in software subscription alone — and that protection degrades silently if a renewal lapses.
pf ruleset configuration · DHCP static assignment · unbound with DNSSEC · ntpd against UK NTP pool · SSH management, key-based, source-IP restricted · OpenBSD errata patching (critical within 24 hours) · Community blocklist updates · WAN connectivity and service health monitoring · Monthly status report · Allowlist requests within one business day · Hardware replacement configuration included.
Not included: ISP connection or modem; Wi-Fi access point management in coworking deployments; endpoint security on client machines.
A scoping conversation takes thirty minutes. No obligation. No sales pressure.
Request a conversation