you compare apples with oranges here. The “meltdown/spectre patches” come in dozens, and different combinations mitigate different variants of those vulnerabilities. Some are comparable across Linux and BSD, some are not.
At IPFire, we eventually disabled SMT on machines affected by MDS (see here for further details), which causes massive performance issues. Except for OpenBSD, I am not aware of any *nix operating system doing the same by default.
Well, could you provide more details on the CPU vulnerability mitigations enabled on that machine by OPNsense and IPFire?
As it is already painfully obvious, performance and security are a trade-off, especially when it comes to CPU vulnerabilities. We are currently working on Kernel 5.9, which might provide better performance, but simply putting “X is faster than Y” is not detailed enough to be a valid comparison.
Thanks, and best regards,
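To make "which mitigations are enabled on that machine" answerable for the Linux side of such a comparison, here is an added example (not code from the post above, from IPFire or from OPNsense) that reads the status the kernel itself reports in sysfs: one file per issue under `/sys/devices/system/cpu/vulnerabilities/` and the SMT state in `/sys/devices/system/cpu/smt/control`. It assumes a Linux kernel that exposes those files; the directory and file arguments exist so the functions can be run against a constructed copy of the tree, and OPNsense (FreeBSD-based) would need its own sysctl-based check that is not shown here.

```shell
#!/bin/sh
# Added example (not from the forum post or the IPFire project): summarise the
# CPU vulnerability mitigations and the SMT state that a Linux kernel reports
# through sysfs, so a performance figure can be paired with the mitigation
# state it was measured under. Paths are the kernel's standard sysfs locations;
# the optional arguments let the functions run against a constructed tree.

# Print one line per vulnerability file as "<name>: <kernel status text>".
# $1 = vulnerabilities directory (default: the live sysfs path).
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel too old, or not Linux)"
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count the vulnerability files whose status still begins with "Vulnerable"
# (as opposed to "Mitigation: ..." or "Not affected"); prints the count.
count_unmitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# SMT state as the kernel reports it in smt/control: "on", "off", "forceoff",
# "notsupported" or "notimplemented". Prints "unknown" if the file is absent.
smt_state() {
    f="${1:-/sys/devices/system/cpu/smt/control}"
    if [ -f "$f" ]; then
        cat "$f"
    else
        echo "unknown"
    fi
}

# Stand-alone use: `sh this_script.sh --run` summarises the running machine.
if [ "${1:-}" = "--run" ]; then
    report_mitigations
    printf 'unmitigated: %s\nsmt: %s\n' "$(count_unmitigated)" "$(smt_state)"
fi
```

Run it on both boxes before comparing throughput: a machine whose `mds` line reads "Mitigation: Clear CPU buffers; SMT disabled" and whose SMT control is "forceoff" is not in the same state as one reporting "SMT vulnerable", and the numbers are only comparable once that is on the table.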