[CentOS] Optimizing CentOS for gigabit firewall
Robert Spangler
mlists at zoominternet.net
Fri Dec 18 22:40:20 UTC 2009
On Friday 18 December 2009 16:05, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.
IPTABLES is the same:
iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]
> The PF configuration file syntax was designed from the ground up to be
> sane, unlike iptables, which typically needs some decent sysadmin scripting
> or using fwbuilder to make any good sense of.
I beg to differ here. IPTABLES is not that hard when you understand it. Like
anything else, once you know what you are doing it isn't that hard. And no,
I have never used any GUI program to configure my firewalls.
> There is no finer opensource firewall product on the market, in terms of
> performance, ease of configuration and use, and other issues.
This is all subjective to the user. I would say that PF is a nightmare and
IPTABLES is easier to use.
> If you're not opposed to vi, for what you're looking to accomplish, moving
> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
> hosts and anything else you've mentioned. It's absolutely capable, easier,
> and in general, for anything that involves packet filtering at all, about
> as good as it gets.
Again this is all subjective to the user.
--
Regards
Robert
Linux User #296285
http://counter.li.org
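The thread's actual problem is a block list of about 500 hosts. The one-rule-per-host form quoted above works, but every packet then walks up to 500 rules; with ipset the whole list is one hash lookup behind a single iptables rule. The following script is an added example, not code from the original post or from CentOS; it assumes ipset 6 syntax (the hash:net set type and the xt_set match), a set name of blocklist, and a constructed host list drawn from the RFC 5737 documentation ranges. It only generates the ipset restore file and the iptables commands, so it runs without root; applying them is the last step.

```shell
#!/bin/sh
# Added example: build an ipset-backed block list for an iptables firewall.
# Constructed sample list (documentation addresses, not from the thread).
# One line per host or CIDR prefix; blank lines and comments are ignored,
# and the duplicate on the last line is here to show de-duplication.
SAMPLE_HOSTS='192.0.2.10
198.51.100.0/24
203.0.113.7
# a comment line
192.0.2.10'

# Emit an "ipset restore" script for set $1 from host list $2.
# hash:net accepts both single addresses and CIDR prefixes; -exist makes the
# script idempotent, so re-running it after editing the list is safe.
build_ipset_restore() {
    setname="$1"
    hosts="$2"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$setname"
    printf '%s\n' "$hosts" \
        | grep -v '^[[:space:]]*#' \
        | grep -v '^[[:space:]]*$' \
        | sort -u \
        | while read -r h; do
              printf 'add %s %s -exist\n' "$setname" "$h"
          done
}

# Emit the iptables rules that consult the set: one rule in INPUT (traffic to
# the firewall itself) and one in FORWARD (traffic through it). Matching on
# "src" blocks packets coming from listed hosts; the list length does not
# change the per-packet cost, which is the point of using a set.
build_iptables_rules() {
    setname="$1"
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s -m set --match-set %s src -j DROP\n' "$chain" "$setname"
    done
}

# Number of distinct entries the restore script will load (for sanity checks).
count_entries() {
    build_ipset_restore "$1" "$2" | grep -c '^add '
}

# Stand-alone run: print both artefacts. As root you would apply them with
#   build_ipset_restore blocklist "$SAMPLE_HOSTS" | ipset restore
#   build_iptables_rules blocklist | sh
build_ipset_restore blocklist "$SAMPLE_HOSTS"
build_iptables_rules blocklist
echo "entries loaded: $(count_entries blocklist "$SAMPLE_HOSTS")"
```

Two caveats before relying on this: check that the kernel and userland actually provide the set match (`ipset version` and `iptables -m set --help` should both succeed), since the module was not part of every stock kernel in this period; and remember that `-I` puts the DROP rule at the top of the chain, ahead of any ESTABLISHED/RELATED accept rule, which is usually what you want for a block list but should be deliberate.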