<HTML><BODY>
The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables. <br><br><br><mlists@zoominternet.net><centos@centos.org><br> >> I don't know jack about IPSet, but I know enabling or disabling hosts in<br> >> bare stock PF without the gui in front of it is about as easy as it gets.<br> ><br> >IPTALES is the same;<br> ><br> >iptables -A [INPUT/FORWARD] -d -j [REJECT/DROP]<br> ><br> >> The PF configuration file syntax was designed from the ground up to be<br> >> sane, unlike iptables, which typically needs some decent sysadmin scripting<br> >> or using fwbuilder to make any good sense of.<br> ><br> >I beg to differ here. IPTABLES is not that hard when you understand it. Like <br> >anything else, once you know what you are doing it isn't that hard. And no, <br> >I have never used any GUI program to configure my firewalls.<br> ><br> >> There is no finer opensource firewall product on the market, in terms of <br> >> performance, ease of configuration and use, and other issues.<br> ><br> >This is all subjective to the user. I would say that PF is a nightmare and <br> >IPTABLES is easier to use.<br> ><br> >> If you're not opposed to vi, for what you're looking to accomplish, moving<br> >> to BSD and pf is a no-brainer. PF can definitely handle a list of 500<br> >> hosts and anything else you've mentioned. It's absolutely capable, easier,<br> >> and in general, for anything that involves packet filtering at all, about<br> >> as good as it gets.<br> ><br> >Again this is all subjective to the user.<br> ><br> ><br> >-- <br> ><br> >Regards<br> >Robert<br> ><br> >Linux User #296285<br> >http://counter.li.org<br> >_______________________________________________<br> >CentOS mailing list<br> >CentOS@centos.org<br> >http://lists.centos.org/mailman/listinfo/centos<br> > </centos@centos.org></mlists@zoominternet.net></BODY></HTML>