So basically, you're saying you'd want to allow or disallow traffic based on MAC address? Seems like you could put MAC filters on a number of switches, Cisco being the most easily documented by Mr. Google.
Be a lot faster than any kernel, and a total waste of BSD. If you can do it on Linux via some other mechanism, go for it.
The fact is, PF will do line rate layer 3 packet filtering if you've got the hardware to support it. Try and see.
Peter
On Fri, Dec 18, 2009 at 10:49 PM, sadas sadas mailrc@abv.bg wrote:
The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than linux with iptables.
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
IPTABLES is the same;
iptables -A [INPUT/FORWARD] -d -j [REJECT/DROP]
The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of.
I beg to differ here. IPTABLES is not that hard when you understand it. Like anything else, once you know what you are doing it isn't that hard. And no, I have never used any GUI program to configure my firewalls.
There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
This is all subjective to the user. I would say that PF is a nightmare and IPTABLES is easier to use.
If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Again this is all subjective to the user.
--
Regards Robert
Linux User #296285 http://counter.li.org
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos