On 12/18/2009 10:05 PM, Peter Serwe wrote:
I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or using fwbuilder to make any good sense of. There is no finer opensource firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Peter
Just as a recommendation: besides OpenBSD's really fantastic documentation, there are some books that are really great:
The Book of PF: A No-Nonsense Guide to the BSD Firewall (by Peter N. M. Hansteen)
The OpenBSD PF Packet Filter Book (by Jeremy C. Reed)
HTH,
Timo
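Added example, not from either poster: the PF feature behind Peter's "list of 500 hosts" point is a table, which lets you enable or disable a single host with pfctl without touching the rest of the ruleset. It assumes OpenBSD pf; the table name "blocklist", the list file path and the "egress" interface group are my choices.

```shell
#!/bin/sh
# Manage a block list as a PF table.  Hosts are added or removed one at a
# time with pfctl -T add/delete, or the whole table is replaced from a file,
# which is validated first so a typo never reaches pfctl.
BLOCKLIST_FILE="${BLOCKLIST_FILE:-/etc/pf.blocklist}"   # assumed path
TABLE="${TABLE:-blocklist}"                             # assumed table name

# Print the pf.conf fragment that declares the table and blocks from it.
# "persist" keeps the table even when no rule currently references it.
pf_blocklist_rules() {
    cat <<EOF
table <$TABLE> persist file "$BLOCKLIST_FILE"
block drop in quick on egress from <$TABLE> to any
EOF
}

# Return 0 if the argument looks like an IPv4 address or CIDR (a.b.c.d[/n]),
# 1 otherwise.  Each octet must be 0-255 and a prefix length 0-32.
is_ipv4_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Check every non-comment, non-empty line of a list file.
# Prints each bad entry to stderr and returns 1 if any were found.
validate_blocklist() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        is_ipv4_entry "$line" || { echo "invalid entry: $line" >&2; bad=1; }
    done < "$1"
    return $bad
}

# Enable or disable one host: only the table changes, the ruleset is untouched.
block_host()   { is_ipv4_entry "$1" && pfctl -t "$TABLE" -T add "$1"; }
unblock_host() { is_ipv4_entry "$1" && pfctl -t "$TABLE" -T delete "$1"; }

# Replace the whole table from the list file after validating it.
sync_blocklist() {
    validate_blocklist "$BLOCKLIST_FILE" &&
        pfctl -t "$TABLE" -T replace -f "$BLOCKLIST_FILE"
}
```

Load the fragment from pf_blocklist_rules into pf.conf once, then block_host/unblock_host handle day-to-day changes and sync_blocklist reloads the full list after edits.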