On Friday 18 December 2009 16:05, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in bare stock PF without the gui in front of it is about as easy as it gets.
IPTABLES is the same:
iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]
> The PF configuration file syntax was designed from the ground up to be sane, unlike iptables, which typically needs some decent sysadmin scripting or fwbuilder to make any good sense of.
I beg to differ here. IPTABLES is not that hard when you understand it. Like anything else, once you know what you are doing, it isn't that hard. And no, I have never used any GUI program to configure my firewalls.
> There is no finer open-source firewall product on the market, in terms of performance, ease of configuration and use, and other issues.
This is all subjective to the user. I would say that PF is a nightmare and IPTABLES is easier to use.
> If you're not opposed to vi, for what you're looking to accomplish, moving to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts and anything else you've mentioned. It's absolutely capable, easier, and in general, for anything that involves packet filtering at all, about as good as it gets.
Again this is all subjective to the user.
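The thread compares blocking a list of hosts under iptables and under pf but never shows the list-handling side. The script below is an added example, not code posted by either participant: it generates, without applying anything, the three ways the thread alludes to, one iptables rule per host (the one-liner quoted above), one ipset holding every address plus a single iptables rule that matches the set, and a pf table loaded from a file plus a single block rule. The host list, set name, table name and file path are constructed for the example; the syntax of `ipset restore`, `iptables -m set --match-set` and pf's `table <name> persist file` is standard.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the rules needed to block
# a list of hosts three ways. Nothing is applied; functions only print text, so
# this runs on any machine without iptables, ipset or pf installed.

# Constructed sample list (RFC 5737 documentation addresses), standing in for
# the "500 hosts" discussed in the thread. One address per line.
HOSTS='192.0.2.10
192.0.2.11
198.51.100.7'

# iptables, naive: one rule per host, in the style of the one-liner quoted
# above but matching source addresses. Hosts on stdin; $1 is the chain.
# Rule count grows with the list, and every packet walks the whole chain.
gen_iptables_per_host() {
    chain="$1"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
}

# iptables + ipset: a batch in 'ipset restore' format that creates one set and
# adds every host to it. Hosts on stdin; $1 is the set name (constructed).
gen_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$set_name"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'add %s %s\n' "$set_name" "$ip"
    done
}

# The single iptables rule that references the set; $1 set name, $2 chain.
# Stays one rule however many hosts are in the set (hash lookup, not a walk).
ipset_match_rule() {
    printf 'iptables -A %s -m set --match-set %s src -j DROP\n' "$2" "$1"
}

# pf: a table loaded from a plain file of addresses (the HOSTS list itself
# is already in that format) and one rule that blocks everything in it.
# $1 table name, $2 path of the file pf loads the table from (constructed).
gen_pf_conf() {
    printf 'table <%s> persist file "%s"\n' "$1" "$2"
    printf 'block in quick from <%s> to any\n' "$1"
}

# Demonstration when run directly: show all three outputs for the sample list.
echo '# iptables, one rule per host:'
printf '%s\n' "$HOSTS" | gen_iptables_per_host INPUT
echo '# ipset restore batch:'
printf '%s\n' "$HOSTS" | gen_ipset_restore blocklist
echo '# ...and the one iptables rule that uses it:'
ipset_match_rule blocklist INPUT
echo '# pf.conf fragment (the table file is just the host list):'
gen_pf_conf blocklist /etc/pf.blocklist
```

To apply for real you would pipe the batch into `ipset restore` and run the printed iptables line as root, or write the host list to the table file and `pfctl -f` the pf.conf fragment; the point of the example is that both the ipset and the pf table reduce a 500-host list to a single filter rule, while the per-host iptables approach does not.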