[CentOS] creating script for init.d

Thu Dec 28 17:55:20 UTC 2006
Kevan Benson <kbenson at a-1networks.com>

On Wednesday 27 December 2006 07:51, Robert Spangler wrote:
> On Tue December 26 2006 19:43, Peter Serwe wrote:
> >  I know this is a CentOS/Linux list, but I seriously wish they would take
> >  a cue
> >  from *BSD and start integrating pf with modern Linux distributions.
> What advantages does pf hold over iptables?
> And please don't start off with it is more secure BS.

Stateful firewall failover with pfsync?

A rule application program (pfctl) that checks syntax of rules before applying 
them to make sure there are no errors, and also dynamically re-orders your 
rules for best performance?  

Built in dynamic rules based on SSH logins with authpf?

Packet logging to tcpdump compatible logfiles?

There are a few.  Some might have iptables counterparts I don't know of, but 
these are a few of the benefits I've been enjoying lately on some OpenBSD 
firewall boxes, and they are all succinctly documented with examples in the 
man pages (it's a real culture shock using BSD when used to linux.  The man 
pages actually adequately explain complex programs, and are complete).

I've been meaning to test the firewall failover with the NAT load balancing 
features to see how well it performs WRT LVS.  From what I hear I might 
expect a bit better performance and/or scalability out of LVS, but the ease 
of setup and configuration of OpenBSD and pf may trump that if it's not a 
large gap (and it isn't required to scale too much).

The VPN program they created (isakmpd) works well and allows for stateful 
failover with sasyncd, and I believe has been successfully ported to linux 
(sans sasyncd I imagine).  I would think porting pf would be much harder, but 
one of its core features (stateful failover) is something that iptables has 
failed to implement for quite a while now, and the project that was trying to 
do it (ctsync) was dead in the water last time I checked.

- Kevan Benson
- A-1 Networks
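As an added illustration of the pf features named in the post above (syntax checking with pfctl before loading, pfsync state synchronization between a failover pair, and tcpdump-compatible packet logging), here is a small shell script that generates a minimal pf.conf, parses it with `pfctl -n` before loading it, and shows how the pflog file is read. This is example code written for this page, not from the list post or from the OpenBSD project; the interface names (carp0, em1), the idea that carp0 is the shared CARP address of the pair, and the SSH-only inbound policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and the
# policy below are assumptions chosen for illustration.

# Emit a minimal pf.conf for one member of a CARP/pfsync failover pair.
# $1 = external (CARP) interface, $2 = dedicated pfsync interface.
gen_pf_conf() {
  cat <<EOF
ext_if = "$1"
sync_if = "$2"
set skip on lo
# default deny; "log" sends blocked packets to pflog0 (tcpdump format)
block log all
# state-table synchronisation and CARP heartbeats between the two firewalls
pass quick on \$sync_if proto pfsync
pass quick on \$ext_if proto carp
# only SSH is admitted from outside; (\$ext_if) tracks the interface address
pass in on \$ext_if proto tcp to (\$ext_if) port 22 keep state
pass out on \$ext_if keep state
EOF
}

# pfctl -n parses the ruleset without loading it; a non-zero exit means a
# syntax error, so nothing reaches the kernel until the file is clean.
pf_check() {
  pfctl -nf "$1"
}

# Load only after the parse succeeds (assumes pfctl is present, i.e. OpenBSD).
pf_load() {
  pf_check "$1" && pfctl -f "$1"
}

# Read the binary pflog file with tcpdump; -e shows the pf rule/action header.
pf_show_log() {
  tcpdump -n -e -ttt -r /var/log/pflog
}

# Usage (on an OpenBSD host):
#   gen_pf_conf carp0 em1 > /etc/pf.conf
#   pf_load /etc/pf.conf && pfctl -s states
#   pf_show_log
```

The generation step is portable shell, so it can be checked anywhere; `pf_check`, `pf_load` and `pf_show_log` only work on a host that actually has pf, which is the point of running `pfctl -n` first: a typo in the ruleset is reported by the parser instead of being discovered as a locked-out box.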