On Wednesday 27 December 2006 07:51, Robert Spangler wrote:
> On Tue December 26 2006 19:43, Peter Serwe wrote:
> > I know this is a CentOS/Linux list, but I seriously wish they would take
> > a cue
> > from *BSD and start integrating pf with modern Linux distributions.
>
> What advantages does pf hold over iptables?
> And please don't start off with it is more secure BS.

Stateful firewall failover with pfsync? A rule application program (pfctl) that checks the syntax of rules before applying them to make sure there are no errors, and also dynamically re-orders your rules for best performance? Built-in dynamic rules based on SSH logins with authpf? Packet logging to tcpdump-compatible logfiles?

There are a few. Some might have iptables counterparts I don't know of, but these are a few of the benefits I've been enjoying lately on some OpenBSD firewall boxes, and they are all succinctly documented with examples in the man pages (it's a real culture shock using BSD when used to Linux. The man pages actually adequately explain complex programs, and are complete).

I've been meaning to test the firewall failover with the NAT load balancing features to see how well it performs WRT LVS. From what I hear I might expect a bit better performance and/or scalability out of LVS, but the ease of setup and configuration of OpenBSD and pf may trump that if it's not a large gap (and it isn't required to scale too much).

The VPN program they created (isakmpd) works well and allows for stateful failover with sasyncd, and I believe has been successfully ported to Linux (sans sasyncd I imagine). I would think porting pf would be much harder, but one of its core features (stateful failover) is something that iptables has failed to implement for quite a while now, and the project that was trying to do it (ctsync) was dead in the water last time I checked.

-- 
- Kevan Benson
- A-1 Networks
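The features Kevan lists (pfsync state replication, the pfctl pre-load syntax check and ruleset re-ordering, authpf, pflog) come together in a single pf.conf. The following is an added example written for this page, not configuration from the original post or from the OpenBSD project; the interface names, the inside network and the CARP/pfsync interface commands quoted below are constructed placeholders and are assumptions about the deployment, not values from the thread.

```pf
# Added example (not from the original post): a minimal pf.conf for one
# member of an active/passive OpenBSD firewall pair. CARP provides the shared
# address, pfsync replicates the state table over a dedicated link, so an
# established connection survives the failover described in the post.
# Interface names and the inside network are constructed placeholders.

ext_if  = "em0"               # outside interface (assumed name)
int_if  = "em1"               # inside interface (assumed name)
sync_if = "em2"               # back-to-back link carrying only pfsync traffic
int_net = "192.168.10.0/24"   # constructed inside network

# Let pfctl re-order the ruleset for faster evaluation without changing its
# meaning; "basic" is the conservative setting.
set ruleset-optimization basic
set skip on lo

# Default deny. "log" sends the packet to pflog0, which pflogd writes to
# /var/log/pflog in tcpdump format.
block log all

# Failover control traffic: pfsync on its dedicated link, CARP advertisements
# on the interfaces that carry a virtual address. Neither should be reachable
# from anywhere but the peer, hence the dedicated sync link.
pass quick on $sync_if proto pfsync
pass on { $ext_if $int_if } proto carp keep state

# Per-user rules that authpf loads when someone logs in over ssh land here.
anchor "authpf/*"

antispoof quick for $int_if

# Inside hosts out to the world. These states are replicated over pfsync,
# so the standby box can pick them up mid-connection.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state

# Administrative ssh to the firewall itself, from the inside only.
pass in on $int_if proto tcp from $int_net to $int_if port ssh keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file and reports errors without touching the running ruleset; `pfctl -f /etc/pf.conf` then loads it. The same file goes on both firewalls; only the interface setup differs: the sync link is bound with `ifconfig pfsync0 syncdev em2 up`, and the CARP address is created on each box with `ifconfig carp0 vhid 1 carpdev em0 pass <shared-secret> advskew 0 192.0.2.1 netmask 255.255.255.0` (a higher `advskew` on the backup makes it prefer the other member). Blocked packets can be read back with `tcpdump -n -e -ttt -r /var/log/pflog`, which is the tcpdump-compatible logging the post mentions.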