[CentOS] Optimizing CentOS for gigabit firewall
Timo Schoeler
timo.schoeler at riscworks.net
Fri Dec 18 21:14:12 UTC 2009
On 12/18/2009 10:05 PM, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.
>
> The PF configuration file syntax was designed from the ground up to be sane,
> unlike iptables, which typically needs some decent sysadmin scripting or
> using fwbuilder to make any good sense of. There is no finer opensource
> firewall product on the market, in terms of performance, ease of
> configuration and use, and other issues.
>
> If you're not opposed to vi, for what you're looking to accomplish, moving
> to BSD and pf is a no-brainer. PF can definitely handle a list of 500 hosts
> and anything else you've mentioned. It's absolutely capable, easier, and in
> general, for anything that involves packet filtering at all, about as good
> as it gets.
>
> Peter
Just as a recommendation: Besides OpenBSD's really fantastic
documentation, there are some books that are really great:
The Book of PF: A No-Nonsense Guide to the BSD Firewall (by Peter N. M.
Hansteen)
The OpenBSD PF Packet Filter Book (by Jeremy C. Reed)
HTH,
Timo
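As an added illustration of the point raised in this thread (a list of a few hundred hosts that must be switched on and off without a GUI), here is a minimal pf.conf using a PF table. This is not code from either poster; the interface name, file path, network and addresses are assumed placeholders, and the blocked-host list is a constructed example.

```pf
# /etc/pf.conf (example only; interface and paths are assumptions)
ext_if = "em0"
lan    = "192.168.10.0/24"

# A table holds the host list separately from the rule set. "persist"
# keeps the table alive even when no rule currently references it, and
# "file" preloads it from a text file with one address or CIDR per line.
# 500 entries is well within what a table handles; lookups stay O(log n)
# regardless of list length, unlike 500 individual rules.
table <blocked> persist file "/etc/pf/blocked.txt"

# Normalize traffic before filtering.
match in all scrub (no-df)

# Default deny, then drop anything from the blocked list early.
block all
block in quick on $ext_if from <blocked>
block out quick on $ext_if to <blocked>

# Allow the LAN out and keep state for the replies.
pass out on $ext_if from $lan keep state
pass in  on $ext_if proto tcp to ($ext_if) port { 22 } keep state
```

The constructed /etc/pf/blocked.txt would look like this (one entry per line, comments allowed):

    # blocked.txt - example entries, not real offenders
    192.0.2.10
    198.51.100.0/24
    203.0.113.77

Enabling or disabling a host is then a table operation that does not require reloading the rule set: `pfctl -t blocked -T add 192.0.2.11` inserts a host, `pfctl -t blocked -T delete 192.0.2.11` removes it, `pfctl -t blocked -T show` lists the current contents, and after editing the file `pfctl -t blocked -T replace -f /etc/pf/blocked.txt` swaps the whole table atomically. Only rule changes need `pfctl -f /etc/pf.conf`. One caveat worth checking with `pfctl -t blocked -T show` after a reboot: the in-kernel table is rebuilt from the file at load time, so hosts added with `-T add` but never written to blocked.txt are lost on the next reload.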