[CentOS] Optimizing CentOS for gigabit firewall

Fri Dec 18 21:14:12 UTC 2009
Timo Schoeler <timo.schoeler at riscworks.net>

On 12/18/2009 10:05 PM, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.
> 
> The PF configuration file syntax was designed from the ground up to be sane,
> unlike iptables, which typically needs some decent sysadmin scripting or
> using fwbuilder to make any good sense of.  There is no finer opensource
> firewall product on the market, in terms of performance, ease of
> configuration and use, and other issues.
> 
> If you're not opposed to vi, for what you're looking to accomplish, moving
> to BSD and pf is a no-brainer.  PF can definitely handle a list of 500 hosts
> and anything else you've mentioned.  It's absolutely capable, easier, and in
> general, for anything that involves packet filtering at all, about as good
> as it gets.
> 
> Peter

Just as a recommendation: besides OpenBSD's really fantastic
documentation, there are some books that are really great:

The Book of PF: A No-Nonsense Guide to the BSD Firewall (by Peter N. M.
Hansteen)

The OpenBSD PF Packet Filter Book (by Jeremy C. Reed)

HTH,

Timo
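The "list of 500 hosts" point from Peter's message above, as an added pf.conf fragment that is not from the thread or from either book: PF keeps such a list in a table, which is matched in constant time regardless of size and can be edited without reloading the ruleset. The interface name em0, the file path /etc/pf/blocked.txt and the 192.0.2.0/24 documentation addresses are assumptions for the example.

```pf
# Added example, not from the mailing-list thread.
# Assumed external interface; change to match the box.
ext_if = "em0"

# The block list lives in a table loaded from a file (one address or
# network per line, '#' comments allowed). "persist" keeps the table
# in the kernel even while no rule references it, so entries added at
# runtime with pfctl are not lost.
table <blocked> persist file "/etc/pf/blocked.txt"

# Do not filter loopback.
set skip on lo0

# Default deny inbound on the external interface, logged for review.
block in log on $ext_if

# Drop anything from a listed host immediately; "quick" stops rule
# evaluation so later pass rules cannot override the block.
block in quick on $ext_if from <blocked>

# Stateful outbound traffic, and inbound SSH to the firewall itself
# (statefully, so return traffic is matched rather than re-evaluated).
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
```

Hosts are enabled or disabled without touching pf.conf: `pfctl -t blocked -T add 192.0.2.10` inserts an entry, `pfctl -t blocked -T delete 192.0.2.10` removes it, and `pfctl -t blocked -T show` lists the current contents. After editing the file, `pfctl -t blocked -T replace -f /etc/pf/blocked.txt` swaps in the new list atomically, and `pfctl -nf /etc/pf.conf` checks the ruleset for syntax errors before `pfctl -f /etc/pf.conf` loads it. Because the table is a single rule, growing the list from 5 to 500 hosts adds no per-packet rule evaluation cost.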