On Friday 18 December 2009 16:05, Peter Serwe wrote:
> I don't know jack about IPSet, but I know enabling or disabling hosts in
> bare stock PF without the gui in front of it is about as easy as it gets.

IPTABLES is the same;

iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]

> The PF configuration file syntax was designed from the ground up to be
> sane, unlike iptables, which typically needs some decent sysadmin scripting
> or using fwbuilder to make any good sense of.

I beg to differ here. IPTABLES is not that hard when you understand it. Like
anything else, once you know what you are doing it isn't that hard. And no, I
have never used any GUI program to configure my firewalls.

> There is no finer opensource firewall product on the market, in terms of
> performance, ease of configuration and use, and other issues.

This is all subjective to the user. I would say that PF is a nightmare and
IPTABLES is easier to use.

> If you're not opposed to vi, for what you're looking to accomplish, moving
> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
> hosts and anything else you've mentioned. It's absolutely capable, easier,
> and in general, for anything that involves packet filtering at all, about
> as good as it gets.

Again this is all subjective to the user.

-- 
Regards
Robert

Linux User #296285
http://counter.li.org