[CentOS] Optimizing CentOS for gigabit firewall

Fri Dec 18 22:40:20 UTC 2009
Robert Spangler <mlists at zoominternet.net>

On Friday 18 December 2009 16:05, Peter Serwe wrote:

>  I don't know jack about IPSet, but I know enabling or disabling hosts in
>  bare stock PF without the gui in front of it is about as easy as it gets.

IPTABLES is the same:

iptables -A [INPUT/FORWARD] -d <ip address> -j [REJECT/DROP]

>  The PF configuration file syntax was designed from the ground up to be
> sane, unlike iptables, which typically needs some decent sysadmin scripting
> or using fwbuilder to make any good sense of.

I beg to differ here.  IPTABLES is not that hard when you understand it.  Like 
anything else, once you know what you are doing it isn't that hard.  And no, 
I have never used any GUI program to configure my firewalls.

> There is no finer open-source firewall product on the market, in terms of
> performance, ease of configuration and use, and other issues.

This is all subjective to the user.  I would say that PF is a nightmare and 
IPTABLES is easier to use.

>  If you're not opposed to vi, for what you're looking to accomplish, moving
>  to BSD and pf is a no-brainer.  PF can definitely handle a list of 500
> hosts and anything else you've mentioned.  It's absolutely capable, easier,
> and in general, for anything that involves packet filtering at all, about
> as good as it gets.

Again this is all subjective to the user.



Linux User #296285
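To put the one-liner above next to the list-of-500-hosts case from the quoted message, here is an added example (not from either poster) that turns a block list into rules without touching a live firewall: one DROP rule per host in an iptables-restore fragment, and the same list as an ipset so that a single iptables rule can match all of it. The list contents, the chain name BLOCKLIST and the set name blocklist are constructed for the example.

```shell
#!/bin/sh
# Constructed sample list: one IPv4 address or CIDR per line, '#' starts a comment.
BLOCKLIST='# constructed sample block list
192.0.2.10
198.51.100.0/24
not-an-address        # rejected by the validator
203.0.113.7
'
# Accept a dotted-quad IPv4 address with an optional /0-32 prefix, reject anything else.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Print the usable entries of a list, one per line; comments, blanks and
# malformed entries are dropped (the latter with a warning on stderr).
valid_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if is_ipv4 "$entry"; then printf '%s\n' "$entry"
        else printf 'skipping invalid entry: %s\n' "$entry" >&2; fi
    done
}

# One rule per host in a dedicated chain, in iptables-restore format
# (load with: gen_iptables_rules "$BLOCKLIST" | iptables-restore -n).
gen_iptables_rules() {
    printf '%s\n' '*filter' ':BLOCKLIST - [0:0]' \
        '-A INPUT -j BLOCKLIST' '-A FORWARD -j BLOCKLIST'
    valid_entries "$1" | while IFS= read -r entry; do
        printf '%s\n' "-A BLOCKLIST -s $entry -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Same list as an ipset (load with: gen_ipset_rules "$BLOCKLIST" | ipset restore);
# the firewall then needs one rule: -A INPUT -m set --match-set blocklist src -j DROP
gen_ipset_rules() {
    printf '%s\n' 'create blocklist hash:net family inet'
    valid_entries "$1" | while IFS= read -r entry; do
        printf '%s\n' "add blocklist $entry"
    done
}

gen_iptables_rules "$BLOCKLIST"; gen_ipset_rules "$BLOCKLIST"
```

Both generators only print; review the output before feeding it to iptables-restore or ipset restore on a real host.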