The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much better than Linux with iptables.

>> I don't know jack about IPSet, but I know enabling or disabling hosts in
>> bare stock PF without the gui in front of it is about as easy as it gets.
>
> IPTABLES is the same;
>
> iptables -A [INPUT/FORWARD] -d -j [REJECT/DROP]
>
>> The PF configuration file syntax was designed from the ground up to be
>> sane, unlike iptables, which typically needs some decent sysadmin scripting
>> or using fwbuilder to make any good sense of.
>
> I beg to differ here. IPTABLES is not that hard when you understand it. Like
> anything else, once you know what you are doing it isn't that hard. And no,
> I have never used any GUI program to configure my firewalls.
>
>> There is no finer opensource firewall product on the market, in terms of
>> performance, ease of configuration and use, and other issues.
>
> This is all subjective to the user. I would say that PF is a nightmare and
> IPTABLES is easier to use.
>
>> If you're not opposed to vi, for what you're looking to accomplish, moving
>> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
>> hosts and anything else you've mentioned. It's absolutely capable, easier,
>> and in general, for anything that involves packet filtering at all, about
>> as good as it gets.
>
> Again this is all subjective to the user.
>
>
> --
>
> Regards
> Robert
>
> Linux User #296285
> http://counter.li.org
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos