So basically, you're saying you'd want to allow or disallow traffic based on MAC address?

Seems like you could put MAC filters on a number of switches, Cisco being the most easily documented by Mr. Google. Be a lot faster than any kernel, and a total waste of BSD.

If you can do it on Linux via some other mechanism, go for it.

The fact is, PF will do line rate layer 3 packet filtering if you've got the hardware to support it. Try and see.

Peter

On Fri, Dec 18, 2009 at 10:49 PM, sadas sadas <mailrc at abv.bg> wrote:

> The syntax is not a problem. The problem is in the performance. I suppose
> that if I configure OpenBSD to process the in/out packets only to layer 2
> the performance will be much more than linux with iptables.
>
> >> I don't know jack about IPSet, but I know enabling or disabling hosts in
> >> bare stock PF without the gui in front of it is about as easy as it gets.
> >
> > IPTABLES is the same;
> >
> > iptables -A [INPUT/FORWARD] -d -j [REJECT/DROP]
> >
> >> The PF configuration file syntax was designed from the ground up to be
> >> sane, unlike iptables, which typically needs some decent sysadmin scripting
> >> or using fwbuilder to make any good sense of.
> >
> > I beg to differ here. IPTABLES is not that hard when you understand it. Like
> > anything else, once you know what you are doing it isn't that hard. And no,
> > I have never used any GUI program to configure my firewalls.
> >
> >> There is no finer opensource firewall product on the market, in terms of
> >> performance, ease of configuration and use, and other issues.
> >
> > This is all subjective to the user. I would say that PF is a nightmare and
> > IPTABLES is easier to use.
> >
> >> If you're not opposed to vi, for what you're looking to accomplish, moving
> >> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
> >> hosts and anything else you've mentioned. It's absolutely capable, easier,
> >> and in general, for anything that involves packet filtering at all, about
> >> as good as it gets.
> >
> > Again this is all subjective to the user.
> >
> > --
> >
> > Regards
> > Robert
> >
> > Linux User #296285
> > http://counter.li.org
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos

--
Peter Serwe
http://truthlightway.blogspot.com/