Re: Optimizing CentOS for gigabit firewall




So basically, you're saying you'd want to allow or disallow traffic based on MAC address?  Seems like you could put MAC filters on a number of switches, Cisco being the most easily documented by Mr. Google.

Be a lot faster than any kernel, and a total waste of BSD.  If you can do it on Linux via some other mechanism, go for it.

The fact is, PF will do line rate layer 3 packet filtering if you've got the hardware to support it.  Try and see.

Peter



On Fri, Dec 18, 2009 at 10:49 PM, sadas sadas <mailrc@xxxxxx> wrote:
The syntax is not a problem. The problem is in the performance. I suppose that if I configure OpenBSD to process the in/out packets only to layer 2 the performance will be much more than Linux with iptables.



>> I don't know jack about IPSet, but I know enabling or disabling hosts in
>> bare stock PF without the gui in front of it is about as easy as it gets.
>
>IPTABLES is the same;
>
>iptables -A [INPUT/FORWARD] -d <host-ip> -j [REJECT/DROP]

>
>> The PF configuration file syntax was designed from the ground up to be
>> sane, unlike iptables, which typically needs some decent sysadmin scripting
>> or using fwbuilder to make any good sense of.
>
>I beg to differ here. IPTABLES is not that hard when you understand it. Like
>anything else, once you know what you are doing it isn't that hard. And no,
>I have never used any GUI program to configure my firewalls.
>
>> There is no finer opensource firewall product on the market, in terms of
>> performance, ease of configuration and use, and other issues.
>
>This is all subjective to the user. I would say that PF is a nightmare and
>IPTABLES is easier to use.
>
>> If you're not opposed to vi, for what you're looking to accomplish, moving
>> to BSD and pf is a no-brainer. PF can definitely handle a list of 500
>> hosts and anything else you've mentioned. It's absolutely capable, easier,
>> and in general, for anything that involves packet filtering at all, about
>> as good as it gets.
>
>Again this is all subjective to the user.
>
>
>--
>
>Regards
>Robert
>
>Linux User #296285
>http://counter.li.org
>_______________________________________________
>CentOS mailing list
>CentOS@xxxxxxxxxx
>http://lists.centos.org/mailman/listinfo/centos





--
Peter Serwe
http://truthlightway.blogspot.com/
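Added example, not code from this thread or from any of the posters: Robert's one-rule-per-host iptables approach and the IPSet mention above come together on Linux as one ipset hash set matched by a single iptables rule, which is the "other mechanism" that keeps a 500-host list from costing 500 rule evaluations per packet. The script below builds `ipset restore` and `iptables-restore` input from a blocklist, rejects malformed entries instead of silently dropping them, and shows the Linux equivalent of the layer-2 (MAC) filtering Peter would push to a switch. The set name `blocked_hosts`, the chain name `BLOCKLIST` and the sample list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build ipset + iptables-restore input
# for a host blocklist. Set name "blocked_hosts" and chain "BLOCKLIST" are
# assumed names, not anything the posters used.
set -f   # no pathname expansion: untrusted input is word-split below

# Constructed sample blocklist (RFC 5737 documentation addresses).
SAMPLE_BLOCKLIST='# constructed sample, one host or CIDR per line
192.0.2.10
192.0.2.11
198.51.100.0/24   # whole subnet; a hash:net set accepts it
203.0.113.7
'

# is_ipv4_or_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/0..32
is_ipv4_or_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr            # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_mac ADDR: six colon-separated hex octets, the form iptables -m mac expects
is_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# gen_ipset_restore SETNAME < blocklist: emit "ipset restore" input.
# '#' comments and blank lines are skipped; malformed lines are reported on
# stderr and make the function fail, so a typo never silently shrinks the set.
gen_ipset_restore() {
    setname=$1
    rejected=0
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$setname"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_ipv4_or_cidr "$line"; then
            printf 'add %s %s\n' "$setname" "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            rejected=$((rejected + 1))
        fi
    done
    [ "$rejected" -eq 0 ]
}

# gen_iptables_restore SETNAME: emit iptables-restore input that drops traffic
# to or from any set member via one chain hooked into INPUT and FORWARD.
# Two rules total, however many hosts the set holds.
gen_iptables_restore() {
    setname=$1
    cat <<EOF
*filter
:BLOCKLIST - [0:0]
-A BLOCKLIST -m set --match-set $setname src -j DROP
-A BLOCKLIST -m set --match-set $setname dst -j DROP
-I INPUT -j BLOCKLIST
-I FORWARD -j BLOCKLIST
COMMIT
EOF
}

# gen_mac_drop_rule MAC: layer-2 source filter on Linux. The mac match is only
# valid in INPUT, FORWARD and PREROUTING, which is where BLOCKLIST is hooked.
gen_mac_drop_rule() {
    is_mac "$1" || return 1
    printf '%s\n' "-A BLOCKLIST -m mac --mac-source $1 -j DROP"
}

# Demo when run as: sh blocklist.sh --demo  (prints both files to stdout)
if [ "${1-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_BLOCKLIST" | gen_ipset_restore blocked_hosts
    gen_iptables_restore blocked_hosts
fi
```

Load the set first (`ipset restore < set.txt`, or `ipset -exist restore` when reloading), then the rules with `iptables-restore -n < rules.txt`; the `-n`/`--noflush` flag keeps the existing ruleset, and the set match refuses to load if the set does not yet exist. Updating the list later is an `ipset` change only; the two iptables rules never need to be touched.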
