A few questions for the BSD users. All you Linux losers just delete this, haha :) (http://www.forbes.com/intelligentinfrastructure/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html)

We use iptables a lot. I was talking with one of my student interns, who has a preference for BSD, and I (naively) told him "sure, pf can do anything iptables can do". A few things we ran into:

How do you block by MAC address in pf? At layer 3, not in the bridge utils (at layer 2). It just seems more convenient to do it in pf.

In iptables you can MARK packets, and make decisions based on the mark later in the ruleset. Possible in pf?

In iptables, you can create new chains and jump to those chains very early in the ruleset, significantly reducing the number of linear rule traversals. Does pf have the concept of chains?

ray
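An added example, not part of ray's post and not taken from any pf documentation, showing the pf idioms that correspond to the two iptables features asked about: tag/tagged for MARK, and anchors for chains. The interface names (em0, em1), the addresses (documentation ranges) and the anchor file path are assumptions. The MAC question is deliberately left out of the ruleset: pf matches from layer 3 up and has no MAC criterion, so on OpenBSD that filtering is done with the bridge(4) driver's own rules (the `rule` keyword on the bridge interface) and on FreeBSD with ipfw once net.link.ether.ipfw is enabled.

```pf
# Added example (not from the original post). Assumed names: em0 is the
# external interface, em1 the internal one; addresses are placeholders.
ext_if = "em0"
int_if = "em1"

# A table is the cheap way to hold a large address set: membership is a
# radix lookup, not one rule per address, so big block lists do not turn
# into long linear rule walks.
table <badhosts> persist { 192.0.2.10, 192.0.2.11 }

# Default policy: drop and log everything not explicitly passed.
block log all

# iptables MARK equivalent: attach a tag as the packet comes in. Tags are
# sticky, so the tag stays on the packet (and its state entry) for the rest
# of the evaluation even when a later rule ends up being the final match.
pass in on $int_if from <badhosts> tag BADHOST

# ...many rules later, decide on the tag instead of re-matching addresses.
# Anything carrying the tag is dropped on the way out the external side.
block out quick on $ext_if tagged BADHOST
pass  out on $ext_if keep state

# Chain equivalent: an anchor. Rules inside the anchor are only evaluated
# for packets that match the anchor rule's own criteria (here: inbound TCP
# to port 22 on the external address), which is the "jump early" effect
# of an iptables chain. "quick" means that if any rule inside the anchor
# matches, evaluation stops there and nothing below is walked for SSH.
anchor "ssh-in" quick in on $ext_if proto tcp to ($ext_if) port 22

# The anchor's rules live in their own file (assumed path) and can be
# reloaded independently of the main ruleset:
#   pfctl -a ssh-in -f /etc/pf.ssh-in
# with /etc/pf.ssh-in containing, for example:
#   block in
#   pass in from 203.0.113.0/24 keep state

# Remaining rules for traffic that did not terminate in the anchor. This
# rule also matches the <badhosts> packets tagged above, and because the
# tag is sticky they still hit the "block out quick ... tagged" rule.
pass in on $int_if from $int_if:network keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n`. Note the ordering difference from iptables: pf's default is last-match-wins, so `quick` is what turns a rule (or an anchor) into the early exit that an iptables ACCEPT/DROP provides by default.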
