I really like the syntax of pf(4). People were posting examples where they reduced around 300 lines of rules in IPfilter to about 60 lines including comments and new lines in pf(4).
E.g. antispoof is very easy with 'antispoof quick for { lo em0 }'. Manipulating the firewall on-line is easy with http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html and protection against bruteforcers is easy thanks to tables and overload rules. Scrubbing of incoming packets is another piece of magic:

    # scrub incoming packets
    match in all scrub (no-df)

What's very important is the availability of lists, macros and tables, so you don't need to write zillions of lines to provide connections on certain ports/IPs/nets/interfaces and so on and so on. Once you start with pf(4) you miss its simplicity and ease of configuration when you must build a firewall on something different.

-- 
This message posted from opensolaris.org
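
A small pf.conf that puts the features named in the message above together (macros, lists, a table fed by an overload rule, antispoof and scrub). It is an added illustration, not part of the original post. It assumes the OpenBSD 4.7 or later rule syntax that the quoted `match in all scrub` line implies; em0 comes from the post, while the macro and table names, the ports and the connection limits are hypothetical.

```conf
# Constructed example: macro/table names, ports and limits are assumptions.

# Macros and lists: one name, reused in every rule that needs it.
ext_if       = "em0"              # interface name taken from the post
web_services = "{ www, https }"   # list expands into one rule per port

# Table that the overload rule below fills at run time.
table <bruteforce> persist

# Do not filter loopback traffic.
set skip on lo

# scrub incoming packets (the rule quoted in the post)
match in all scrub (no-df)

# Drop packets that claim a source address belonging to the network of
# one of these interfaces but arrive on a different interface.
antispoof quick for { lo $ext_if }

# Addresses already in the table are dropped before any pass rule is reached.
block in quick on $ext_if from <bruteforce>

# Default deny inbound, allow outbound (state is kept by default).
block in all
pass out all

# Public web ports: one line thanks to the list macro.
pass in on $ext_if proto tcp to port $web_services

# SSH: a source holding more than 10 connections, or opening more than
# 5 within 30 seconds, is added to <bruteforce> and its states are flushed.
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bruteforce> flush global)
```

The file can be syntax-checked without loading it with `pfctl -nf <file>`, and the addresses collected by the overload rule can be listed with `pfctl -t bruteforce -T show`.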