Chris Dukes <pak...@pr.neotoma.org> writes:

> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my
> ruleset?" "What's the signal to noise ratio when I ask for help fixing
> my rule set?"

Certainly for both the first and the second one, there's an angle that iptables users tend to forget or gloss over: with iptables you actually risk running into weird side effects, since your rule set load is a shell script that loads rules incrementally, and you can never really be sure what's what unless the first action in your loading script is to flush all existing rules, which of course runs a risk of both killing connections and leaving your network wide open until your block rules are in place.

> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html

Yes, it's one of the better summaries by a Linux person, actually a quite sane one. But note the date: a lot has happened on the PF side of the fence since then, not least performance-wise.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
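The flush window Peter describes is what iptables-restore's atomic table replacement exists to close; the script below is an added illustration of that approach, not code from the thread or from either firewall project. The interface name and admin network are assumed placeholder values.

```shell
#!/bin/sh
# Added example: replace the whole filter table in one commit with
# iptables-restore instead of running "iptables -F" followed by a series
# of "iptables -A" calls, which leaves a gap between the flush and the
# first block rule. Interface and address values are assumed placeholders.
set -eu

WAN_IF="eth0"              # assumed external interface
ADMIN_NET="192.0.2.0/24"   # assumed admin network (documentation range)

# Emit the complete filter table in iptables-save format. iptables-restore
# parses everything up to COMMIT and swaps the table into the kernel in one
# operation, so the old rules stay active until the new ones take over.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check on the generated text: the INPUT chain policy must be DROP,
# so a partial or failed load can never default to wide open. Returns 0 if so.
policy_is_fail_closed() {
    build_ruleset | sed -n '2p' | grep -q '^:INPUT DROP'
}

# Validate the ruleset without touching the kernel, then load it atomically.
# Requires root and a kernel with the iptables modules available.
apply_ruleset() {
    tmp=$(mktemp)
    build_ruleset > "$tmp"
    iptables-restore --test < "$tmp"
    iptables-restore < "$tmp"
    rm -f "$tmp"
}

# Print the ruleset that apply_ruleset would load, for review.
build_ruleset
```

Run `apply_ruleset` as root once the printed ruleset looks right; nothing in the block loads rules by itself.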