On Oct 23, 2010, at 12:33 PM, Jean-Francois wrote:
I agree with all of that.
Who cares how fast your firewall is if it's compromised? This is not to say
PF/OpenBSD is slow, but my point is who wants a Ferrari that blows up
unexpectedly when you can have a perfectly reasonable car that never blows
up?
Security has many facets, but the two I deem most important are: How safe is
something from external control, and how likely am I to fuck it up, allowing
someone to take advantage of my system? I can't do much about the former,
except to trust people who are smarter than me and have more experience than
I, and for the latter I can only select that which I believe I won't fuck up.
The difference between PF maintenance and IPTables maintenance, in my
experience, is significant. PF can seem a little harder at first, because it
requires a little bit of thought (at least that's how I felt grokking the new
PF match rules. In the beginning of my PF experience, it was trivial to move
from ipf to pf.). But once you get it, it's a richer toolset of options.
IPTables is just a freakin' huge, long blithering list of chained crap. It
drives me nuts messing with consumer firewalls that run IPTables. Writing PF
rules is like telling someone "go to the store and get milk", and you might
have to explain that once. Writing IPTables rules is like telling someone
"stand up". Then "Walk to door". Then "Open door". Keep going until you get
to "put milk in fridge". Oh, you might need to explain how to walk, too.
Sean
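To make the PF-versus-iptables comparison above concrete, here is the same minimal stateful host policy (everything out, only SSH in, loopback untouched) written once in pf.conf syntax and once in iptables-restore syntax. This is an added example, not code from the original message; the interface names em0/eth0 and the policy itself are constructed assumptions.

```shell
#!/bin/sh
# Same policy, two dialects. Constructed example: em0/eth0 and the
# "allow only SSH in" policy are assumptions, not from the original post.
set -eu

# PF: stateful by default, so one "pass" line covers the reply traffic.
pf_rules() {
cat <<'EOF'
ext_if = "em0"
set skip on lo
match in all scrub (no-df)
block all
pass out on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port ssh
EOF
}

# iptables: default-drop policies plus explicit conntrack rules for the
# replies, loopback and the one allowed service, in iptables-restore format.
iptables_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of non-blank, non-comment lines in a rule set, for a side-by-side
# size comparison of the two dialects.
rule_count() { "$1" | grep -cve '^[[:space:]]*$' -e '^#'; }

# Parse-only checks on whichever host has the tool: pfctl -nf parses without
# loading, iptables-restore --test parses without applying. Neither changes
# the running firewall.
check_rules() {
  if command -v pfctl >/dev/null 2>&1; then pf_rules | pfctl -nf -; fi
  if command -v iptables-restore >/dev/null 2>&1; then
    iptables_rules | iptables-restore --test
  fi
}
```

Run `check_rules` on a box that has pfctl or iptables-restore to syntax-check either set before you ever load it.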