Chris Dukes <pakrat@pr.neotoma.org> writes:

quoted text
> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my
> ruleset?" "What's the signal to noise ratio when I ask for help fixing
> my rule set?"

Certainly both the first and for the second one, there's an angle that
iptables users tend to forget or gloss over: With iptables you
actually risk running into weird side effects since your rule set load
is a shell script that loads rules incrementally and you can never
really be sure what's what unless the first action in your loading
script is to flush all existing rules, which of course runs a risk of
both killing connections and leaving your network wide open until your
block rules are in place.

quoted text
> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html

Yes, it's one of the better summaries by a Linux person, actually a
quite sane one.  But note the date, a lot has happened on the PF side
of the fence since then, not least performance-wise.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.