features in PF that are ! in iptables?

yocompia · 10-02-2003, 10:49 AM

i've been reading the docs on setting up the packet filter on an OBSD system, but i can't tell yet if PF has added functionality over iptables. if you know of any filtering abilities that are unique to OBSD, i would like to hear about them.

thx for reading,
y-p

whistles · 10-02-2003, 05:58 PM

I believe that pf allows for stateful filtering of all protocols where iptables does not,or needs patching to do full stateful filtering?? I do know that the syntax is way way easier to use ,as it is almost straight english. http://www.benzedrine.cx/pf.html is a very good source for pf info

yocompia · 10-03-2003, 01:18 AM

i am to understand that linux can do stateful filtering, but i'm not certain. the more i read about PF, the more i prefer its syntax and setup to that of iptables. time to go back to the docs and get this thing configured...

chort · 10-03-2003, 11:27 AM

Well I haven't looked at iptables too closely, but I do know that pf has an ability to allow only authenticated connections with authpf. I'm not aware of a similar function in iptables.

The main advantage of pf as far as I'm concerned is the syntax and keywords are actually readable. iptables is the worst and most obscure command line packet filtering I've seen as far as usability. Oh, also pf is supposedly the fastest of the open source packet filters, but I cannot confirm that.

Last advantage, you don't need multiple confusing chains of rules operating on the same packet. You just write out the commands to do exactly what you want and you don't have to worry about whether it's in the right chain, whether a chain behind it will block the packet, etc.