FreeBSD has a great firewalling system; if you want to use BSD to do something, I would recommend it.
However, I don't really see the problem with Linux and the 2.4.x series. If you want to have a firewall up and running with Linux in about 30 minutes you can just use shorewall. Really easy to configure and it is highly extensive: proxy ARP, port forwarding, SNAT, DNAT, traffic shaping, regex support (I haven't used this but I hear it's possible) and all sorts of stuff.
Also: I heard through the grapevine that OpenBSD has remote root holes in its TCP stack (but who the fuck am I?).
However I don't really see the problem with linux and the 2.4.x series.
The problem is, after they made me rewrite my rules for the third time, I said "fuck this, never again."
What about the kernel option that allows for ipmasqadmin/ipchains compatibility? I haven't used them, but I assume that would allow you to use your old rulesets with the "new" netfilter.
Have you tried that?
If you have to rewrite them again (for FreeBSD or your other choices), why not just use a Cisco router?
I mean it's time or money right?
It all relates back to your quote of "Linux is only free if your time is worth nothing."
I second the shorewall recommendation. You write your firewall terms in a higher-level config file and it handles the details.
Sadly, I think I know the guy with the glitter afro wig. Was the wig orange? The colo I work at is located at 555 Howard St... I don't know exactly where United Layer is, but maybe we can help.
Use `ipf -Fs` to flush the state table. `ipf -Fa` might also help. You may also wish to restart ipf with something along the lines of `ifconfig fxp1 down; ipf -D; ipf -E; ipf -Fa -f /etc/ipf.conf; ifconfig fxp1` (assuming fxp1 is your outside interface).
Alternately, with the source tree you have around, you can modify IPSTATE_SIZE and IPSTATE_MAX in sys/netinet/ip_state.h (assuming OpenBSD hasn't buggered up the includes) to be larger. (Note that they both have to be prime numbers, or else the hashing tables get hosed.)
Unfortunately, `ipf -Fs` won't cut it. He's dealing with an overload of established connections, so he'd need to give it an `ipf -FS`. That would also manage to roach the state he actually has, triggering alarms, etc., and generally causing hair loss.
The good news, though, is that Darren made a concession to user friendliness by letting you define those variables instead of making you edit the source. Wheee!
Of course, that still means compiling on a wheezing Pentium of uncertain lineage because of some silly religious objection to making this another sysctl knob. Fortunately, there are beefier net and FreeBSD machines available.
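The two posts above say IPSTATE_SIZE and IPSTATE_MAX must both be prime and can be defined at build time instead of edited into ip_state.h. As an added example that is not from any of the posters, this POSIX sh helper rounds requested sizes up to the next prime and prints matching -D flags; it assumes the header only sets those two macros when they are not already defined, and the 512/8192 sizes at the end are constructed, not recommended defaults.

```shell
#!/bin/sh
# Added example: choose prime values for ipf's IPSTATE_SIZE / IPSTATE_MAX.
# Assumption: ip_state.h wraps both defaults in #ifndef, so passing
# -DIPSTATE_SIZE=... -DIPSTATE_MAX=... to the build overrides them.

# is_prime N : return 0 if N is prime, 1 otherwise (trial division)
is_prime() {
    n=$1
    [ "$n" -lt 2 ] && return 1
    [ "$n" -lt 4 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N : print the smallest prime >= N
next_prime() {
    p=$1
    while ! is_prime "$p"; do
        p=$((p + 1))
    done
    echo "$p"
}

# state_flags WANT_SIZE WANT_MAX : print -D flags with both values
# rounded up to primes, so the hash tables do not get hosed
state_flags() {
    size=$(next_prime "$1")
    max=$(next_prime "$2")
    echo "-DIPSTATE_SIZE=$size -DIPSTATE_MAX=$max"
}

# Constructed sizes for illustration: ask for 512 buckets / 8192 states
state_flags 512 8192
```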