Linux – Iptables: Blocking outbound traffic except to certain IP addresses

iptables is the userland tool for manipulating netfilter. netfilter is the code in the kernel that handles the packet filtering. Contextually, changing the userland tool would only change your experience not the way the filtering operates.

I have never hit a limitation in Linux with the quantity of rules specified and I've been using Linux for firewalling since the userland tool was ipfwadm. It's notable that Netfilter wasn't introduced to Linux until the 2.4.x kernel and ipfwadm was the interface for ipfw not netfilter. OpenBSD is great for a firewall if you can continue using it in your environment.

The limitation will likely be a physical limitation based on the system resources, with a focus on the quantity of RAM available. If you encounter issues, you may have to tune Linux's max ip connection settings in the kernel. You're unlikely to encounter either of these situations on modern hardware with a modern Linux distribution.

If you would like to discuss the finer details of netfilter, you might be better off furthering this dialog on the netfilter mailing lists, as they will be the subject matter experts.

If this does not answer your question, please feel free to clarify and I will be happy to revise it.

Netfilter user hits memory limitation testing netfilter limits

For 1) and 2) I think you should look into OpenDNS.

For 3) and 4) look into snort's inline mode or you can try PacketFence which I recommend if you have network and linux experience (it does way more than only block p2p).