Date:      Sat, 19 Oct 2002 19:24:10 +0300 (EEST)
From:      BigBrother <bigbrother@bonbon.net>
To:        questions@freebsd.org
Subject:   IPNAT/NATD issues-questions.. 
Message-ID:  <20021019191855.G212-100000@bigb3server.bbcluster.gr>




Dear,

I have a couple of issues regarding the IPNAT or NATD of FreeBSD. In case
you don't have enough time, skip the next paragraph [description] and
go to the questions section.




-=Description of problem=-
I was using NATD for more than 3 years with no problem. While debugging
a problem in my IRC Fserve I noticed that connections originating from
my router [that runs NATD] were using very high port ranges, even though I
had specifically configured the IRC fserve to be in a different,
lower range.

When I stopped using NATD and changed to IPNAT, the problem disappeared and every
client on my router allocated a port in its specified range.

This also solved my problem with DCC+RESUME. Because NATD was
changing the originating ports, the DCC transfer resume was not
able to happen. With IPNAT the resume of DCC transfers had no problems,
because the client was using the port it had requested.

I am using stateful IPFW, and for this reason I wanted an
exact port range.

The natd config file has only the use_same_ports and use sockets options.

In the IPFW rules I had as the first line

50 divert natd all from any to any via ed0
-=END OF DESCRIPTION of problem=-





Questions
---------

a) Why did NATD change my originating ports on my router? IPNAT didn't
do anything like this, and the functionality is the same [my LAN can
connect with no problems to the net].

b) When NATD was used, I could see that the NATD process consumed a
high CPU time [almost 10-20% on a P166]. Where is the CPU time of
IPNAT?

c) I believe that IPNAT doesn't have the overhead of NATD. So is IPNAT
suggested for slower CPU machines (??). Am I wrong in this assumption?

d) In my IPFW there was the rule '50 divert natd all from any to any'.
Is this correct? I mean, with this rule ALL packets were forced to pass
through this and then be re-injected into the chain. I tried to put it after some
of the firewall rules, but NATD didn't work [I tried many places...].

e) Is IPFW + IPNAT a good combination? I know that the pairs are
(IPFW + NATD) and (IPF + IPNAT). Is what I am doing good, or is it not
suggested [and why?]

f) I have understood that the 'official' firewall for FreeBSD is IPFW, and
ipf is just 'contributed' software. But a lot of people suggest the use
of IPF and name it as the superior firewall. Is there a comparison page/site
that states the overhead of these two firewalls, or their pros/cons?

g) Why do some people say that IPFW is a 'userland' application even though
it has no process visibly running?


Thank you very much in advance, and I really hope that my questions will
be answered....
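Questions (d) and (e), where the divert rule may sit among stateful IPFW rules and whether stateful IPFW and NATD combine at all, are easiest to see in a ruleset. The script below is an added example written for this archive page, not code from the original message or from the FreeBSD project; the interface names ed0/ed1, the rule numbers and the natd.conf contents are assumptions, and setting ipfw_cmd=echo prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: stateful ipfw rules coexisting with natd's divert rules.
# Assumptions (constructed): outside interface ed0, inside interface ed1,
# rule numbers as below. Set ipfw_cmd=echo to print the rules instead of
# loading them.

ipfw_cmd="${ipfw_cmd:-/sbin/ipfw}"
oif="ed0"          # outside interface, where natd translates
lan_if="ed1"       # inside interface
nat_out=500        # number of the outbound divert rule, target of skipto

# natd.conf lines matching the post's description: keep the client's
# source port when it is free (same_ports) and use sockets for the table.
natd_conf() {
    printf 'interface %s\nsame_ports yes\nuse_sockets yes\n' "$oif"
}

load_rules() {
    $ipfw_cmd -q -f flush
    $ipfw_cmd add 100 allow ip from any to any via lo0
    $ipfw_cmd add 110 allow ip from any to any via $lan_if
    # Inbound packets are translated first, so that check-state compares
    # them against dynamic rules keyed on the LAN host's real address.
    $ipfw_cmd add 200 divert natd ip from any to any in via $oif
    $ipfw_cmd add 210 check-state
    # Outbound packets create state on their untranslated LAN address and
    # then jump to the outbound divert. A single divert rule ahead of the
    # keep-state rules would record the translated address instead, and
    # the replies, translated back on the way in, would never match it.
    $ipfw_cmd add 300 skipto $nat_out tcp from any to any out via $oif setup keep-state
    $ipfw_cmd add 310 skipto $nat_out udp from any to any out via $oif keep-state
    $ipfw_cmd add 320 skipto $nat_out icmp from any to any out via $oif keep-state
    # Anything still here is unsolicited inbound or disallowed outbound.
    $ipfw_cmd add 400 deny log ip from any to any
    # skipto target: translate the already-accepted outbound packet, then pass it.
    $ipfw_cmd add $nat_out divert natd ip from any to any out via $oif
    $ipfw_cmd add 510 allow ip from any to any
}

# Only touch the running firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Run it as `sh ruleset.sh apply` on the router; a plain `ipfw_cmd=echo sh ruleset.sh` together with a call to load_rules shows the order without changing anything.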




