Date: Fri, 12 Oct 2001 20:39:38 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Thomas T. Veldhouse" <veldy@veldy.net>
Cc: David Kelly <dkelly@hiwaay.net>, Alfatrion <alfatrion@cybertron.tmfweb.nl>, "Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>, "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>, freebsd-stable@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011012203938.E6274@blossom.cjclark.org>
In-Reply-To: <017101c15349$4a413530$3028680a@tgt.com>; from veldy@veldy.net on Fri, Oct 12, 2001 at 01:11:17PM -0500
References: <20011012154307.O52936-100000@klima.physik.uni-mainz.de> <003601c15328$db264480$24b4a8c0@pretorian> <3BC700CE.8000201@cybertron.tmfweb.nl> <010001c15331$23f1da00$3028680a@tgt.com> <20011012130628.A11301@grumpy.dyndns.org> <017101c15349$4a413530$3028680a@tgt.com>

On Fri, Oct 12, 2001 at 01:11:17PM -0500, Thomas T. Veldhouse wrote:
> FTP works in passive and active mode using IPNat.
>
> map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 proxy port ftp ftp/tcp
> map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 portmap tcp/udp 1025:60000

Except when the ftp proxy is panicking the kernel. When non-ftp data
was passed over port 21, up until recently, it could easily crash your
system. One of the nice things about natd(8) is that it takes that
kind of stuff out of the kernel so that kind of failure is not so
dramatic. One of the problems with natd(8) is that there is a fair
performance penalty for talking things out to userspace and back.

Both ipf(8) and ipfw(8) have pros and cons.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message