Date:      Tue, 20 Nov 2001 18:06:40 +0100
From:      Axel Scheepers <axel@axel.truedestiny.net>
To:        Walter Hop <walter@binity.com>
Cc:        Axel Scheepers <axel@axel.truedestiny.net>, Chris Appleton <cappleton@emailtopia.com>, freebsd-questions@freebsd.org
Subject:   Re: NAT security
Message-ID:  <20011120180640.B87336@mars.thuis>
In-Reply-To: <1989602727.20011120023836@binity.com>; from walter@binity.com on Tue, Nov 20, 2001 at 02:38:36AM +0100
References:  <917DCA667947D4118E2100AA00BAEA6E1ABC06@vonneumann.emailtopia.com> <83141508858.20011119162408@binity.com> <20011119235600.A1904@mars.thuis> <1989602727.20011120023836@binity.com>

On Tue, Nov 20, 2001 at 02:38:36AM +0100, Walter Hop wrote:
> Thanks for the info! I never did care to look at it. Do you think the
> efficiency gain is noticeable for a node with relatively few firewalling
> rules as well?
> 
Yes I do; since the packets don't need to be copied from kernel to userland
there's already a speedup. This is more traffic-dependent than rule-dependent,
since every packet needs to be copied when you use ipfw.
With a clever ruleset (use quick to simulate sort of ipfw behavior) the use
of ipfilter does improve speed, i.e. at home my 486 box went from an average
load of 0.35-0.40 (using ipfw, at peaks 1.00) to an average of 0.1, just by
changing from ipfw/natd to ipfilter/ipnat.
I should give it a try if I were you; it won't harm anyone and if you're not
satisfied use ipfw again. :)

-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
There are three kinds of lies: Lies, Damn Lies, and Statistics.
		-- Disraeli
------------------------------------------
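
An added example (not part of the message above, and not ipfilter or ipfw code): a simplified Python model of the evaluation order behind the "use quick" remark. ipfilter applies the last matching rule unless a matching rule carries `quick`, while ipfw stops at the first match, so a ruleset carried over in ipfw order changes its verdict unless `quick` is added. The rule fields, packets and function names are constructed for illustration, and the default verdicts assume stock kernel options.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False           # ipfilter "quick": stop evaluating at this rule
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return (self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def ipf_eval(rules, pkt, default="pass"):
    """ipfilter-style: last matching rule wins unless a match has quick.
    Returns (verdict, number of rules examined)."""
    verdict = default             # assumption: kernel built without default-block
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                return verdict, n
    return verdict, len(rules)

def first_match_eval(rules, pkt, default="block"):
    """ipfw-style: the first matching rule decides the packet's fate."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, n
    return default, len(rules)    # assumption: default-deny final rule

# Constructed ruleset written in ipfw order: allow SSH, then block the rest.
PORTED = [Rule("pass", proto="tcp", dport=22), Rule("block")]
# The same rules with quick on every line, as the message suggests.
PORTED_QUICK = [replace(r, quick=True) for r in PORTED]

SSH = {"proto": "tcp", "dport": 22}       # constructed sample packets
TELNET = {"proto": "tcp", "dport": 23}

if __name__ == "__main__":
    print("ipfw order, first match:", first_match_eval(PORTED, SSH))
    print("ipf without quick:      ", ipf_eval(PORTED, SSH))
    print("ipf with quick:         ", ipf_eval(PORTED_QUICK, SSH))
    print("ipf with quick, telnet: ", ipf_eval(PORTED_QUICK, TELNET))
```

Without `quick` the trailing `block` rule overrides the earlier `pass`, so the SSH packet is dropped and every rule is examined; with `quick` the verdict matches the first-match result and evaluation stops at rule 1.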