From: Axel Scheepers
To: Walter Hop
Cc: Axel Scheepers, Chris Appleton, freebsd-questions@freebsd.org
Date: Tue, 20 Nov 2001 18:06:40 +0100
Subject: Re: NAT security

On Tue, Nov 20, 2001 at 02:38:36AM +0100, Walter Hop wrote:
> Thanks for the info! I never did care to look at it. Do you think the
> efficiency gain is noticeable for a node with relatively few firewalling
> rules as well?
>

Yes I do; since the packets don't need to be copied from kernel to
userland there's already a speedup. This is more traffic dependent than
rule dependent, since every packet needs to be copied when you use ipfw.
With a clever ruleset (use quick to simulate sort of ipfw behavior) the
use of ipfilter does improve speed, i.e. at home my 486 box went from an
average load of 0.35-0.40 (using ipfw, at peaks 1.00) to an average of
0.1, just by changing from ipfw/natd to ipfilter/ipnat.

I should give it a try if I were you; it won't harm anyone and if you're
not satisfied use ipfw again. :)

--
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
There are three kinds of lies: Lies, Damn Lies, and Statistics.
		-- Disraeli
------------------------------------------