From: "Chuck Sumner"
To: "'Kevan Olhausen'"
Subject: RE: ipchains and natd
Date: Tue, 3 Apr 2001 22:20:40 -0700
Message-ID: <001201c0bcc6$fe08a5e0$c803a8c0@CSUMNER>

ipfilter is an ipchains-like implementation for FreeBSD and other *nixes. It is kernel based also.

http://coombs.anu.edu.au/ipfilter/ is the main site and has a link to great documentation, like: http://www.obfuscation.org/ipf/

I've had far better luck with ipfilter. I'd say it's easier to configure than both ipchains and ipfw. It does everything I need and the overhead is very low. I've managed to build quite a few very effective firewalls with it.

chuck

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kevan Olhausen
Sent: Tuesday, April 03, 2001 9:49 PM
To: questions@FreeBSD.ORG
Subject: ipchains and natd

I've been using ipchains on Linux for our business's firewall so I can masquerade the connections. I recently had the opportunity to change the OS to FreeBSD 4.2 so I set it up with natd and ipfw.

The problem was that as soon as there were a few simultaneous connections the natd process would start getting 15%-25% CPU time when I looked at top and the connections would eventually start to get slower the more connections there were. The hardware is a Pent II 166. ipchains didn't seem to have any kind of performance hit (because it's using the kernel, I think) but natd is a separate process and it appears to be more vulnerable.

Any thoughts on if this is normal and is there any ipchains-type implementation on FreeBSD?

Thanks!

-------
Kevan Olhausen
kolhausen@windermere.com
Information Technologies

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message