From owner-freebsd-questions@FreeBSD.ORG Wed May 21 05:55:40 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF33037B401 for ; Wed, 21 May 2003 05:55:40 -0700 (PDT)
Received: from mail.gascom.ru (mail.gascom.ru [217.17.160.2]) by mx1.FreeBSD.org (Postfix) with SMTP id 875A943F85 for ; Wed, 21 May 2003 05:55:39 -0700 (PDT) (envelope-from asa@gascom.ru)
Received: (qmail 90196 invoked from network); 21 May 2003 12:44:48 -0000
Received: from asa.gascom.net.ru (HELO ?GD?U??W8??????j) (192.168.100.29) by mail.gascom.ru with SMTP; 21 May 2003 12:44:48 -0000
From: Sergey Akifyev
To: Andras Kende
In-Reply-To:
References:
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-6PIW8lsLHg4rmftsf6uH"
Organization: JSC Gascom
Message-Id: <1053521736.363.39.camel@asa.gascom.net.ru>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.3.3 (Preview Release)
Date: 21 May 2003 12:55:37 +0000
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules for low-end server??
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 21 May 2003 12:55:41 -0000

On Wed, 2003-05-21 at 04:10, Andras Kende wrote:
> Hello All,

Hi!

> Have PIII-450, 386Mb FreeBSD 4.8 machine as natd gateway (2 NIC) for around
> 100 computers.

You call this low-end? LOL! :)))

> To minimize load on the machine which would be the best options??
>
> Should I use ipfw "dynamic" or "stateful" rules?

See below...

> Also should set to kernel with: option IPFIREWALL_VERBOSE for debugging
> purposes if needed
> but disable logging firewall_logging=NO at rc.conf ?
>
> I want to allow everything to go out, only 22tcp,80tcp 53udp and 25tcp
> (port_forwarding) to in...

Actually, you don't need any ipfw rules (except for 1 divert) for such a
configuration. Just configure natd, and run it with the -d switch. And, as
you see, you should debug only natd, so a verbose firewall is unnecessary.

--
regards,
Sergey Akifyev
JSC Gascom
PGP key available from: ftp://ftp.gascom.ru/pub/PGP-keys/asa.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQA+y3dIbu06QwmNwNsRAtmfAKCKMXH255MsG0VippEXZXJPkKdVCQCfS9xn
j7h9yTdU3nxoH+PwxpjxpLk=
=MoY4
-----END PGP SIGNATURE-----
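The reply's point is that a natd gateway needs only one ipfw rule, the divert that hands packets to natd. The script below is an added example, not code from either poster: it shows that divert rule together with a small stateless filter implementing the policy the question describes (everything out; only 22/tcp, 80/tcp, 53/udp and 25/tcp in, with 25 forwarded to a LAN host), plus the rc.conf lines that turn the box into a gateway. Every name and address in it is an assumption: external NIC fxp0, LAN NIC rl0, mail host 192.168.100.10, natd on its default divert port 8668. FWCMD defaults to `echo ipfw` so the ruleset can be previewed on any machine; on the gateway run it with `FWCMD=/sbin/ipfw` to load the rules for real.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw + natd for a FreeBSD 4.x gateway.
# Assumed names/addresses: external NIC fxp0, LAN NIC rl0, mail host
# 192.168.100.10 behind the port-forward, natd on default divert port 8668.

oif="${OIF:-fxp0}"            # external interface (assumption)
iif="${IIF:-rl0}"             # LAN interface (assumption)
natd_port=8668                # natd's default divert port
mailhost="192.168.100.10"     # LAN host that receives forwarded SMTP (assumption)

# FWCMD defaults to "echo ipfw" so the ruleset can be previewed anywhere;
# set FWCMD=/sbin/ipfw on the gateway to apply it.
fwcmd="${FWCMD:-echo ipfw}"

# natd flags: -same_ports keeps source ports where possible; -redirect_port
# publishes the mail host's SMTP port on the external address.
natd_flags() {
    printf '%s -redirect_port tcp %s:25 25' '-same_ports' "$mailhost"
}

# rc.conf lines for the gateway, emitted as text for review rather than
# written to /etc/rc.conf. firewall_logging="NO" matches the question:
# no rule below uses "log", so IPFIREWALL_VERBOSE is not needed either.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="NO"
natd_enable="YES"
natd_interface="${oif}"
natd_flags="$(natd_flags)"
EOF
}

# The ruleset. Numbers are explicit so the divert rule stays first: after
# natd translates a packet it re-enters the list at the next rule with the
# LAN address already in place, so inbound rules match "any", not the
# external IP.
build_ruleset() {
    ${fwcmd} -f flush
    # The one rule the reply says is really needed: both directions of
    # traffic on the external interface go to natd.
    ${fwcmd} add 100 divert ${natd_port} ip from any to any via ${oif}
    # Loopback and the LAN side are trusted.
    ${fwcmd} add 200 allow ip from any to any via lo0
    ${fwcmd} add 210 allow ip from any to any via ${iif}
    # Everything may leave.
    ${fwcmd} add 300 allow ip from any to any out via ${oif}
    # Return traffic for TCP sessions the LAN opened.
    ${fwcmd} add 400 allow tcp from any to any established
    # Published services; "setup" limits the match to new connections.
    ${fwcmd} add 500 allow tcp from any to any 22,25,80 in via ${oif} setup
    ${fwcmd} add 510 allow udp from any to any 53 in via ${oif}
    # Price of staying stateless: replies from remote DNS servers and a few
    # useful ICMP types must be let back in explicitly.
    ${fwcmd} add 520 allow udp from any 53 to any in via ${oif}
    ${fwcmd} add 530 allow icmp from any to any icmptypes 0,3,11 in via ${oif}
    # Everything else is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

rc_conf_fragment
build_ruleset
```

Rule 520 is the weak spot of a stateless ruleset: any packet with source port 53 gets in. That is the trade-off the question's "dynamic or stateful" wording is about; keep-state rules close it but must be placed with care relative to the divert rule, since natd rewrites addresses before the later rules see the packet.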