From: Chris Cowart
To: remodeler
Cc: freebsd-net@freebsd.org
Date: Tue, 27 Oct 2009 16:14:34 -0700
Subject: Re: Port-forwarding with IPFW / natd

remodeler wrote:
> Is there any reason to prefer port-forwarding with ipfw (forward ipaddr) vs.
> natd (-redirect_port), if I am using both subsystems in any case? I see natd
> uses libalias and an ipfw divert port, so my thought is that the ipfw approach
> would incur less overhead. Also, the ipfw approach permits a hostname for
> resolving where natd requires an IP address.

natd (or ipfw nat) has the ability to manipulate the IP address and ports of
a packet. The fwd capability in ipfw does not modify the layer 3 headers, but
instead short-circuits the next-hop logic. Take a look at the fwd description
in ipfw(8).

I would recommend using the ipfw built-in nat support (search for NAT in
ipfw(8)) instead of the old-style divert solution. As I understand it, divert
has overhead related to copying the packets to and from userland, which is
unnecessary when using the in-kernel implementation.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
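The three mechanisms discussed in the thread, side by side, as an added example that is not part of the original exchange: the userland natd/divert path, the in-kernel ipfw nat path the reply recommends, and an ipfw fwd rule, whose comment spells out why fwd is not port forwarding. The external interface em0 and the internal web server 192.168.1.10 are assumed placeholder values. The script only calls ipfw and natd when they exist and it runs as root; elsewhere it prints the commands it would issue, so the ruleset can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not from the FreeBSD thread. Shows how port 80 reaches an
# internal web server via (1) natd + divert, (2) in-kernel ipfw nat, and
# (3) ipfw fwd, with the semantic difference of fwd called out.
# Assumed placeholder values: external interface em0, internal host
# 192.168.1.10. Real rule loading needs root on a FreeBSD host.

EXT_IF="em0"            # assumption: external (public) interface
WEB="192.168.1.10"      # assumption: internal web server

# Execute ipfw/natd only where they exist and we are root; otherwise print
# the command so the ruleset can be reviewed as a dry run.
run() {
    if command -v "$1" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# 1. Old style: natd(8) in userland behind a divert socket. Every packet
#    matching rule 100 is copied out to natd and back into the kernel.
natd_divert() {
    run natd -n "$EXT_IF" -redirect_port tcp "$WEB:80" 80
    run ipfw add 100 divert natd ip from any to any via "$EXT_IF"
}

# 2. In-kernel NAT: the same libalias logic, no userland round trip.
#    redirect_port rewrites destination address/port inbound and the
#    matching source address/port on the reply path.
ipfw_nat() {
    run ipfw nat 1 config if "$EXT_IF" same_ports unreg_only \
        redirect_port tcp "$WEB:80" 80
    run ipfw add 100 nat 1 ip from any to any via "$EXT_IF"
}

# 3. fwd: the packet is handed to $WEB as next hop, but its IP header still
#    carries the firewall's own address ("me"). $WEB will only accept it if
#    it also owns that address (e.g. on a loopback alias). Nothing in the
#    layer 3 header is rewritten, which is the point the reply makes.
ipfw_fwd() {
    run ipfw add 200 fwd "$WEB" tcp from any to me 80 in via "$EXT_IF"
}

# Select exactly one mechanism; loading two of them at once would double
# process the same packets.
choose() {
    case "$1" in
        natd) natd_divert ;;
        nat)  ipfw_nat ;;
        fwd)  ipfw_fwd ;;
        *)    echo "usage: $0 natd|nat|fwd" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    choose "$1"
fi
```

Run it as `sh script.sh nat` to see (or, as root on FreeBSD, load) the in-kernel variant. The rule numbers and the `unreg_only`/`same_ports` options are ordinary choices, not requirements; what matters for the thread's argument is that only the first variant pays for a divert copy per packet, and only the first two rewrite addresses at all. On FreeBSD releases of that era the fwd action also needed the IPFIREWALL_FORWARD kernel option, so check the ipfw(8) page for the release in use.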