From owner-freebsd-security  Wed Nov 21  9:44:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107])
	by hub.freebsd.org (Postfix) with ESMTP id 82D6E37B417
	for <security@freebsd.org>; Wed, 21 Nov 2001 09:44:41 -0800 (PST)
Received: from nunetnt2.nunet.local ([192.168.0.10])
	by chaos.evolve.za.net (8.11.6/1.1.3) with ESMTP id fALHicl42632
	for <security@freebsd.org>; Wed, 21 Nov 2001 19:44:39 +0200 (SAST)
	(envelope-from pheonix@area.co.za)
Received: from DAVE (MANDY [192.168.0.54]) by nunetnt2.nunet.local with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id XK5HMX1V; Wed, 21 Nov 2001 19:43:19 +0200
Message-ID: <009d01c172b3$cb35d5e0$3600a8c0@DAVE>
From: "Dave Raven" <pheonix@area.co.za>
To: <security@freebsd.org>
References: <20011121183151.B15275@heresy.dreamflow.nl>
Subject: Re: Best security topology for FreeBSD
Date: Wed, 21 Nov 2001 19:41:45 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

This may not be true, but I think that there is far less cpu utilization
with IpFilter
when it comes to rule proccessing.

----- Original Message -----
From: "Bart Matthaei" <bart@dreamflow.nl>
To: "Dave Raven" <dave@raven.za.net>
Cc: <security@freebsd.org>
Sent: Wednesday, November 21, 2001 7:31 PM
Subject: Re: Best security topology for FreeBSD


> On Wed, Nov 21, 2001 at 07:25:12PM +0200, Dave Raven wrote:
> > ipfw runs in the kernel, but NAT runs in userland.
>
> hmm.. bummer :)
>
> > With IPFilter this is not so, IPNat runs in the kernel and should be
> faster.
> > If you are planning on large usage I would recommend IPFilter (less
> load)
> > and IPNat.
>
> I still dont see why ipf would be better when it comes to filtering.
>
> B.
>
> --
> Bart Matthaei                 bart@dreamflow.nl
>
> /* Welcome to my world.. You just live in it */


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message