Date: Mon, 31 May 1999 19:45:12 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: dgilbert@velocet.ca (David Gilbert)
Cc: net@FreeBSD.ORG
Subject: Re: natd question
Message-ID: <199905311745.TAA19533@labinfo.iet.unipi.it>
In-Reply-To: <14162.59808.260640.720788@trooper.velocet.ca> from "David Gilbert" at May 31, 99 03:57:01 pm
> Luigi> But i wonder, is there a way to tell NATD to act straight on
> Luigi> incoming packets, instead of forcing forwarding on, and having
> Luigi> another pass through the firewall and the protocol stack ?
>
> We realized this pretty early on because our firewall sees a large
> amount of traffic (800 or more K/s) only 10-20K/s of which needs
> natd. With a standard configuration, natd can consume a large amount
> of CPU to accomplish its task.
>
> What we do is make natd run on an aliased interface (such that traffic
> would not normally go to/from it). Here's the relevant config:

yes, i already did that, and in fact at least natd only sees useful pkts now.

However there are still a couple of useless passes through the firewall code (once a pkt is diverted, you know what to do with it, no need to do further analysis), plus having forwarding enabled makes me feel a bit uncomfortable...

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
http://www.iet.unipi.it/~luigi/ngc99/
==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message