Date: Fri, 12 Oct 2001 13:11:17 -0500
From: "Thomas T. Veldhouse" <veldy@veldy.net>
To: "David Kelly" <dkelly@hiwaay.net>
Cc: "Alfatrion" <alfatrion@cybertron.tmfweb.nl>, "Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>, "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>, <freebsd-stable@FreeBSD.ORG>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: IPFW or IPFILTER?
Message-ID: <017101c15349$4a413530$3028680a@tgt.com>
References: <20011012154307.O52936-100000@klima.physik.uni-mainz.de> <003601c15328$db264480$24b4a8c0@pretorian> <3BC700CE.8000201@cybertron.tmfweb.nl> <010001c15331$23f1da00$3028680a@tgt.com> <20011012130628.A11301@grumpy.dyndns.org>
FTP works in passive and active mode using IPNat.

map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 proxy port ftp ftp/tcp
map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 portmap tcp/udp 1025:60000

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "David Kelly" <dkelly@hiwaay.net>
To: "Thomas T. Veldhouse" <veldy@veldy.net>
Cc: "Alfatrion" <alfatrion@cybertron.tmfweb.nl>; "Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>; "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>; <freebsd-stable@FreeBSD.ORG>; <freebsd-questions@FreeBSD.ORG>
Sent: Friday, October 12, 2001 1:06 PM
Subject: Re: IPFW or IPFILTER?

> On Fri, Oct 12, 2001 at 10:18:17AM -0500, Thomas T. Veldhouse wrote:
> > ipfw add check-state
> > .
> > .
> > .
> > ipfw add pass tcp from any to any via tun0 out keep-state
> >
> > However, if you plan to use NAT, I highly recommend IPFilter -- it is "in
> > kernel", so there is not a transition from kernel -> userland -> kernel.
> > Also, natd is quirky and can cause "failed to write back packet" (IIRC) when
> > not configured "perfectly". The samples in the /etc/rc.firewall file cause
> > this error message.
>
> So what do you think is wrong with "failed to write back packet"
> messages? Only happens when the rules you wrote after the divert rule
> blocked the re-written natd'ed packet. Hopefully you do not believe a
> natd'ed packet should be passed no matter what?
>
> The only problem I have with the "failed to write back packet" message
> is that it doesn't say enough about why the packet was dropped. Or
> details about the packet which was dropped. The best "cure" I've found
> is to set natd's logging facility to "security" so both natd and ipfw
> log to /var/log/security (default /etc/syslog.conf) placing both what
> natd say and ipfw say close enough in one file to connect both views of
> the same incident.
>
> As for the arguments about in-kernel vs user space, I only have 10 users
> behind my ipfw/natd P-III 500 MHz on cable modem and everybody is
> tickled with the performance. So I run the Distributed.net client
> crunching on rc5 to consume the rest of the cpu cycles. Stays about 98%
> "nice", maybe only 97% when the cable modem is maxed.
>
> OTOH I do have a bone to pick with natd. The punch_fw option does not
> work with passive ftp. Gives WinX versions of IE hell but the MacOS
> version of IE 5 gets thru. Also FreeBSD's fetch fails in passive. Is not
> the hottest fire in my kitchen so I haven't delved further.
>
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
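David's suggestion above is to send natd's logging to the "security" facility so that natd and ipfw land in one file and the two views of a dropped packet sit next to each other. The script below is an added example, not from anyone in this thread: it reads constructed /var/log/security-style lines and, for each natd write-back failure, lists the ipfw "Deny" entries logged in the preceding couple of seconds, so the rule number that blocked the re-written packet is shown beside the natd complaint. The sample lines, the host name and the exact natd message wording are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/security after natd is pointed at the
# "security" facility (syslog layout: month day time host process: message).
SAMPLE_LOG = """\
Oct 12 13:05:01 gw /kernel: ipfw: 200 Accept TCP 192.168.0.5:1025 10.9.8.7:80 out via tun0
Oct 12 13:05:02 gw /kernel: ipfw: 400 Deny TCP 10.9.8.7:80 192.168.0.5:1025 in via tun0
Oct 12 13:05:02 gw natd[123]: failed to write back packet (Permission denied)
Oct 12 13:07:30 gw /kernel: ipfw: 400 Deny UDP 10.9.8.7:53 192.168.0.5:1026 in via tun0
Oct 12 13:09:00 gw natd[123]: failed to write back packet (Permission denied)
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?): (.*)$")
IPFW_DENY_RE = re.compile(r"ipfw: (\d+) Deny (\w+) (\S+) (\S+) (in|out) via (\S+)")

def parse(lines, year=2001):
    """Yield (timestamp, process, message); syslog omits the year, so it is supplied."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)

def correlate(text, window=2, year=2001):
    """For each natd write-back failure, return (timestamp, [ipfw Deny entries])
    where the Deny was logged at most `window` seconds before the failure."""
    events = list(parse(text.splitlines(), year))
    denies = []
    for ts, _proc, msg in events:
        m = IPFW_DENY_RE.search(msg)
        if m:
            denies.append((ts, {"rule": int(m.group(1)), "proto": m.group(2),
                                "src": m.group(3), "dst": m.group(4),
                                "dir": m.group(5), "iface": m.group(6)}))
    results = []
    for ts, proc, msg in events:
        if not proc.startswith("natd") or "failed to write back packet" not in msg:
            continue
        hits = [d for dts, d in denies if 0 <= (ts - dts).total_seconds() <= window]
        results.append((ts, hits))
    return results

if __name__ == "__main__":
    for ts, hits in correlate(SAMPLE_LOG):
        print(ts, "natd write-back failed;", hits or "no matching ipfw Deny in window")
```

A natd failure with an empty list means nothing ipfw logged explains it within the window, so the blocking rule was probably not one with a "log" keyword.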