From: Sheldon Hearn
To: "Dave Raven"
Cc: freebsd-security@FreeBSD.org
Subject: Re: Best security topology for FreeBSD
In-reply-to: Your message of "Wed, 21 Nov 2001 19:25:12 +0200." <005f01c172b1$7a8503c0$3600a8c0@DAVE>
Date: Thu, 22 Nov 2001 10:48:59 +0200
Message-ID: <18259.1006418939@axl.seasidesoftware.co.za>

On Wed, 21 Nov 2001 19:25:12 +0200, "Dave Raven" wrote:

> With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> If you are planning on large usage I would recommend IPFilter (less load)
> and IPNat.

I'm having trouble with IPFW+natd servicing a high-volume web cluster.
I'm finding that natd hogs just about all available cycles on one of the
two PII CPUs in the box.

The throughput through the firewall has also dropped since I migrated
from the Linux IPchains monster we had before.

I'll post my findings in follow-up later this month.

Ciao,
Sheldon.