From owner-freebsd-questions  Thu Jul 25 13:43:29 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F140A37B405
	for <freebsd-questions@FreeBSD.ORG>; Thu, 25 Jul 2002 13:43:25 -0700 (PDT)
Received: from alpha.yumyumyum.org (dsl092-171-091.wdc1.dsl.speakeasy.net [66.92.171.91])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4BF7D43E4A
	for <freebsd-questions@FreeBSD.ORG>; Thu, 25 Jul 2002 13:43:25 -0700 (PDT)
	(envelope-from culverk@yumyumyum.org)
Received: from alpha.yumyumyum.org (localhost [127.0.0.1])
	by alpha.yumyumyum.org (8.12.5/8.12.3) with ESMTP id g6PKh53H014805;
	Thu, 25 Jul 2002 16:43:06 -0400 (EDT)
	(envelope-from culverk@yumyumyum.org)
Received: from localhost (culverk@localhost)
	by alpha.yumyumyum.org (8.12.5/8.12.3/Submit) with ESMTP id g6PKh5Vg014802;
	Thu, 25 Jul 2002 16:43:05 -0400 (EDT)
	(envelope-from culverk@yumyumyum.org)
X-Authentication-Warning: alpha.yumyumyum.org: culverk owned process doing -bs
Date: Thu, 25 Jul 2002 16:43:05 -0400 (EDT)
From: Kenneth Culver <culverk@yumyumyum.org>
To: James West <zerowren@msn.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NAT with Three NICs
In-Reply-To: <F25qQkHqJmvnfaAdNwA000253f6@hotmail.com>
Message-ID: <20020725163849.J13432-100000@alpha.yumyumyum.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

> Now, this is another question I've had:
>
> what's the advantage of the ipfilter package over natd/ipfw?
>
> James
>
>
Well, it's mostly personal prefrence from what I can tell... I like it
because it's rules are easier to read, and it has a lot of nice
monitoring tools that allow you to monitor the firewall state in real
time. Not to mention that the whole thing, nat and firewall, is in the
kernel. With ipfw and natd, packets have to be passed in and out of
userland, causing context switches... This doesn't really cause a big
performance issue for most people though, I've only seen problems on HUGE
configurations.

So basically (my opinion):

ipfilter is easier to configure, easier to see stats for, and keeps
packets in the kernel.

Ken


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message