From owner-freebsd-stable Wed Dec 18 05:00:09 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA05215 for stable-outgoing; Wed, 18 Dec 1996 05:00:09 -0800 (PST)
Received: from itsdsv1.enc.edu (itsdsv1.enc.edu [207.95.42.241]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA05175; Wed, 18 Dec 1996 05:00:00 -0800 (PST)
Received: from dingo.its.enc.edu (dingo.its.enc.edu [207.95.222.250]) by itsdsv1.enc.edu (8.7.5/8.7.3) with SMTP id HAA27324; Wed, 18 Dec 1996 07:57:51 -0500 (EST)
Date: Wed, 18 Dec 1996 08:00:23 -0500 (EST)
From: Charles Owens
X-Sender: owensc@dingo.its.enc.edu
To: sos@freebsd.org
cc: Luigi Rizzo, julian@whistle.com, wangel@wgrobez1.remote.louisville.edu, dnex@access.digex.net, current@freebsd.org, stable@freebsd.org
Subject: Re: IP masquerading (for a LAN, _not_ PPP)
In-Reply-To: <199612170844.JAA18610@ravenock.cybercity.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by freefall.freebsd.org id FAA05209
Sender: owner-stable@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Dec 1996 sos@freebsd.org wrote:

> In reply to Luigi Rizzo who wrote:
> > > FreeBSD 2.2 includes the feature "DIVERT SOCKETS"
> > > these can be used in conjunction with the ipfw code to
> > > create a translation feature.
> > >
> > > Use the 'divert' keyword with the Ipfw to divert a packet to
> > > a 'divert socket' that is opened by the translation daemon.
> > > The daemon monitors incoming packets and 'fiddles' the headers
> > > accordingly.
> >
> > isn't it a bit expensive ? I mean, do all the packets go to userland
> > where the daemon modifies them and then back to the kernel ? If this is
> > the situation, it sounds like a significant overhead per packet, so you
> > only want to do it at the slow side of a router.
>
> Exactly, that's why I did it in the kernel :)
> I've measured the overhead long ago when I started this, and on my
> rusty old 25Mhz 386SX this works just dandy with 10MBps and
> multiple connections with kernel resident code. I tried a
> couple of simple attempts on a userland implementation, but
> it bailed out on ~100Kbps...
> (And for those wanting it, it's not releasable, sorry)
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Søren Schmidt (sos@FreeBSD.org) FreeBSD Core Team
> Even more code to hack -- will it ever end

Ok... help me out here: the 'ipfilter' package is _not_ a userland
implementation, right? (just trying to put all of the pieces together
here...)

Why do some folks consider the DIVERT sockets with userland daemon
approach better than other existing options, such as ipfilter? Or, more
directly, why might I not want to use ipfilter to build a firewall for a
large (hundreds of users) LAN? (pssst... not trying to start a war here)

I'm trying to discern which of the available options makes the most sense
for me... at this instant ipfilter seems the best bet --- feature rich and
good performance (I'm assuming... by virtue of its kernel
implementation... any testimonials?). I'd use the ipfw package but I
really need NAT.

If this should be moved out of -stable and -current then... sorry... :-)

Thanks,

---
-------------------------------------------------------------------------
Charles Owens                       Email: owensc@enc.edu
Information Technology Services     "I read somewhere to learn is to
Eastern Nazarene College            remember... and I've learned that
                                    we've all forgot..." - King's X
-------------------------------------------------------------------------
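The quoted explanation above (an ipfw 'divert' rule hands matching packets to a socket opened by a translation daemon, which then "fiddles" the headers and hands them back) is easier to weigh against a kernel implementation once you see what the per-packet work actually is. The following is an added example for this thread, not code from Søren, Luigi, Julian, or the ipfw/ipfilter projects: the portable part validates an IPv4 header, rewrites the source or destination address, and recomputes the header checksum; the loop at the bottom only compiles where IPPROTO_DIVERT is defined (FreeBSD) and shows the recvfrom/sendto round trip through the divert socket that Luigi's overhead question is about. The sample packet bytes, the 192.168.1.0/24 inside network, the divert port 8668 and the 203.0.113.5 masquerade address are constructed for illustration; a real daemon would also have to keep a translation table and patch the TCP/UDP checksum, which this example leaves out.

```c
/* Added example (not from the thread): header rewriting a userland
 * masquerading daemon behind "ipfw add divert 8668 ip from 192.168.1.0/24 to any"
 * performs.  Sample packet and addresses are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* RFC 1071 one's-complement sum; returns the complemented 16-bit checksum. */
uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                       /* odd trailing byte is the high half */
        sum += (uint32_t)(data[len - 1] << 8);
    while (sum >> 16)                  /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sanity-check an IPv4 header: version 4, IHL in range, fits the buffer,
 * checksum verifies.  Returns the header length, or 0 meaning "drop it". */
size_t ipv4_header_len(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;
    if (ip_checksum(pkt, ihl) != 0)    /* a valid header sums to 0xffff */
        return 0;
    return ihl;
}

#define IP_SRC 12   /* byte offset of the source address in the IPv4 header */
#define IP_DST 16   /* byte offset of the destination address */

/* Replace the source (outbound) or destination (inbound reply) address and
 * recompute the header checksum.  A real daemon must also patch the TCP/UDP
 * checksum, which covers a pseudo-header with both addresses; the constructed
 * sample is a UDP datagram with its checksum disabled (0), which IPv4 allows.
 * Returns 1 on success, 0 if the packet failed validation. */
int ipv4_rewrite_addr(uint8_t *pkt, size_t len, int offset, const uint8_t addr[4])
{
    size_t ihl = ipv4_header_len(pkt, len);
    uint16_t sum;
    if (ihl == 0 || (offset != IP_SRC && offset != IP_DST))
        return 0;
    memcpy(pkt + offset, addr, 4);
    pkt[10] = pkt[11] = 0;             /* checksum field is zero while summing */
    sum = ip_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(sum >> 8);
    pkt[11] = (uint8_t)(sum & 0xff);
    return 1;
}

/* Constructed sample: 20-byte header, UDP, 192.168.1.10 -> 10.0.0.1, followed
 * by an 8-byte UDP header with checksum 0; total length 28, header checksum 0x5cea. */
uint8_t sample_packet[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x11, 0x5c, 0xea,
    192, 168, 1, 10,   10, 0, 0, 1,
    0x04, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};
const uint8_t masq_addr[4] = { 203, 0, 113, 5 };   /* constructed outside address */

#ifdef IPPROTO_DIVERT
/* FreeBSD only: packets matched by the ipfw divert rule arrive here; after
 * rewriting, sendto() with the same sockaddr reinjects them where ipfw
 * processing left off.  Malformed packets are dropped rather than reinjected. */
int main(void)
{
    struct sockaddr_in sin, from;
    socklen_t fromlen;
    uint8_t buf[65535];
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(8668);        /* the divert port named in the ipfw rule */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        ssize_t n;
        fromlen = sizeof from;
        n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) break;
        if (!ipv4_rewrite_addr(buf, (size_t)n, IP_SRC, masq_addr))
            continue;
        sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen);
    }
    return 0;
}
#endif
```

Every packet crossing the divert rule pays for two kernel/user copies plus the system calls around them, which is the overhead Luigi asks about; the rewrite itself is a memcpy and a 20-byte checksum, so the cost is dominated by the context switches rather than the arithmetic, which is why a kernel-resident version of the same loop scales so much better.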