Message-ID: <19981228171401.B1333@ns1.adsu.bellsouth.com>
Date: Mon, 28 Dec 1998 17:14:01 -0500
From: Christian Kuhtz
To: Phillip Salzman, Brian Feldman
Cc: gmarco@giovannelli.it, current@FreeBSD.ORG
Subject: Re: wanton Atticizing is bad

On Mon, Dec 28, 1998 at 04:04:16PM -0600, Phillip Salzman wrote:
> > You can do that with natd.
>
> That is possible, but not logical.  Say you have 2000
> dialup users attempting to access the web at the same time... all
> coming from different IP addresses -- would you want the packet
> scanning to go at the Cisco, or at the NATd?  It's simple to do
> a transparent proxy from the cisco, and does not require too much on
> the squid side (IPFILTER), with less on the router.

I thought the issue was, given IPFILTER or IPFW, can we do everything with
IPFW that IPFILTER and other kludges did?  So that we can start to phase out
IPFILTER.

Ciscos can't do transparent redirection at the present time.  They do speak
WCCP however.  No, source routing is not an option.

IMHO, we can argue all day long whether we want a FreeBSD or a Cisco in the
datapath.  Knowing both network stacks quite well, I'd vote for a Cisco
anytime.  But others may not feel the same way (for whatever reason) and want
the FreeBSD box to do it.

Anyone ever done any performance benchmarking on natd/IPFILTER/IPFW?

Cheers,
Chris

--
Frisbeetarianism, n.:
The belief that when you die, your soul goes up on the roof and gets stuck.