From owner-freebsd-questions  Mon Dec  3  4:34:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from axel.truedestiny.net (a185066.upc-a.chello.nl [62.163.185.66])
	by hub.freebsd.org (Postfix) with ESMTP id 4030437B416
	for <freebsd-questions@FreeBSD.ORG>; Mon,  3 Dec 2001 04:34:11 -0800 (PST)
Received: by axel.truedestiny.net (Postfix, from userid 1000)
	id CD9AF49A2A; Mon,  3 Dec 2001 13:34:12 +0100 (CET)
Date: Mon, 3 Dec 2001 13:34:12 +0100
From: Axel Scheepers <axel@axel.truedestiny.net>
To: Thor Legvold <tlegvold@hotmail.com>
Cc: friar_josh@webwarrior.net, freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <20011203133412.A67078@mars.thuis>
Reply-To: Axel Scheepers <axel@axel.truedestiny.net>
References: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>; from tlegvold@hotmail.com on Sun, Dec 02, 2001 at 01:57:15PM +0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Sun, Dec 02, 2001 at 01:57:15PM +0000, Thor Legvold wrote:
> Ok, back to the easy way :-)  My link is more like a T1 speed (well, actualy 
> it's 2Mb/sec) amd the FBSD server is a P3 450 with 128MB RAM, so I think it 
> should be able to handle the traffic. I just figured that removing all 
> non-gre traffic (at very least incoming) would both better security, improve 
> nat/ipfw performance (lower the load) and simplify the ruleset following the 
> nat translation.
What about ipfilter/ipnat combo for this setup ? ipfilter has way better
performance than ipfw (or you should mess up the config) since it doesn't have
to copy packets from kernel to userland. At home (cable) I use it on a 486-33/
16MB. I had natd running for a while but that caused a 100% cpu load when
there was much traffic, now with ipnat it never gets higher then 20% ;-)
Gr,
-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Test-tube babies shouldn't throw stones.
------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message