From: Archie Cobbs
Message-Id: <199612182038.MAA19182@bubba.whistle.com>
Subject: Re: IP masquerading (for a LAN, _not_ PPP)
In-Reply-To: from Charles Owens at "Dec 18, 96 08:00:23 am"
To: owensc@enc.edu (Charles Owens)
Date: Wed, 18 Dec 1996 12:38:11 -0800 (PST)
Cc: sos@freebsd.org, luigi@labinfo.iet.unipi.it, julian@whistle.com, wangel@wgrobez1.remote.louisville.edu, dnex@access.digex.net, current@freebsd.org, stable@freebsd.org

> Ok... help me out here: the 'ipfilter' package is _not_ a userland
> implementation, right? (just trying to put all of the pieces together
> here...)
>
> Why do some folks consider the DIVERT sockets with userland daemon
> approach better than other existing options, such as ipfilter? Or, more
> directly, why might I not want to use ipfilter to build a firewall for a
> large (hundreds of users) LAN? (pssst... not trying to start a war here)

It depends on what you're doing... if you're only going to use it, then an integrated, debugged, fully functional kernel level implementation is ideal.
If you plan on doing development, debugging, adding custom features, etc., or don't need high performance, then a user land version is probably preferable... at least until you get it all stable and working.

The only point I would argue is that putting the filter/translation stuff inside the (user-land) ppp daemon combines the worst of both worlds. Rather than doing this, it would make more sense to separate it out into a standalone process (via divert sockets) so it can be used more generally than just with PPP (cf. subject line of this thread).

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
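As an added illustration of the standalone-process design Archie argues for (not code from this thread, from any FreeBSD tool, or from the ppp daemon), here is the skeleton of a userland daemon that receives packets on a divert socket, applies a stateless sanity policy, and reinjects only the packets it accepts. The divert port, the policy rules and the test packets are assumptions constructed for the example; the IPPROTO_DIVERT fallback exists only so the file compiles on non-FreeBSD hosts.

```c
/* Added example: userland filter daemon fed by a divert socket; the policy and
 * port are constructed for illustration, not code from the thread or FreeBSD. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value, so this also compiles elsewhere */
#endif
#define DIVERT_PORT 8668     /* assumed: must match the port in the ipfw "divert" rule */
enum verdict { DROP = 0, PASS = 1 };

/* Stateless sanity policy on a raw IPv4 packet as delivered by divert(4). */
enum verdict filter_packet(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP;          /* not IPv4 */
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = (pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || tot > len) return DROP;      /* truncated/bogus lengths */
    uint8_t proto = pkt[9];
    if (proto != 1 && proto != 6 && proto != 17) return DROP; /* only ICMP, TCP, UDP */
    if (pkt[12] == 127 || pkt[16] == 127) return DROP;        /* loopback address on the wire */
    return PASS;
}

/* Constructed test input: a minimal IPv4 header (no checksum); buf must hold 20 bytes. */
size_t build_ipv4(unsigned char *buf, uint8_t proto, const char *src, const char *dst, uint16_t tot)
{
    struct in_addr a;
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[2] = tot >> 8; buf[3] = tot & 0xff; buf[8] = 64; buf[9] = proto;
    inet_pton(AF_INET, src, &a); memcpy(buf + 12, &a, 4);
    inet_pton(AF_INET, dst, &a); memcpy(buf + 16, &a, 4);
    return tot;
}
int main(void)
{
    static unsigned char buf[65535];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {                      /* one packet in, zero or one packet out */
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        /* Writing the packet back with the same sockaddr reinjects it into the stack
         * where it was diverted; a packet that is never written back is dropped. */
        if (n > 0 && filter_packet(buf, (size_t)n) == PASS)
            (void)sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
}
```

The daemon needs root to open the divert socket and an ipfw rule that diverts traffic to DIVERT_PORT; the policy function itself is plain C and can be exercised with constructed headers without any kernel involvement.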