Date:      Wed, 18 Dec 1996 13:49:14 -0700 (MST)
From:      Softweyr LLC <softweyr@xmission.com>
To:        owensc@enc.edu (Charles Owens)
Cc:        stable@freebsd.org, questions@freebsd.org
Subject:   Re: IP masquerading (for a LAN, _not_ PPP)
Message-ID:  <199612182049.NAA04880@xmission.xmission.com>
In-Reply-To: <Pine.FBS.3.93.961218075050.13422A-100000@dingo.its.enc.edu> from "Charles Owens" at Dec 18, 96 08:00:23 am

Charles Owens recently asked:
> Why do some folks consider the DIVERT sockets with userland daemon
> approach better than other existing options, such as ipfilter?  Or, more
> directly, why might I not want to use ipfilter to build a firewall for a
> large (hundreds of users) LAN?  (pssst... not trying to start a war here) 

Simply because in userland, your filtering/forwarding rules can be
much more complex.  In kernel mode, all of the "options" for filtering
or forwarding packets have to be available to the kernel code; in userland,
the code can go "look up" things as it needs.  If your needs for filter
rules are pretty simple, a user-mode daemon is overkill.


> I'm trying to discern which of the available options makes the most sense
> for me... at this instant ipfilter seems the best bet --- feature rich and
> good performance (I'm assuming... by virtue of its kernel
> implementation... any testimonials?).  I'd use the ipfw package but I
> really need NAT. 

If ipfilter meets your needs, you probably don't need the overhead of
using divert sockets, yes.  The divert socket mechanism is used for
really complicated things, like creating a log of all traffic bound
for network address 195.194.193.*.  (Yow!)


> If this should be moved out of -stable and -current then... sorry...  :-)

Followups in, and directed to, -questions.

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
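The divert-socket daemon Wes sketches (log everything bound for 195.194.193.*, pass everything through) looks roughly like this in C. This is an added example, not code from the thread or from FreeBSD; the divert port 8668 and the matching ipfw rule are assumptions, and the destination check is kept separate from the socket loop so it can be exercised on any platform.

```c
/* Userland divert daemon: log packets bound for 195.194.193.0/24, then
 * hand every packet back to the kernel unchanged. Added example; the
 * policy (what to log) lives here, not in kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define DIVERT_PORT 8668      /* assumed; pair with "ipfw add divert 8668 ip from any to 195.194.193.0/24" */
#define LOG_NET  0xC3C2C100u  /* 195.194.193.0, host byte order */
#define LOG_MASK 0xFFFFFF00u  /* /24 */
/* 1 if pkt is IPv4 with a destination inside LOG_NET. Short or non-IPv4
 * packets are simply not logged; they are still re-injected below. */
int dest_in_log_net(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                   ((uint32_t)pkt[18] << 8)  |  (uint32_t)pkt[19];
    return (dst & LOG_MASK) == LOG_NET;
}
/* Constructed 20-byte IPv4 headers (no payload) for trying the check out. */
const unsigned char SAMPLE_TO_LOGNET[20] = {0x45,0,0,20, 0,0,0,0, 64,17,0,0,
                                            10,0,0,1, 195,194,193,7};
const unsigned char SAMPLE_ELSEWHERE[20] = {0x45,0,0,20, 0,0,0,0, 64,17,0,0,
                                            10,0,0,1, 195,194,200,7};
int main(void)
{
#ifdef IPPROTO_DIVERT   /* FreeBSD; the socket loop is skipped elsewhere */
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("divert socket"); return 1;
    }
    unsigned char pkt[65535];
    for (;;) {
        struct sockaddr_in from;   /* kernel records where the packet was diverted */
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); continue; }
        if (dest_in_log_net(pkt, (size_t)n))
            printf("%zd bytes to %d.%d.%d.%d\n", n, pkt[16], pkt[17], pkt[18], pkt[19]);
        /* Re-inject at the same point; a packet never sent back is dropped. */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
#else
    fputs("IPPROTO_DIVERT is not available on this platform\n", stderr);
    return 1;
#endif
}
```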
