Date: Tue, 29 Dec 1998 09:05:18 -0800 (PST)
From: "Eric J. Schwertfeger" <ejs@bfd.com>
To: current@FreeBSD.ORG
Subject: Re: wanton Atticizing is bad
Message-ID: <Pine.BSF.4.05.9812290853110.22573-100000@harlie.bfd.com>
In-Reply-To: <199812290121.RAA25987@hub.freebsd.org>
> Date: Mon, 28 Dec 1998 17:14:01 -0500
> From: Christian Kuhtz <ck@ns1.adsu.bellsouth.com>
> Subject: Re: wanton Atticizing is bad
>
> On Mon, Dec 28, 1998 at 04:04:16PM -0600, Phillip Salzman wrote:
> > > You can do that with natd.
> >
> > That is possible, but not logical. Say you have 2000
> > dialup users attempting to access the web at the same time... all
> > coming from different IP addresses -- would you want the packet
> > scanning to go at the Cisco, or at the NATd? It's simple to do
> > a transparent proxy from the cisco, and does not require too much on
> > the squid side (IPFILTER), with less on the router.
>
> I thought the issue was, given IPFILTER or IPFW, can we do everything with
> IPFW that IPFILTER and other kludges did? So that we can start to phase
> out IPFILTER.

There are two areas where IPFILTER seems to work better than IPFW, and both are NAT-related.

The first is that we are seeing problems with large FTPs through natd. I hadn't had the chance to debug this before switching to IPFILTER due to the second reason.

natd and SKIP just don't play well together. SKIP marks packets it has seen in the kernel memory copy of the packet, and natd, being a userspace program, doesn't see this marking, so the packet gets reinjected without the marking, so SKIP rejects the packet on the second pass, because it thinks it's seeing an unencrypted packet from a host that should only be sending encrypted packets.

Aside from these two issues, I'd never use IPFILTER, as IPFW is more natural, and I feel like I have much more control over what gets NAT'ed.
