Message-ID: <017101c15349$4a413530$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "David Kelly"
Cc: "Alfatrion", "Maine LOA List Admin (Brent Bailey)", "Hartmann, O."
References: <20011012154307.O52936-100000@klima.physik.uni-mainz.de> <003601c15328$db264480$24b4a8c0@pretorian> <3BC700CE.8000201@cybertron.tmfweb.nl> <010001c15331$23f1da00$3028680a@tgt.com> <20011012130628.A11301@grumpy.dyndns.org>
Subject: Re: IPFW or IPFILTER?
Date: Fri, 12 Oct 2001 13:11:17 -0500

FTP works in passive and active mode using IPNat.

map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 proxy port ftp ftp/tcp
map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 portmap tcp/udp 1025:60000

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "David Kelly"
To: "Thomas T. Veldhouse"
Cc: "Alfatrion"; "Maine LOA List Admin (Brent Bailey)"; "Hartmann, O."
Sent: Friday, October 12, 2001 1:06 PM
Subject: Re: IPFW or IPFILTER?

> On Fri, Oct 12, 2001 at 10:18:17AM -0500, Thomas T. Veldhouse wrote:
> > ipfw add check-state
> > .
> > .
> > .
> > ipfw add pass tcp from any to any via tun0 out keep-state
> >
> > However, if you plan to use NAT, I highly recommend IPFilter -- it is "in
> > kernel", so there is not a transition from kernel -> userland -> kernel.
> > Also, natd is quirky and can cause "failed to write back packet" (IIRC) when
> > not configured "perfectly". The samples in the /etc/rc.firewall file cause
> > this error message.
>
> So what do you think is wrong with "failed to write back packet"
> messages? Only happens when the rules you wrote after the divert rule
> blocked the re-written natd'ed packet. Hopefully you do not believe a
> natd'ed packet should be passed no matter what?
>
> The only problem I have with the "failed to write back packet" message
> is that it doesn't say enough about why the packet was dropped. Or
> details about the packet which was dropped. The best "cure" I've found
> is to set natd's logging facility to "security" so both natd and ipfw
> log to /var/log/security (default /etc/syslog.conf) placing both what
> natd say and ipfw say close enough in one file to connect both views of
> the same incident.
>
> As for the arguments about in-kernel vs user space, I only have 10 users
> behind my ipfw/natd P-III 500 MHz on cable modem and everybody is
> tickled with the performance. So I run the Distributed.net client
> crunching on rc5 to consume the rest of the cpu cycles. Stays about 98%
> "nice", maybe only 97% when the cable modem is maxed.
>
> OTOH I do have a bone to pick with natd. The punch_fw option does not
> work with passive ftp. Gives WinX versions of IE hell but the MacOS
> version of IE 5 gets thru. Also FreeBSD's fetch fails in passive. Is not
> the hottest fire in my kitchen so I haven't delved further.
>
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.
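As an added example (not code from the thread or from either poster), here is an ipfw/natd ruleset ordered the way David Kelly's explanation calls for: inbound packets are translated before check-state, outbound flows are recorded while they still carry their LAN address and only then diverted, and nothing after the outbound divert can drop the packet natd writes back. It assumes tun0 is the uplink, dc1 the LAN interface (as in the ipnat rules above), natd on its default divert port, and natd started with the assumed natd_flags="-log_facility security" so its messages land in /var/log/security beside ipfw's.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for a tun0 uplink
# ordered so that packets natd reinjects are never dropped later in the
# list (the condition natd reports as "failed to write back packet").
# Assumptions: tun0 is the external interface, dc1 the LAN interface,
# 192.168.0.0/24 the LAN, natd on its default divert port, and
# natd_flags="-log_facility security" in /etc/rc.conf (assumed flag).

EXT_IF=${EXT_IF:-tun0}
LAN_IF=${LAN_IF:-dc1}

# Print the ruleset; "sh this.sh apply" pipes it into sh to load it.
natd_ruleset() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 101 allow ip from any to any via ${LAN_IF}
# Inbound: translate first, so the packet natd reinjects at rule 120 carries
# the LAN address the dynamic rule was keyed on and check-state can match it.
ipfw add 110 divert natd ip from any to any in via ${EXT_IF}
ipfw add 120 check-state
# Outbound: record the flow while it still has its LAN address, then jump
# to the divert rule instead of allowing the untranslated packet out.
ipfw add 200 skipto 800 tcp from 192.168.0.0/24 to any out via ${EXT_IF} setup keep-state
ipfw add 210 skipto 800 udp from 192.168.0.0/24 to any out via ${EXT_IF} keep-state
ipfw add 220 skipto 800 icmp from 192.168.0.0/24 to any out via ${EXT_IF} keep-state
# Anything that fell through is unsolicited; log it so /var/log/security
# shows the drop next to natd's own messages.
ipfw add 300 deny log ip from any to any
# Outbound translation, then allow. A deny placed after 800 would produce
# "failed to write back packet" for every outbound packet.
ipfw add 800 divert natd ip from any to any out via ${EXT_IF}
ipfw add 801 allow ip from any to any
EOF
}

# Number of rules that sit before the outbound divert, for a sanity check.
rules_before_outbound_divert() {
    natd_ruleset | awk '/^ipfw add/ && $3 < 800 { n++ } END { print n+0 }'
}

if [ "${1:-}" = apply ]; then
    natd_ruleset | sh
else
    natd_ruleset
fi
```

Review the printed rules first; the outbound divert and its allow must stay the last two rules, since that is the point where natd hands the rewritten packet back.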