From owner-freebsd-current Tue Dec 29 12:12:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA05729 for freebsd-current-outgoing; Tue, 29 Dec 1998 12:12:04 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG) Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA05707 for ; Tue, 29 Dec 1998 12:11:59 -0800 (PST) (envelope-from peter@netplex.com.au) Received: from spinner.netplex.com.au (peter@localhost [127.0.0.1]) by spinner.netplex.com.au (8.9.1/8.9.1/Netplex) with ESMTP id EAA82011; Wed, 30 Dec 1998 04:11:25 +0800 (WST) (envelope-from peter@spinner.netplex.com.au) Message-Id: <199812292011.EAA82011@spinner.netplex.com.au> X-Mailer: exmh version 2.0.2 2/24/98 To: "Eric J. Schwertfeger" cc: current@FreeBSD.ORG Subject: Re: wanton Atticizing is bad In-reply-to: Your message of "Tue, 29 Dec 1998 09:05:18 PST." Date: Wed, 30 Dec 1998 04:11:24 +0800 From: Peter Wemm Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG "Eric J. Schwertfeger" wrote: > > > Date: Mon, 28 Dec 1998 17:14:01 -0500 > > From: Christian Kuhtz > > Subject: Re: wanton Atticizing is bad > > > > On Mon, Dec 28, 1998 at 04:04:16PM -0600, Phillip Salzman wrote: > > > > You can do that with natd. > > > > > > That is possible, but not logical. Say you have 2000 > > > dialup users attempting to access the web at the same time... all > > > coming from different IP addresses -- would you want the packet > > > scanning to go at the Cisco, or at the NATd? Its simple to do > > > a transparent proxy from the cisco, and does not require too much on > > > the squid side (IPFILTER), with less on the router. > > > > I thought the issue was, given IPFILTER or IPFW, can we do everything with > > IPFW that IPFILTER and other kludges did? So that we can start to phase > > out IPFILTER. > > There's two areas that IPFILTER seems to work better than IPFW, and both > are NAT-related. I've been discussing this with various folks. What I see as the "best" solution to overcome the problem of a poorly maintained (and old) copy in the tree is to make a port out of it and remove the bulk of the code from the tree. What this gets us: - upgrading to the latest release becomes easier. - getting ipfilter in the src tree was like fitting a square peg into a round hole. It's an unhappy arrangement to say the least. - using a loadable kernel module from the port at startup time gets us pretty much the same functionality as the in-kernel version. - hopefully a clean cutover from the old to the current ipfilter. The only folks directly inconvenienced would be router floppy type people. Of course there will be bumps along the way, but I think this is the best outcome considering that the copy in the tree is getting stale quickly, and leaving the hooks there (or implementing pfil) makes modules the job of the pot a lot easier. Cheers, -Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message