From: Kjell
To: "Thor Legvold"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Date: Mon, 3 Dec 2001 19:56:35 +0100
Message-Id: <20011203195625.933A480D2@mail.broadpark.no>

On Monday 03 December 2001 3:18 pm, you wrote:
> Axel wrote:
> >What about ipfilter/ipnat combo for this setup? ipfilter has way better
> >performance than ipfw (or you should mess up the config) since it doesn't
> >have to copy packets from kernel to userland. At home (cable) I use it on a
> >486-33/16MB. I had natd running for a while but that caused a 100% cpu load
> >when there was much traffic, now with ipnat it never gets higher than 20% ;-)
>
> I can look into it. I'd kind of like to get ipfw/nat working right since
> I've invested so much time in it - learning a completely different ruleset
> syntax is not something I look forward to right now. I'd like to just get
> everything up and semi-ok, and then spend time tweaking here and there as I
> have time. IPF and ipnat would also require a kernel rebuild, which isn't
> difficult or impossible, just more work when I already have little spare
> time.

IPFILTER is part of the GENERIC kernel, so no rebuild is required.
You just have to enable it in the rc.conf file.

I just switched from ipfw to ipfilter, and I found ipfilter easier to set up.
Using the ipfilter/ipnat combination I was able to implement filters I never
managed to get working under ipfw.....

Regards from Kjell