From owner-freebsd-stable  Fri Oct 12 20:41:41 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.121.12])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2E49737B405; Fri, 12 Oct 2001 20:41:35 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.245.143.238.Dial1.SanJose1.Level3.net [209.245.143.238])
	by harrier.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id UAA09621;
	Fri, 12 Oct 2001 20:41:05 -0700 (PDT)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.11.6/8.11.3) id f9D3e1I07130;
	Fri, 12 Oct 2001 20:40:01 -0700 (PDT)
	(envelope-from cjc)
Date: Fri, 12 Oct 2001 20:39:38 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Thomas T. Veldhouse" <veldy@veldy.net>
Cc: David Kelly <dkelly@hiwaay.net>,
	Alfatrion <alfatrion@cybertron.tmfweb.nl>,
	"Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>,
	"Hartmann, O." <ohartman@klima.physik.uni-mainz.de>,
	freebsd-stable@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011012203938.E6274@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011012154307.O52936-100000@klima.physik.uni-mainz.de> <003601c15328$db264480$24b4a8c0@pretorian> <3BC700CE.8000201@cybertron.tmfweb.nl> <010001c15331$23f1da00$3028680a@tgt.com> <20011012130628.A11301@grumpy.dyndns.org> <017101c15349$4a413530$3028680a@tgt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <017101c15349$4a413530$3028680a@tgt.com>; from veldy@veldy.net on Fri, Oct 12, 2001 at 01:11:17PM -0500
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On Fri, Oct 12, 2001 at 01:11:17PM -0500, Thomas T. Veldhouse wrote:
> FTP works in passive and active mode using IPNat.
> 
> map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 proxy port ftp ftp/tcp
> map dc1 192.168.0.0/24 -> www.xxx.yyy.zzz/32 portmap tcp/udp 1025:60000

Except when the ftp proxy is panicing the kernel. When non-ftp data
was passed over port 21, up until recently, it could easily crash your
system. One of the nice things about natd(8) is that it takes that
kind of stuff out of the kernel so that kind of failure is not so
dramatic. One of the problems with natd(8) is that there is a fair
performance penalty for talking things out to userspace and back.

Both ipf(8) and ipfw(8) have pros and cons.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message