Date: Mon, 3 Dec 2001 15:58:26 +0000
From: Josh Paetzel <friar_josh@webwarrior.net>
To: Kjell <la3sg@sensewave.com>
Cc: Thor Legvold <tlegvold@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <20011203155826.E446@twincat.vladsempire.net>
In-Reply-To: <20011203195625.933A480D2@mail.broadpark.no>; from la3sg@sensewave.com on Mon, Dec 03, 2001 at 07:56:35PM +0100
References: <F86oqciWBXxbT9RVoP80001cf60@hotmail.com> <20011203195625.933A480D2@mail.broadpark.no>
On Mon, Dec 03, 2001 at 07:56:35PM +0100, Kjell wrote:
> On Monday 03 December 2001 3:18 pm, you wrote:
> > Axel wrote:
> > > What about ipfilter/ipnat combo for this setup? ipfilter has way better
> > > performance than ipfw (or you should mess up the config) since it doesn't
> > > have to copy packets from kernel to userland. At home (cable) I use it on a
> > > 486-33/16MB. I had natd running for a while but that caused a 100% cpu load
> > > when there was much traffic, now with ipnat it never gets higher than 20% ;->)
That sounds like an inefficient ruleset to me.
> >
> > I can look into it. I'd kind of like to get ipfw/nat working right since
> > I've invested so much time in it - learning a completely different ruleset
> > syntax is not something I look forward to right now. I'd like to just get
> > everything up and semi-ok, and then spend time tweaking here and there as I
> > have time. IPF and ipnat would also require a kernel rebuild, which isn't
> > difficult or impossible, just more work when I already have little spare
> > time.
If you are using ipfw and natd right now then you've already had to
add IPFILTER and IPDIVERT to your kernel.
>
> IPFILTER is part of the GENERIC kernel, so no rebuild is required. You just
> have to enable it in the rc.conf file. I just switched from ipfw to ipfilter,
> and I found ipfilter easier to set up. Using the ipfilter/ipnat combination I
> was able to implement filters I never managed to get working under ipfw.....
> Best regards from Kjell
>
===jpaetzel@twincat ('tty') /home/jpaetzel -> grep IPFILTER /sys/i386/conf/GENERIC
===jpaetzel@twincat ('tty') /home/jpaetzel -> uname -a
FreeBSD twincat.vladsempire.net 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Dec  1 20:59:55 GMT 2001     jpaetzel@twincat.vladsempire.net:/usr/obj/usr/src/sys/TWINCAT  i386
IPFILTER has never been in any GENERIC kernel I have ever seen, but I
only go back to 2.1.5, and anything before 3.3 is fuzzy.
Josh
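An added example, not code from anyone in this thread: a POSIX sh check that the firewall and NAT you turn on in rc.conf actually have their kernel options compiled in (firewall_enable needs IPFIREWALL, natd_enable needs IPDIVERT for its divert socket, ipfilter_enable needs IPFILTER). The kernel config excerpt and rc.conf below are constructed for the demonstration, not copied from any real GENERIC.

```shell
#!/bin/sh
# Cross-check a kernel config against rc.conf: a packet filter or NAT that
# rc.conf enables without the matching kernel option will not come up at boot.
# Option and variable names are the real FreeBSD 4.x ones; the files are constructed.

# has_option <kernel-config> <OPTION>: succeeds if "options OPTION" is present
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# rc_yes <rc.conf> <variable>: succeeds if the variable is set to YES (any case)
rc_yes() {
    grep -Eiq "^[[:space:]]*$2=\"?YES\"?" "$1"
}

# check_firewall <kernel-config> <rc.conf>: prints one line per mismatch,
# returns 0 when rc.conf and the kernel agree and 1 otherwise
check_firewall() {
    kconf=$1; rc=$2; status=0
    if rc_yes "$rc" firewall_enable && ! has_option "$kconf" IPFIREWALL; then
        echo "firewall_enable=YES but kernel lacks options IPFIREWALL"; status=1
    fi
    # natd gets its packets through a divert socket, so it is useless without IPDIVERT
    if rc_yes "$rc" natd_enable && ! has_option "$kconf" IPDIVERT; then
        echo "natd_enable=YES but kernel lacks options IPDIVERT"; status=1
    fi
    if rc_yes "$rc" ipfilter_enable && ! has_option "$kconf" IPFILTER; then
        echo "ipfilter_enable=YES but kernel lacks options IPFILTER"; status=1
    fi
    return $status
}

# Constructed sample files: an ipfw/natd kernel paired with an rc.conf that
# also asks for ipfilter, which this kernel cannot provide.
SAMPLE_KERNEL=$(mktemp); SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_KERNEL" <<'EOF'
# constructed kernel config excerpt
options         IPFIREWALL
options         IPDIVERT
EOF
cat > "$SAMPLE_RC" <<'EOF'
# constructed rc.conf
firewall_enable="YES"
natd_enable="YES"
ipfilter_enable="YES"
EOF

check_firewall "$SAMPLE_KERNEL" "$SAMPLE_RC" || echo "rc.conf and kernel disagree"
```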
