From: Josh Paetzel
To: Kjell
Cc: Thor Legvold, freebsd-questions@FreeBSD.ORG
Date: Mon, 3 Dec 2001 15:58:26 +0000
Subject: Re: Firewall rules (ipfw)
Message-ID: <20011203155826.E446@twincat.vladsempire.net>
In-Reply-To: <20011203195625.933A480D2@mail.broadpark.no>

On Mon, Dec 03, 2001 at 07:56:35PM +0100, Kjell wrote:
> On Monday 03 December 2001 3:18 pm, you wrote:
> > Axel wrote:
> > > What about ipfilter/ipnat combo for this setup? ipfilter has way better
> > > performance than ipfw (or you should mess up the config) since it doesn't
> > > have to copy packets from kernel to userland. At home (cable) I use it on a
> > > 486-33/16MB. I had natd running for a while but that caused a 100% cpu load when
> > > there was much traffic, now with ipnat it never gets higher than 20% ;->)

That sounds like an inefficient ruleset to me.

> > I can look into it. I'd kind of like to get ipfw/nat working right since
> > I've invested so much time in it - learning a completely different ruleset
> > syntax is not something I look forward to right now. I'd like to just get
> > everything up and semi-ok, and then spend time tweaking here and there as I
> > have time. IPF and ipnat would also require a kernel rebuild, which isn't
> > difficult or impossible, just more work when I already have little spare
> > time.

If you are using ipfw and natd right now then you've already had to add IPFILTER and IPDIVERT to your kernel.

>
> IPFILTER is part of the GENERIC kernel, so no rebuild is required. You just
> have to enable it in the rc.conf file. I just switched from ipfw to ipfilter,
> and I found ipfilter easier to set up. Using the ipfilter/ipnat combination I
> was able to implement filters I never managed to get working under ipfw.....
>
> Regards from Kjell

===jpaetzel@twincat ('tty') /home/jpaetzel -> grep IPFILTER /sys/i386/conf/GENERIC
===jpaetzel@twincat ('tty') /home/jpaetzel -> uname -a
FreeBSD twincat.vladsempire.net 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Dec 1 20:59:55 GMT 2001 jpaetzel@twincat.vladsempire.net:/usr/obj/usr/src/sys/TWINCAT i386

IPFILTER has never been in any GENERIC kernel I have ever seen, but I only go back to 2.1.5, and anything before 3.3 is fuzzy.

Josh