Date:      Thu, 22 Nov 2001 02:52:28 -0600
From:      Alfred Perlstein <bright@mu.org>
To:        Sheldon Hearn <sheldonh@starjuice.net>
Cc:        Dave Raven <dave@raven.za.net>, freebsd-security@FreeBSD.org
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <20011122025228.X13393@elvis.mu.org>
In-Reply-To: <18259.1006418939@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Nov 22, 2001 at 10:48:59AM +0200
References:  <005f01c172b1$7a8503c0$3600a8c0@DAVE> <18259.1006418939@axl.seasidesoftware.co.za>

* Sheldon Hearn <sheldonh@starjuice.net> [011122 02:47] wrote:
> 
> 
> On Wed, 21 Nov 2001 19:25:12 +0200, "Dave Raven" wrote:
> 
> > With IPFilter this is not so, IPNat runs in the kernel and should be faster.
> > If you are planning on large usage I would recommend IPFilter (less load)
> > and IPNat.
> 
> I'm having trouble with IPFW+natd servicing a high-volume web cluster.
> I'm finding that natd hogs just about all available cycles on one of the
> two PII CPUs in the box.  The throughput through the firewall has
> also dropped since I migrated from the Linux IPchains monster we had
> before.
> 
> I'll post my findings in follow-up later this month.

natd isn't exactly high performance, there's nothing particularly
bad about it besides it requiring multiple copies across the
userspace kernel boundary.  Have you taken a look at using ipfilter
and ipnat?  It may offer better performance, no promises though.

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
                           http://www.morons.org/rants/gpl-harmful.php3
