Date:      Tue, 27 Oct 2009 16:14:34 -0700
From:      Chris Cowart <ccowart@rescomp.berkeley.edu>
To:        remodeler <remodeler@alentogroup.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Port-forwarding with IPFW / natd
Message-ID:  <20091027231434.GC11723@hal.rescomp.berkeley.edu>
In-Reply-To: <20091027224716.M1459@alentogroup.org>
References:  <20091027224716.M1459@alentogroup.org>

remodeler wrote:
> Is there any reason to prefer port-forwarding with ipfw (forward ipaddr) vs.
> natd (-redirect_port), if I am using both subsystems in any case? I see natd
> uses libalias and an ipfw divert port, so my thought is that the ipfw approach
> would incur less overhead. Also, the ipfw approach permits a hostname for
> resolving where natd requires an IP address.

Using natd (or ipfw nat) has the ability to manipulate the IP address
and ports of a packet. The fwd capability in ipfw does not modify the
layer 3 headers, but instead short-circuits the next-hop logic. Take a
look at the fwd description in ipfw(8).

I would recommend using the ipfw built-in nat support (search for NAT in
ipfw(8)) instead of the old-style divert solution. As I understand it,
divert has overhead related to copying the packets to and from userland,
which is unnecessary when using the in-kernel implementation.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
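
The three approaches compared in this thread, written out as ipfw and natd rules. This is an added example, not part of the original message; the interface em0, the internal host 10.0.0.5, port 80 and the rule numbers are assumed values, and the script only prints the commands unless fwcmd is set to /sbin/ipfw.

```sh
#!/bin/sh
# Added example. Constructed values: em0 = external interface,
# 10.0.0.5 = internal web server, TCP port 80 = forwarded service.
# Dry run by default: commands are printed, not executed.
# Set fwcmd=/sbin/ipfw on a FreeBSD host to apply them.
fwcmd="${fwcmd:-echo ipfw}"
ext_if="em0"
inside="10.0.0.5"

# 1. In-kernel NAT (recommended in the reply): libalias runs inside the
#    kernel, so packets are never copied to a userland daemon.
kernel_nat_rules() {
    ${fwcmd} nat 1 config if "${ext_if}" \
        redirect_port tcp "${inside}:80" 80
    ${fwcmd} add 100 nat 1 ip from any to any via "${ext_if}"
}

# 2. Old-style divert: every matching packet goes to natd in userland
#    and back. natd itself is started separately, for example:
#      natd -interface em0 -redirect_port tcp 10.0.0.5:80 80
divert_rules() {
    ${fwcmd} add 100 divert natd ip from any to any via "${ext_if}"
}

# 3. fwd: only the next hop changes. The destination address in the IP
#    header is left as the client sent it, so 10.0.0.5 must itself be
#    set up to accept packets addressed to the gateway. ipfw(8) also
#    ignores a ",port" suffix when the fwd target is not a local address.
fwd_rules() {
    ${fwcmd} add 100 fwd "${inside}" tcp from any to me 80 in via "${ext_if}"
}

# Print the recommended variant when the script is run directly.
kernel_nat_rules
```

Use only one of the three rule sets at a time; they all use rule number 100 here.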



