Date: Fri, 12 Oct 2001 13:06:28 -0500
From: David Kelly <dkelly@hiwaay.net>
To: "Thomas T. Veldhouse" <veldy@veldy.net>
Cc: Alfatrion <alfatrion@cybertron.tmfweb.nl>, "Maine LOA List Admin (Brent Bailey)" <brentb@loa.com>, "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>, freebsd-stable@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW or IPFILTER?
Message-ID: <20011012130628.A11301@grumpy.dyndns.org>
In-Reply-To: <010001c15331$23f1da00$3028680a@tgt.com>; from veldy@veldy.net on Fri, Oct 12, 2001 at 10:18:17AM -0500
References: <20011012154307.O52936-100000@klima.physik.uni-mainz.de> <003601c15328$db264480$24b4a8c0@pretorian> <3BC700CE.8000201@cybertron.tmfweb.nl> <010001c15331$23f1da00$3028680a@tgt.com>
On Fri, Oct 12, 2001 at 10:18:17AM -0500, Thomas T. Veldhouse wrote:
> ipfw add check-state
> .
> .
> .
> ipfw add pass tcp from any to any via tun0 out keep-state
>
> However, if you plan to use NAT, I highly recommend IPFilter -- it is "in
> kernel", so there is not a transition from kernel -> userland -> kernel.
> Also, natd is quirky and can cause "failed to write back packet" (IIRC) when
> not configured "perfectly". The samples in the /etc/rc.firewall file cause
> this error message.

So what do you think is wrong with "failed to write back packet" messages? Only happens when the rules you wrote after the divert rule blocked the re-written natd'ed packet. Hopefully you do not believe a natd'ed packet should be passed no matter what?

The only problem I have with the "failed to write back packet" message is that it doesn't say enough about why the packet was dropped, or details about the packet which was dropped. The best "cure" I've found is to set natd's logging facility to "security" so both natd and ipfw log to /var/log/security (default /etc/syslog.conf), placing both what natd says and ipfw says close enough in one file to connect both views of the same incident.

As for the arguments about in-kernel vs user space, I only have 10 users behind my ipfw/natd P-III 500 MHz on cable modem and everybody is tickled with the performance. So I run the Distributed.net client crunching on rc5 to consume the rest of the cpu cycles. Stays about 98% "nice", maybe only 97% when the cable modem is maxed.

OTOH I do have a bone to pick with natd. The punch_fw option does not work with passive ftp. Gives WinX versions of IE hell but the MacOS version of IE 5 gets thru. Also FreeBSD's fetch fails in passive. Is not the hottest fire in my kitchen so I haven't delved further.
--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
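The correlation trick described in the message above (natd and ipfw both logging to /var/log/security so the two views of one dropped packet sit next to each other), as an added example that is not part of the thread: a small script that pairs each natd write-back failure with the ipfw deny lines logged within a couple of seconds of it. The ipfw lines follow the classic kernel log shape ("ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"); the exact wording of natd's failure line and the sample log itself are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/security with natd started using
# log_facility security. natd's message text is an assumption (the thread
# itself says "failed to write back packet (IIRC)"), so both orderings match.
SAMPLE_LOG = """\
Oct 12 13:06:28 grumpy /kernel: ipfw: 65000 Deny TCP 10.40.1.5:1034 208.0.0.9:80 out via tun0
Oct 12 13:06:28 grumpy natd[112]: failed to write packet back (Permission denied)
Oct 12 13:06:40 grumpy /kernel: ipfw: 65000 Deny UDP 10.40.1.7:137 10.40.1.255:137 in via fxp0
Oct 12 13:07:01 grumpy natd[112]: failed to write back packet (Permission denied)
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
IPFW_RE = re.compile(TS + r" \S+ \S+ ipfw: (\d+) (\w+) (\w+) (\S+) (\S+) (in|out) via (\S+)")
NATD_RE = re.compile(TS + r" \S+ natd\[\d+\]: failed to write (?:back packet|packet back)")


def _ts(text):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def correlate(log_text, window_s=2):
    """Return a list of (natd_failure_time, [ipfw deny records]) pairs.

    A deny record is attached to a natd failure when it was logged within
    window_s seconds of it. An empty list means ipfw logged no deny near the
    failure, so the cause must be looked for elsewhere (rule without 'log',
    a different interface, etc.)."""
    denies, failures = [], []
    for line in log_text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            if m.group(3).lower() == "deny":
                denies.append({"time": _ts(m.group(1)), "rule": int(m.group(2)),
                               "proto": m.group(4), "src": m.group(5), "dst": m.group(6),
                               "dir": m.group(7), "iface": m.group(8)})
            continue
        m = NATD_RE.match(line)
        if m:
            failures.append(_ts(m.group(1)))
    return [(t, [d for d in denies if abs((d["time"] - t).total_seconds()) <= window_s])
            for t in failures]


if __name__ == "__main__":
    for when, hits in correlate(SAMPLE_LOG):
        print(when.strftime("%b %d %H:%M:%S"), "natd write-back failure ->",
              hits or "no matching ipfw deny within window")
```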