Date: Wed, 18 Dec 1996 12:38:11 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: owensc@enc.edu (Charles Owens)
Cc: sos@freebsd.org, luigi@labinfo.iet.unipi.it, julian@whistle.com, wangel@wgrobez1.remote.louisville.edu, dnex@access.digex.net, current@freebsd.org, stable@freebsd.org
Subject: Re: IP masquerading (for a LAN, _not_ PPP)
Message-ID: <199612182038.MAA19182@bubba.whistle.com>
In-Reply-To: <Pine.FBS.3.93.961218075050.13422A-100000@dingo.its.enc.edu> from Charles Owens at "Dec 18, 96 08:00:23 am"

> Ok... help me out here: the 'ipfilter' package is _not_ a userland
> implementation, right? (just trying to put all of the pieces together
> here...)
>
> Why do some folks consider the DIVERT sockets with userland daemon
> approach better than other existing options, such as ipfilter? Or, more
> directly, why might I not want to use ipfilter to build a firewall for a
> large (hundreds of users) LAN? (pssst... not trying to start a war here)

It depends on what you're doing... if you're only going to use it,
then an integrated, debugged, fully functional kernel level
implementation is ideal. If you plan on doing development, debugging,
adding custom features, etc., or don't need high performance, then
a user land version is probably preferable... at least until you
get it all stable and working.

The only point I would argue is that putting the filter/translation
stuff inside the (user-land) ppp daemon combines the worst of both
worlds. Rather than doing this, it would make more sense to separate
it out into a standalone process (via divert sockets) so it can be
used more generally than just with PPP (cf. subject line of this thread).

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com