Date: Mon, 3 Dec 2001 13:34:12 +0100
From: Axel Scheepers <axel@axel.truedestiny.net>
To: Thor Legvold <tlegvold@hotmail.com>
Cc: friar_josh@webwarrior.net, freebsd-questions@FreeBSD.ORG
Subject: Re: Firewall rules (ipfw)
Message-ID: <20011203133412.A67078@mars.thuis>
In-Reply-To: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>; from tlegvold@hotmail.com on Sun, Dec 02, 2001 at 01:57:15PM +0000
References: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>

On Sun, Dec 02, 2001 at 01:57:15PM +0000, Thor Legvold wrote:
> Ok, back to the easy way :-) My link is more like a T1 speed (well, actually
> it's 2Mb/sec) and the FBSD server is a P3 450 with 128MB RAM, so I think it
> should be able to handle the traffic. I just figured that removing all
> non-gre traffic (at very least incoming) would both better security, improve
> nat/ipfw performance (lower the load) and simplify the ruleset following the
> nat translation.

What about ipfilter/ipnat combo for this setup?
ipfilter has way better performance than ipfw (or you should mess up the
config) since it doesn't have to copy packets from kernel to userland.
At home (cable) I use it on a 486-33/16MB. I had natd running for a while
but that caused a 100% cpu load when there was much traffic, now with ipnat
it never gets higher than 20% ;-)

Gr,
-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Test-tube babies shouldn't throw stones.
------------------------------------------