Date:      Mon, 3 Dec 2001 13:34:12 +0100
From:      Axel Scheepers <axel@axel.truedestiny.net>
To:        Thor Legvold <tlegvold@hotmail.com>
Cc:        friar_josh@webwarrior.net, freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall rules (ipfw)
Message-ID:  <20011203133412.A67078@mars.thuis>
In-Reply-To: <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>; from tlegvold@hotmail.com on Sun, Dec 02, 2001 at 01:57:15PM +0000
References:  <F96pgDidPIOumPx3KoA0001e57b@hotmail.com>

On Sun, Dec 02, 2001 at 01:57:15PM +0000, Thor Legvold wrote:
> Ok, back to the easy way :-)  My link is more like a T1 speed (well, actually 
> it's 2Mb/sec) and the FBSD server is a P3 450 with 128MB RAM, so I think it 
> should be able to handle the traffic. I just figured that removing all 
> non-gre traffic (at very least incoming) would both better security, improve 
> nat/ipfw performance (lower the load) and simplify the ruleset following the 
> nat translation.
What about ipfilter/ipnat combo for this setup? ipfilter has way better
performance than ipfw (or you should mess up the config) since it doesn't have
to copy packets from kernel to userland. At home (cable) I use it on a 486-33/
16MB. I had natd running for a while but that caused a 100% cpu load when
there was much traffic, now with ipnat it never gets higher than 20% ;-)
Gr,
-- 
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Test-tube babies shouldn't throw stones.
------------------------------------------
