 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Vincent Jardin <vjardin at wanadoo dot fr>
 Cc:  Serge Leschinsky <serge at artlife dot tomsknet dot ru>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] several PPTP client via NAT simultaneously
 Date:  Tue, 1 Jul 2003 21:58:25 +0200 (CEST)
On Tue, 1 Jul 2003, Vincent Jardin wrote:

> What about natd? According to the source code, it should support pptp.

It should, but forget about it - about the only reason why I went with
ipfilter and not ipfw+natd in m0n0wall is precisely natd. It sucks -
sorry, I can't find any other words to explain it. First of all it is
awfully slow because it's a userland program, and then there's that
braindead stuff with the rule order. Have fun with the divert rule - NAT
always happens when you don't want it, and it doesn't happen symmetrically
without some really ugly workarounds (like skip rules) - I mean NAT always
happens at the same point (before or after filter rules) for both in- and
outbound packets, and this breaks stateful filtering. Add to the fun
dummynet and IPsec processing...

It might work for simple rulesets, especially if you go without stateful
filtering, but for everything else, I think it's a nightmare (imagine not
being able to handwrite your rulesets, but having to write a generator
which transforms the webGUI-created ruleset into something that works with
ipfw+natd in all cases... *yuck*).

YMMV. ;)

- Manuel
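The ordering problem Manuel describes (a single divert rule means natd translates packets at the same point for both directions, so a keep-state filter sees the public address on the way out but the private address on the way back in) is easy to show with a toy model. The following is an added illustration, not code from the mail or from m0n0wall: it models natd as an in-process port map and ipfw's check-state/keep-state as a set of flow tuples, and compares "divert at the top for both directions" against "de-NAT inbound before filtering, NAT outbound after filtering". All addresses, ports and the two packets are constructed; the `symmetric` pipeline is the general ordering the mail argues for, not the specific skip-rule workaround it mentions.

```python
"""Toy model of why a single 'divert natd' rule breaks stateful filtering.

Simplifications (this is an illustration, not ipfw semantics): one external
interface, one LAN host, a single 'allow ip from any to any out keep-state'
rule plus 'check-state' and a default deny, and natd as a port map.
"""

PUBLIC_IP = "203.0.113.1"    # constructed documentation address (external side)
LAN_HOST = "192.168.1.5"     # constructed private address (LAN side)
SERVER = "198.51.100.7"      # constructed remote peer


class Natd:
    """Port-mapping NAT: rewrites the LAN source to the public IP on the way
    out and the public destination back to the LAN host on the way in."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.out_map = {}   # (priv_ip, priv_port) -> public port
        self.in_map = {}    # public port -> (priv_ip, priv_port)

    def translate(self, pkt):
        p = dict(pkt)
        if p["dir"] == "out":
            key = (p["src"], p["sport"])
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            p["src"], p["sport"] = self.public_ip, self.out_map[key]
        else:
            key = self.in_map.get(p["dport"])
            if key and p["dst"] == self.public_ip:
                p["dst"], p["dport"] = key
        return p


class StatefulFilter:
    """check-state / keep-state: any outbound packet creates a flow entry;
    inbound packets are accepted only if they match an entry in reverse."""

    def __init__(self):
        self.state = set()   # (src, sport, dst, dport) of permitted flows

    def decide(self, p):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["dst"], p["dport"], p["src"], p["sport"])
        if flow in self.state or reverse in self.state:
            return "allow"           # check-state matched a dynamic rule
        if p["dir"] == "out":
            self.state.add(flow)     # keep-state on the outbound allow rule
            return "allow"
        return "deny"                # default deny for unsolicited inbound


def natd_first(natd, fw, pkt):
    """One divert rule at the top: NAT runs before the filter in BOTH
    directions. The filter records the public address on the way out but
    sees the private address on the way in, so the reply never matches."""
    return fw.decide(natd.translate(pkt))


def symmetric(natd, fw, pkt):
    """Inbound: de-NAT, then filter. Outbound: filter, then NAT. The filter
    always sees private-side addresses, so state matches both ways."""
    if pkt["dir"] == "in":
        return fw.decide(natd.translate(pkt))
    verdict = fw.decide(pkt)
    if verdict == "allow":
        natd.translate(pkt)          # leaves translated; verdict already made
    return verdict


def run_session(pipeline):
    """Send one outbound packet and the peer's reply; return both verdicts."""
    natd = Natd(PUBLIC_IP)
    fw = StatefulFilter()
    out = {"dir": "out", "src": LAN_HOST, "sport": 51000,
           "dst": SERVER, "dport": 1723}
    v_out = pipeline(natd, fw, out)
    # The reply arrives addressed to the public IP and the mapped port.
    pub_port = natd.out_map[(LAN_HOST, 51000)]
    reply = {"dir": "in", "src": SERVER, "sport": 1723,
             "dst": PUBLIC_IP, "dport": pub_port}
    v_in = pipeline(natd, fw, reply)
    return v_out, v_in


if __name__ == "__main__":
    print("divert at top (both directions):", run_session(natd_first))
    print("NAT after filter out, before filter in:", run_session(symmetric))
```

Running it shows the first layout allowing the outbound packet and dropping the reply, while the symmetric layout allows both; that dropped reply is the "breaks stateful filtering" effect the mail refers to, and the reason a ruleset generator would have to special-case NAT placement for every rule.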