 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  Vincent Jardin <vjardin at wanadoo dot fr>, Serge Leschinsky <serge at artlife dot tomsknet dot ru>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] several PPTP client via NAT simultaneously
 Date:  Tue, 01 Jul 2003 13:17:55 -0700
Manuel Kasper wrote:

> It should, but forget about it - about the only reason why I went with
> ipfilter and not ipfw+natd in m0n0wall is precisely natd. It sucks -
> sorry, I can't find any other words to explain it. First of all it is
> awfully slow because it's a userland program, and then there's that
> braindead stuff with the rule order. Have fun with the divert rule

Manuel -

IMO your comments re: natd are out of line.  It isn't slow, there's
no detectable lag for my net4501 firewall between the packets
that are NAT'd and those that aren't.  Yes, ipfw2+dynamic rules+natd
is particularly subtle.  That hasn't stopped me from using
it successfully.

I use natd + ipfw2 and am completely pleased with it.

As for rule order, this isn't exactly rocket science -- put
accept rules for services on the firewall above the divert
rule(s) (you may have two or more),  most of everything else
belongs after.  If you are using stateful rules + natd, you
need to have a rule which permits all packets from the firewall
external addresses outbound on the external if, immediately after
the divert rule.

My measurements say it isn't "slow" -- that's a cognitive
illusion because you know it's a userland process.
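The rule ordering Michael describes (service accept rules above the divert rule, a rule permitting traffic from the firewall's own external address out the external interface immediately after it, stateful rules after that), written out as an ipfw2 + natd ruleset. This is an added example, not a ruleset from the post or from m0n0wall; the interface names, addresses and the two example services (ssh on 22, a UDP service on 1194) are assumptions. The `natd` name in the divert rule resolves through /etc/services (8668/divert) on FreeBSD.

```shell
#!/bin/sh
# Constructed example of ipfw2 + natd rule ordering.  Interface names,
# addresses and services below are assumptions, not taken from the post.

oif="${OIF:-sis0}"                # external interface (assumption)
oip="${OIP:-203.0.113.2}"         # firewall's external address (assumption)
iif="${IIF:-sis1}"                # internal interface (assumption)
inet="${INET:-192.168.1.0/24}"    # internal network (assumption)

# Print the ordered ruleset, one "ipfw add" argument list per line.
# Ordering is the point:
#   - services offered by the firewall itself are accepted BEFORE the
#     divert rule, so they match on the untranslated destination ${oip};
#   - the divert rule hands every packet crossing ${oif} to natd;
#   - natd re-injects a packet at the rule right after the divert rule,
#     and an outbound LAN packet now carries ${oip} as source, so the
#     very next rule must allow ip from ${oip} out xmit ${oif};
#   - check-state / keep-state rules come after that.
build_rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 allow tcp from any to ${oip} 22 in recv ${oif} setup keep-state
300 allow udp from any to ${oip} 1194 in recv ${oif} keep-state
1000 divert natd ip from any to any via ${oif}
1100 allow ip from ${oip} to any out xmit ${oif}
2000 check-state
2100 allow ip from ${inet} to any in recv ${iif} keep-state
2200 allow icmp from any to any icmptypes 0,3,8,11
65000 deny log ip from any to any
EOF
}

# Load the ruleset into the kernel.  FWCMD can be overridden (e.g. to
# "echo") for a dry run on a box without ipfw.
apply_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw -q}"
    ${fwcmd} -f flush
    build_rules | while read -r rule; do
        ${fwcmd} add ${rule}
    done
}

# Usage: sh this_script.sh apply    (or FWCMD=echo sh this_script.sh apply)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

With this layout an inbound SYN to port 22 matches rule 200 on the untranslated address and creates a dynamic rule; the firewall's own reply goes through the divert rule untouched and is passed by rule 1100. A LAN host's outbound packet is passed by rule 2100 on the inside interface, is translated by natd on the way out, and is then passed by rule 1100 because its source is now the external address; the reply is translated back by natd and matched by check-state.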