Manuel Kasper wrote:
> It should, but forget about it - about the only reason why I went with
> ipfilter and not ipfw+natd in m0n0wall is precisely natd. It sucks -
> sorry, I can't find any other words to explain it. First of all it is
> awfully slow because it's a userland program, and then there's that
> braindead stuff with the rule order. Have fun with the divert rule
Manuel -
IMO your comments re: natd are out of line. It isn't slow, there's
no detectable lag for my net4501 firewall between the packets
that are NAT'd and those that aren't. Yes, ipfw2+dynamic rules+natd
is particularly subtle. That hasn't stopped me from using
it successfully.
I use natd + ipfw2 and am completely pleased with it.
As for rule order, this isn't exactly rocket science -- put
accept rules for services on the firewall above the divert
rule(s) (you may have two or more), most of everything else
belongs after. If you are using stateful rules + natd, you
need to have a rule which permits all packets from the firewall
external addresses outbound on the external if, immediately after
the divert rule.
My measurements say it isn't "slow" -- that's a cognitive
illusion because you know it's a userland process.
Regards,
Michael
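The rule ordering described in the reply above (firewall-service accepts before the divert rule, a permit for the external address outbound immediately after it, everything else later), written out as a generator for an ipfw2 + natd ruleset. This is an added example, not a ruleset from the thread or from m0n0wall; the interface names, addresses and service ports are constructed placeholders, and the `check_order` function is a hypothetical helper that verifies the ordering invariants before the rules are loaded.

```sh
#!/bin/sh
# Added example (not from the original thread): emit an ipfw2 ruleset for use
# with natd in the order Michael describes, then sanity-check that order.
# All interface names, addresses and ports below are constructed placeholders.

EXT_IF="${EXT_IF:-sis0}"              # external interface (assumed name)
INT_IF="${INT_IF:-sis1}"              # internal (LAN) interface (assumed name)
EXT_IP="${EXT_IP:-203.0.113.2}"       # address natd translates to (constructed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal network (constructed)
FW_SERVICES="${FW_SERVICES:-22 443}"  # TCP ports served by the firewall itself

# Print the ruleset, one ipfw command per line, lowest rule number first.
gen_ruleset() {
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"

    # 1. Accept rules for services on the firewall go ABOVE the divert rule(s).
    n=200
    for p in $FW_SERVICES; do
        echo "ipfw add $n allow tcp from any to $EXT_IP $p in via $EXT_IF setup keep-state"
        n=$((n + 10))
    done

    # 2. The divert rule hands every packet crossing the external interface to natd.
    echo "ipfw add 1000 divert natd ip from any to any via $EXT_IF"

    # 3. With stateful rules, permit everything from the external address
    #    outbound on the external interface immediately after the divert:
    #    post-NAT packets carry EXT_IP as source and match no dynamic rule.
    echo "ipfw add 1010 allow ip from $EXT_IP to any out via $EXT_IF"

    # 4. Most of everything else belongs after the divert. LAN traffic is
    #    matched (and its dynamic rule created) on the inbound pass on INT_IF,
    #    before the packet reaches the divert on its way out.
    echo "ipfw add 2000 check-state"
    echo "ipfw add 2010 allow ip from $LAN_NET to any in via $INT_IF keep-state"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Verify the ordering invariants on a ruleset read from stdin (exit 0 = ok):
#   - no firewall-service accept rule appears after the divert rule
#   - the rule immediately after the divert permits EXT_IP outbound via EXT_IF
check_order() {
    awk -v ip="$EXT_IP" -v ifc="$EXT_IF" '
    /^ipfw add / {
        rule = $0
        if (rule ~ /divert natd/) { divert = 1; want_next = 1; next }
        if (want_next) {
            want_next = 0
            if (rule !~ ("allow ip from " ip " to any out via " ifc)) bad = 1
        }
        # a service accept that shows up after the divert is misordered
        if (divert && rule ~ ("allow tcp from any to " ip)) bad = 1
    }
    END { if (bad || !divert) exit 1; exit 0 }'
}

# Usage on the firewall:  . ./ruleset.sh; gen_ruleset | check_order && gen_ruleset | sh
```

Run `gen_ruleset` first to review the generated commands; `check_order` is meant as a guard in a deployment script so that a hand-edited ruleset that drifts from the ordering above is caught before it is loaded.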