Brett Glass wrote:
I'm working with a FreeBSD-based router that's using IPFW for policy
routing, traffic shaping, and transparent proxying and natd for network
address translation. IPFW does these things pretty well (in fact, I
don't know if another firewall, like pf, could even do some of these
things I'm doing with IPFW), but natd is by far the most CPU-intensive
process on the system and is causing it to crumple like a wet towel
under heavy loads. How can I replace just the functionality of natd
without moving to an entirely new firewall? Can I still select which
packets are routed to the NAT engine, and when this occurs during the
processing of the packet?
--Brett Glass
one thing that you need to make sure of is that only the packets that
have potential of being of interest to natd are passed to natd.
i.e. be VERY specific in your natd rules.
ipfw add 1000 divert natd ip from any to any out recv {inner-interface} xmit {outer-interface}
ipfw add 1001 divert natd ip from any to {inner-interface-address} in recv {outer-interface}
don't waste natd's time with packets it doesn't care about.
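As an added illustration of the advice above (example script, not something from this thread or from the FreeBSD project): a small sh script that generates the two direction-specific divert rules from interface names and the address natd translates to, prints them for review, and only runs them when APPLY=1 is set. Interface names em0/em1 and the address 203.0.113.1 are placeholders; NAT_ADDR is assumed to be whatever address natd is configured to rewrite to (the one given to natd -a or -n). After loading, `ipfw -a list` shows per-rule packet counters, so you can confirm that rules 1000 and 1001 are the only ones diverting and that their counts track real cross-boundary traffic rather than everything passing the box.

```shell
#!/bin/sh
# Added example: emit a minimal IPFW divert ruleset that hands natd only the
# packets it actually has to translate. Interface names and NAT_ADDR are
# placeholders, not values from the thread.
#
# Usage: sh natd_rules.sh em0 em1 203.0.113.1        # print the rules
#        APPLY=1 sh natd_rules.sh em0 em1 203.0.113.1 # print and load them

# natd_divert_rules INNER_IF OUTER_IF NAT_ADDR
# Prints (does not execute) the ipfw commands so they can be reviewed first.
natd_divert_rules() {
    inner="$1"; outer="$2"; nat_addr="$3"
    # Outbound: only packets that arrived on the inside interface and are
    # leaving through the outside one. Inside-to-inside and router-local
    # traffic never matches, so natd never sees it.
    echo "ipfw add 1000 divert natd ip from any to any out recv $inner xmit $outer"
    # Inbound: only packets arriving on the outside interface addressed to the
    # translated address (assumed here to be the address natd rewrites to).
    # Packets for other destinations are left alone.
    echo "ipfw add 1001 divert natd ip from any to $nat_addr in recv $outer"
}

# count_divert_rules INNER_IF OUTER_IF NAT_ADDR
# Sanity check for the generator: number of divert rules it emits.
count_divert_rules() {
    natd_divert_rules "$@" | grep -c 'divert natd'
}

# show_divert_counters
# After loading, list only the divert rules with their packet/byte counters
# (requires ipfw on the host; not run here).
show_divert_counters() {
    ipfw -a list | grep 'divert natd'
}

if [ "$#" -eq 3 ]; then
    natd_divert_rules "$@"
    if [ -n "$APPLY" ]; then
        natd_divert_rules "$@" | sh
        show_divert_counters
    fi
fi
```

The two rules should sit before any broad allow rule so the divert happens first; a rule like `divert natd ip from any to any via em1` would also catch router-local and reply traffic that natd has no reason to inspect.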
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"