
List:       ipfilter
Subject:    Re: NAT/map rules too primitive ...
From:       Clayton Fiske <clay () bloomcounty ! org>
Date:       2001-04-30 18:07:55

On Sat, Apr 28, 2001 at 11:51:08AM +0700, Igor Podlesny wrote:
> 
> > However, I do have one "complaint." I think that the NAT rules are
> > too primitive
> 
> I do absolutely agree. They are, and this is why, after switching to
> IPNAT, I came back to the ipfw/NATd pair, still using ipfilter, though...
> 
> Two things I'd add:
> 
>  1) the strange need to specify the NAT interface (map on XXX)... why is that?

I think this is reasonable. It ensures that ipnat only has to bother with
packets on the external interface. No need to check all packets going
through all interfaces.

>  2) why not use its IP address instead of the NIC name, as the mentioned
> IPFW does?

An interface is much simpler to deal with. IP addresses can change, while
interface names don't. If you only go by IP, ipnat has to look at
packets on all interfaces (or do a lookup, but that doesn't work if
IPs change). As I mentioned above, there is no need to bother. It's much more
efficient to only deal with the external interface(s), since you know
all traffic that has to be NAT'd will go through there.

-c
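As an added illustration of the two points above (the interface name in the rule, and the interface address changing underneath it), here is a minimal ipnat.conf. It is not from the original thread or from the IPFilter distribution; the interface name fxp0, the internal subnet 192.168.1.0/24 and the port range are assumptions. The `0/32` target is IPFilter's documented way of saying "use whatever address the named interface currently has", which is how a `map` rule copes with a dynamic external address without naming the address at all.

```conf
# /etc/ipnat.conf (example, assumed topology: fxp0 = external, 192.168.1.0/24 = LAN)
#
# Rules are keyed by the external interface; ipnat only inspects packets
# crossing fxp0, so traffic on the LAN side is never examined for NAT.
#
# 0/32 = "the address currently assigned to fxp0", so the rule survives a
# DHCP/PPP address change without being rewritten.

# TCP/UDP: rewrite source ports into a fixed range so the translation
# table can disambiguate many internal hosts behind one address.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000

# Everything else (ICMP etc.): plain address translation, no port rewrite.
map fxp0 192.168.1.0/24 -> 0/32
```

Load or reload it with `ipnat -CF -f /etc/ipnat.conf` and confirm with `ipnat -l`. One caveat that follows from the "addresses change" argument: IPFilter resolves `0/32` against its own in-kernel copy of the interface list, so after the external address changes (PPP reconnect, DHCP renewal) run `ipf -y` to resync that list; otherwise the rule can keep translating to the old address until the rules are reloaded.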
