Quoting Vector <freebsd_at_itpsg.com>:

> Several reasons:
>
> Having it in the kernel improves performance

It also avoids at least 2 context switches per packet... one when the packet goes into natd and one when it goes back to the kernel.

> natd chokes on the latest windoze worms and I have implemented some DoS
> prevention/worm protection in ipnat but I'm seeing this memory leak without
> my improvements there at all.
>
> If it's in the kernel, ipnat is kept under control when natd would normally
> be sucking the CPU dry and preventing things like remote logins, very
> sluggish updates, etc...
>
> and others I don't particularly want to go into at the moment.
>
> vec

Not to mention the syntax for doing things like stateful firewalling is much more sane, and the fact that you can view the firewall state-table in near real-time using ipfstat -t (top style viewing).

Ken

Received on Thu Oct 09 2003 - 05:04:00 UTC
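An ipf/ipnat configuration of the kind Ken describes (stateful outbound rules, in-kernel NAT, and the live state-table view), added here as an illustration and not taken from the thread; the interface name fxp0 and the 192.168.1.0/24 LAN are assumed:

```conf
# /etc/ipf.rules (constructed example; fxp0 and 192.168.1.0/24 are assumed)
# Default-deny inbound and log what is dropped, so the state table carries
# the whole policy and no unsolicited inbound packet is accepted.
block in log all

# Loopback is trusted unconditionally.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound connections create state; replies are matched against the
# state table instead of needing a separate inbound pass rule.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# /etc/ipnat.rules (constructed example)
# Translate the LAN to fxp0's own address; the portmap rule handles
# tcp/udp, the second rule covers the remaining protocols (e.g. icmp).
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.0/24 -> 0/32

# Loading and checking (run as root):
#   ipf -Fa -f /etc/ipf.rules       # flush and load the filter rules
#   ipnat -CF -f /etc/ipnat.rules   # flush rules and mappings, load NAT rules
#   ipfstat -t                      # top-style live view of the state table
#   ipnat -l                        # list the active NAT mappings
```

Because every outbound session is stateful, ipfstat -t shows each connection's state entry appear and time out in real time, which is the view Ken refers to.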
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:24 UTC