IPFW with user-ppp's NAT

CyberLeo Kitsana cyberleo at cyberleo.net
Mon Mar 17 10:37:38 UTC 2008

Erik Trulsson wrote:
> On Sun, Mar 16, 2008 at 04:37:18PM +0100, Wojciech Puchar wrote:
>>> Frankly I'm a bit surprised that this hasn't been more widely heralded,
>>> as userland natd is often given as a reason to prefer other firewalls,
>> what's wrong in userland natd?
> Performance.  With userland natd, every packet that passes through natd
> must pass from kernel to userland (causing one context switch) and back
> again (causing another context switch).  This will be slower and use more
> CPU than doing it all inside the kernel, without any context switches.

Online reconfiguration. Userland natd requires a restart (and a loss of 
all nat state information) when you want to change forwarded ports and 
such, whereas the in-kernel NAT engines (in ipf and pf, at least) 
support reconfiguration without flushing state. To a large extent, at least.

Fuzzy love,
Technical Administrator
CyberLeo.Net Webhosting
<CyberLeo at CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/

More information about the freebsd-questions mailing list