Re: Policy NAT, pools etc. Is netfilter for me?

Ok, just found this in a recent list reply to a similar question:

> ip route add local <address>/<mask> table local dev <interface>
>
> This way <address>/<mask> will be considered local by the system which will reply to ARP requests for it, actually usable by any local process, but won't appear assigned to <interface> so chances are that no local process will use it unless told explicitly.

So, it looks like this is a project worth spending lab time on.  I
tested the above on a Debian box under my desk at work and that worked
as far as responding to ARP.


See, here is the "thing" ... the NAT function is the most expensive
operation in my network.  I have one site where I have spent in excess
of $100K for hardware to simply perform outbound NAT functionality.
In most cases I have to buy hardware with a bazillion features I don't
use in order to get the NAT throughput that I do need.  When we got to
the point where we ran out of CPU on Cisco ASA 5550 units, I decided
there had to be a better (and less expensive) way. Even if I have to
spread things over several boxes, it would still come out cheaper than
a $80,000 load balancer or full featured firewall being used for
nothing but NAT. In that segment of the network a fully featured
firewall is overkill as the rule is very simple; NAT all connections
outbound, deny all connections inbound. In dollars per packet, NAT is
more expensive than firewalling, routing, or anything else in the
network.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
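The local-route trick quoted above, written up as an added example (not code from the post or the list): it turns a spare block into an outbound SNAT pool that the kernel will answer ARP for without assigning it to the NIC, prints the commands instead of running them, and includes a check against `ip route show table local` output. The pool 198.51.100.16/28 and the interface name eth1 are assumed values, and the sample route-table text is constructed.

```shell
#!/bin/sh
# Assumed: the upstream router sits on the same L2 segment as eth1, so an
# ARP reply for the pool is all it needs to deliver return traffic here.

ip2int() {  # dotted quad -> 32-bit integer
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# First and last usable address of a CIDR block, as "a.b.c.d-w.x.y.z" for
# iptables --to-source. Network and broadcast are skipped for blocks
# larger than /31, since peers may refuse them as source addresses.
pool_range() {
    hostbits=$(( 32 - ${1#*/} ))
    size=$(( 1 << hostbits ))
    net=$(( $(ip2int "${1%/*}") / size * size ))   # clear the host bits
    if [ "$size" -gt 2 ]; then
        first=$(( net + 1 )); last=$(( net + size - 2 ))
    else
        first=$net; last=$(( net + size - 1 ))
    fi
    echo "$(int2ip "$first")-$(int2ip "$last")"
}

# Print the commands for pool $1 on external interface $2 (pipe to sh as
# root to apply). Policy matches the post: NAT all outbound, deny inbound.
nat_pool_setup() {
    range=$(pool_range "$1")
    cat <<EOF
ip route add local $1 table local dev $2
iptables -t nat -A POSTROUTING -o $2 -j SNAT --to-source $range
iptables -A FORWARD -i $2 -m conntrack --ctstate NEW -j DROP
EOF
}

# Check: does the text of 'ip route show table local' ($2) carry pool $1
# as a local route? Returns 0 if so, 1 otherwise.
pool_is_local() {
    printf '%s\n' "$2" | grep -q "^local $1 dev "
}

# Constructed sample of what the local table looks like once applied.
SAMPLE_TABLE="local 198.51.100.16/28 dev eth1 scope host
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1"
```

Before relying on it, confirm the upstream actually learns the pool addresses (an ARP lookup from the router side) and that rp_filter on eth1 does not drop the returning packets.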