Building a Secure Gateway with FreeBSD [Original]
1) NAT could use a tremendous amount of CPU power according to the IP addresses it is translating and the actual bandwidth, and so does the network byte order translation. Plus, the CPU has to handle firewall rule sets. In order to achieve a certain performance, the box needs heavy CPU power and quite an amount of RAM as packet buffer. Otherwise the gateway would be slow and become a bottleneck, even dropping packets.
2) It would be better to add another card and put the web server on a different IP network (so-called DMZ) with different security rule sets. Of course, it will add more burden on that box.
3) Squid is a good idea, but it could be done with another box. The idea of this is shutting down the NAT for all of the other boxes on the LAN except the NAT for the Squid box. So whoever wants to browse the Internet has to point their browser to the proxy server.
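The three-interface layout described in points 2 and 3 can be expressed as a single FreeBSD pf ruleset. The configuration below is an added example and is not from the original post or its author; it assumes pf is available on the gateway (ipfw with natd was the other common choice), and the interface names, network addresses, proxy host and web server address are all made-up placeholders to be replaced with the real topology.

```pf
# Added example, not from the original post: pf.conf for a FreeBSD gateway with
# a separate DMZ card and NAT restricted to the Squid box.
# All interface names and addresses below are assumptions.
ext_if  = "em0"              # uplink to the ISP
lan_if  = "em1"              # internal LAN (assumed 192.168.1.0/24)
dmz_if  = "em2"              # second card for the DMZ (assumed 10.0.0.0/24)
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"
proxy   = "192.168.1.10"     # the Squid box on the LAN (assumed address)
web_srv = "10.0.0.80"        # the web server living in the DMZ (assumed address)

set skip on lo0
scrub in all

# Point 3: translate only the proxy host. Every other LAN machine stays
# untranslated, so its packets cannot reach the Internet and users must
# point their browsers at Squid. Traffic from LAN clients to the proxy stays
# on the LAN segment and never crosses this box, so no rule is needed for it.
nat on $ext_if from $proxy to any -> ($ext_if)

# Point 2: the DMZ web server is reachable from outside on port 80 only.
# Its private address is exposed with a single rdr, not by NATing the DMZ.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny on every interface; each allowed flow is listed explicitly.
block all

# A compromised DMZ host must never be able to initiate toward the LAN;
# log the attempts so the firewall log can serve as an alarm.
block return log quick on $dmz_if from $dmz_net to $lan_net

# Only the proxy may leave the LAN (DNS, HTTP, HTTPS, whatever Squid needs).
pass in  on $lan_if from $proxy to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Inbound web traffic: after rdr the destination is already $web_srv.
pass in  on $ext_if proto tcp from any to $web_srv port 80 keep state
pass out on $dmz_if proto tcp from any to $web_srv port 80 keep state
```

Because `block all` comes first and only the proxy's address appears in a `pass` rule toward `$ext_if`, a LAN workstation that tries to bypass Squid is dropped at the gateway rather than silently translated; the logged DMZ-to-LAN block is the one rule worth watching in the firewall logs, since a hit there means the web server is trying to talk to something it never should.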