
Re: [K12OSN] CIPA and Squidguard



On Mon, 31 Mar 2003, Ryan Collins wrote:

>Mike Rambo said:
>> Even the consultant we had assisting
>> didn't give ipchains a second thought when he discovered it appeared to
>> support port forwarding similarly to iptables. The thing is, ipchains
>> doesn't work right. Using ipchains brought the system to its knees in
>> less than two minutes once we redirected all our http traffic to it. I
>> went through this for the better part of a week until our consultant
>> (president of a mid-Michigan ISP who was donating time to help us out)
>> came back in and redid the whole thing per the howto and figured out
>> ipchains had been the problem.
>>
>> All this to say that an explicit warning against using ipchains may help
>> out someone else who is tempted to do what we did out of convenience.
>
>Can I ask what issues you were having? We've been using ipchains to
>transparently proxy our network for 2 1/2 years now and haven't had a
>problem (~600 machines, around half active on the net at a time).
>

Are you using a 2.2.x kernel?

ipchains is the native firewall in the 2.2.x kernels.

iptables is the native firewall in the 2.4.x kernels.

The 2.4.x kernels also have an ipchains emulation mode that more-or-less
maps the ipchains behavior on top of iptables. This emulation mode is
less efficient than ipchains in the 2.2.x kernels. Depending on what
you are doing, this can really kill performance.

-Eric




