Date: Fri, 11 Mar 2016 15:46:41 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Mark Felder <feld@FreeBSD.org>
Cc: Don Lewis <truckman@FreeBSD.org>, Julian Elischer <julian@FreeBSD.org>, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com
Subject: Re: ipfw dummynet vs. kernel NAT and firewall rules
Message-ID: <20160311151935.N61428@sola.nimnet.asn.au>
In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > On 9 Mar, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > >> On 9 Mar, Don Lewis wrote:
> > > >>> On 9 Mar, Freddie Cash wrote:
> > > >>>>
> > > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> > > >>>
> > > >>> Aha, I've got it set to 1.
> >
> > I observe that in 99 cases out of 100, the default of 1 is undesired,
> > but it's too late to do anything but advise people - thanks Freddie!
>
> Is there any reason why we shouldn't just change the default for
> 11-RELEASE?

Julian fortunately said why more succinctly than I could have :)

Perhaps we could add to rc.firewall, just as an example where NAT (either
in-kernel or natd) is enabled and where it's being set up:

	${fwcmd} disable one_pass

would at least indicate that it's generally the Right Thing To Do in the
NAT case, but we have no dummynet examples, let alone the several other
overloaded uses of one_pass, so still have to rely on folklore ..

That said, I've had zero success in offering a patch to rc.firewall,
enabling kernel NAT in the 'simple' ruleset .. which Don figured out
anyway.

Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset
fails to allow any ICMP traffic at all?

cheers, Ian