Date:      Fri, 11 Mar 2016 15:46:41 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Mark Felder <feld@FreeBSD.org>
Cc:        Don Lewis <truckman@FreeBSD.org>, Julian Elischer <julian@FreeBSD.org>, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com
Subject:   Re: ipwf dummynet vs. kernel NAT and firewall rules
Message-ID:  <20160311151935.N61428@sola.nimnet.asn.au>
In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
References:  <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>

On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
 > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
 > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
 > >  > On  9 Mar, Don Lewis wrote:
 > >  > > On  9 Mar, Don Lewis wrote:
 > >  > >> On  9 Mar, Don Lewis wrote:
 > >  > >>> On  9 Mar, Freddie Cash wrote:
 > >  > >>>> 
 > >  > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
 > >  > >>> 
 > >  > >>> Aha, I've got it set to 1.
 > > 
 > > I observe that in 99 cases out of 100, the default of 1 is undesired,
 > > but it's too late to do anything but advise people - thanks Freddie!

 > Is there any reason why we shouldn't just change the default for
 > 11-RELEASE?

Julian fortunately said why more succinctly than I could have :)

Perhaps we could add to rc.firewall, just as an example where NAT 
(either in-kernel or natd) is enabled and where it's being set up:

  ${fwcmd} disable one_pass

would at least indicate that it's generally the Right Thing To Do in 
the NAT case, but we have no dummynet examples, let alone the several 
other overloaded uses of one_pass, so still have to rely on folklore ..

That said, I've had zero success in offering a patch to rc.firewall, 
enabling kernel NAT in the 'simple' ruleset .. which Don figured out 
anyway.

Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset 
fails to allow any ICMP traffic at all?

cheers, Ian
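An rc.firewall-style fragment illustrating the suggestion above (kernel NAT with one_pass disabled, plus the ICMP rule the 'simple' ruleset lacks), as an added example that is not from this thread or from FreeBSD's rc.firewall; the interface name, rule numbers, ICMP types and the dry-run default for fwcmd are assumptions:

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall. By default fwcmd only echoes
# the ipfw commands (dry run); export fwcmd=/sbin/ipfw to apply them.
fwcmd="${fwcmd:-echo ipfw}"

# Emit a minimal kernel-NAT ruleset for outside interface $1 (assumed name).
nat_rules() {
    oif="$1"
    ${fwcmd} -f flush
    # With one_pass=1 (the default) a packet matching 'nat 1' below is
    # accepted right there and the rules after it are never evaluated.
    # With one_pass=0 the translated packet continues down the ruleset.
    ${fwcmd} disable one_pass
    ${fwcmd} nat 1 config if "${oif}" reset same_ports
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 nat 1 ip from any to any via "${oif}"
    # These only take effect because one_pass is off.
    ${fwcmd} add 300 allow tcp from any to any established
    ${fwcmd} add 400 allow tcp from any to any out via "${oif}" setup
    # The stock 'simple' ruleset allows no ICMP at all; permit echo reply,
    # unreachable (path MTU discovery), echo request and time exceeded.
    ${fwcmd} add 500 allow icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add 65000 deny log ip from any to any
}

# Return 0 when a 'sysctl net.inet.ip.fw.one_pass' output line shows the
# default of 1, which is usually wrong once nat or dummynet rules exist.
one_pass_is_default() {
    case "$1" in
        *"one_pass: 1"*|*"one_pass=1"*) return 0 ;;
        *) return 1 ;;
    esac
}

nat_rules "${1:-em0}"
```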