Date:      Thu, 10 Mar 2016 23:32:31 -0800 (PST)
From:      Don Lewis <truckman@FreeBSD.org>
To:        smithi@nimnet.asn.au
Cc:        feld@FreeBSD.org, julian@FreeBSD.org, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com
Subject:   Re: ipwf dummynet vs. kernel NAT and firewall rules
Message-ID:  <201603110732.u2B7WVNN017306@gw.catspoiler.org>
In-Reply-To: <20160311151935.N61428@sola.nimnet.asn.au>

On 11 Mar, Ian Smith wrote:
> On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
>  > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
>  > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
>  > >  > On  9 Mar, Don Lewis wrote:
>  > >  > > On  9 Mar, Don Lewis wrote:
>  > >  > >> On  9 Mar, Don Lewis wrote:
>  > >  > >>> On  9 Mar, Freddie Cash wrote:
>  > >  > >>>> 
>  > >  > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>  > >  > >>> 
>  > >  > >>> Aha, I've got it set to 1.
>  > > 
>  > > I observe that in 99 cases out of 100, the default of 1 is undesired,
>  > > but it's too late to do anything but advise people - thanks Freddie!
> 
>  > Is there any reason why we shouldn't just change the default for
>  > 11-RELEASE?
> 
> Julian fortunately said why more succinctly than I could have :)
> 
> Perhaps we could add to rc.firewall, just as an example where NAT 
> (either in-kernel or natd) is enabled and where it's being setup:
> 
>   ${fwcmd} disable one_pass
> 
> would at least indicate that it's generally the Right Thing To Do in 
> the NAT case, but we have no dummynet examples, let alone the several 
> other overloaded uses of one_pass, so still have to rely on folklore ..
> 
> That said, I've had zero success in offering a patch to rc.firewall, 
> enabling kernel NAT in the 'simple' ruleset .. which Don figured out 
> anyway.
> 
> Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset 
> fails to allow any ICMP traffic at all?

Yes, I noticed that.  My local version is fixed.
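The two points raised in the thread, disabling one_pass wherever in-kernel NAT is configured and letting ICMP through, shown as an rc.firewall-style fragment. This is an added example and is not code from the thread or from FreeBSD's rc.firewall; the interface name em0, the inside network, the rule numbers, the ICMP type list and the FW_DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall: an
# rc.firewall-style fragment for the in-kernel NAT case that turns
# one_pass off before the nat rule and passes the ICMP types a gateway
# needs. Interface, inside network, rule numbers and ICMP types are
# assumptions.

# rc.firewall drives ipfw through ${fwcmd}; here it defaults to a dry run
# that prints the commands so the fragment can be reviewed on any host.
# Set FW_DRY_RUN= (empty) on a FreeBSD gateway to actually load it.
FW_DRY_RUN=${FW_DRY_RUN-yes}
if [ -n "${FW_DRY_RUN}" ]; then
    fwcmd="echo /sbin/ipfw -q"
else
    fwcmd="/sbin/ipfw -q"
fi

# load_nat_ruleset OUTSIDE_IF INSIDE_NET
load_nat_ruleset() {
    oif=${1:-em0}                 # assumed outside interface
    inet=${2:-192.168.1.0/24}     # assumed inside network (for comments/logs)

    ${fwcmd} -f flush

    # With net.inet.ip.fw.one_pass=1 (the default) a packet accepted by a
    # nat (or dummynet) rule leaves ipfw immediately, so every rule below
    # the nat rule is skipped for translated traffic. Turn it off so the
    # translated packet is re-injected and keeps walking the ruleset.
    ${fwcmd} disable one_pass

    ${fwcmd} nat 1 config if "${oif}" reset same_ports
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Translate on the outside interface; because one_pass is off the
    # packet continues at rule 500 carrying its translated addresses
    # (so rule 500 must not match on ${inet}, which is already rewritten).
    ${fwcmd} add 400 nat 1 ip from any to any via "${oif}"
    ${fwcmd} add 500 allow ip from any to any out via "${oif}"
    ${fwcmd} add 600 allow tcp from any to any established
    # The 'simple' ruleset discussed above passes no ICMP at all; allow
    # echo reply/request, unreachable (path MTU discovery) and TTL
    # exceeded so ping, traceroute and PMTUD keep working.
    ${fwcmd} add 700 allow icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add 65000 deny log ip from any to any
}

# check_nat_ruleset RULES_TEXT: succeeds only when the (dry-run) output
# disables one_pass before its first nat rule and passes some ICMP, the
# sanity check a reviewer of such a fragment would want.
check_nat_ruleset() {
    rules=$1
    disable_line=$(printf '%s\n' "$rules" | grep -n 'disable one_pass' | head -n1 | cut -d: -f1)
    nat_line=$(printf '%s\n' "$rules" | grep -n ' add [0-9]* nat ' | head -n1 | cut -d: -f1)
    [ -n "$disable_line" ] && [ -n "$nat_line" ] && [ "$disable_line" -lt "$nat_line" ] || return 1
    printf '%s\n' "$rules" | grep -q ' allow icmp ' || return 1
    return 0
}

# Usage (dry run): load_nat_ruleset em0 192.168.1.0/24
```

Run it as-is to print the rules for review; on a FreeBSD gateway, FW_DRY_RUN= ./fragment.sh loads them. The check function is deliberately strict about ordering, because a `disable one_pass` placed after the nat rule still leaves the first pass through the NAT'ed traffic unfiltered until the next reload.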