From owner-freebsd-ipfw@freebsd.org Fri Mar 11 07:32:43 2016
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AA4C3ACC915; Fri, 11 Mar 2016 07:32:43 +0000 (UTC) (envelope-from truckman@FreeBSD.org)
Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 89F59F36; Fri, 11 Mar 2016 07:32:43 +0000 (UTC) (envelope-from truckman@FreeBSD.org)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u2B7WVNN017306; Thu, 10 Mar 2016 23:32:35 -0800 (PST) (envelope-from truckman@FreeBSD.org)
Message-Id: <201603110732.u2B7WVNN017306@gw.catspoiler.org>
Date: Thu, 10 Mar 2016 23:32:31 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: smithi@nimnet.asn.au
cc: feld@FreeBSD.org, julian@FreeBSD.org, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com
In-Reply-To: <20160311151935.N61428@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
X-List-Received-Date: Fri, 11 Mar 2016 07:32:43 -0000

On 11 Mar, Ian Smith wrote:
> On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
>  > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
>  > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
>  > > > On 9 Mar, Don Lewis wrote:
>  > > > > On 9 Mar, Don Lewis wrote:
>  > > > >> On 9 Mar, Don Lewis wrote:
>  > > > >>> On 9 Mar, Freddie Cash wrote:
>  > > > >>>>
>  > > > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>  > > > >>>
>  > > > >>> Aha, I've got it set to 1.
>  > >
>  > > I observe that in 99 cases out of 100, the default of 1 is undesired,
>  > > but it's too late to do anything but advise people - thanks Freddie!
>  >
>  > Is there any reason why we shouldn't just change the default for
>  > 11-RELEASE?
>
> Julian fortunately said why more succinctly than I could have :)
>
> Perhaps we could add to rc.firewall, just as an example where NAT
> (either in-kernel or natd) is enabled and where it's being set up:
>
> ${fwcmd} disable one_pass
>
> would at least indicate that it's generally the Right Thing To Do in
> the NAT case, but we have no dummynet examples, let alone the several
> other overloaded uses of one_pass, so we still have to rely on folklore ..
>
> That said, I've had zero success in offering a patch to rc.firewall,
> enabling kernel NAT in the 'simple' ruleset .. which Don figured out
> anyway.
>
> Oh, and Don: I suppose you noticed that the rc.firewall 'simple' ruleset
> fails to allow any ICMP traffic at all?

Yes, I noticed that.  My local version is fixed.
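The ruleset below is an added example, not code from this thread, from rc.firewall or from the FreeBSD project. It shows the two points the thread raises together: `disable one_pass` issued before the in-kernel NAT rules, and explicit ICMP rules that the stock 'simple' ruleset lacks. With one_pass left at 1, a packet leaving the `nat` action (or a dummynet pipe) is accepted right there, so the inbound `nat 1 ... in` rule silently becomes an "allow everything in" rule and the check-state and deny rules after it never run; with one_pass at 0 the packet is reinjected at the next rule. Interface names (em0 outside, em1 inside), the inner network 192.168.1.0/24 and the rule numbers are assumptions for illustration. By default the function only echoes the ipfw commands; set FWCMD=ipfw as root on a FreeBSD host to apply them.

```shell
#!/bin/sh
# Added example: ipfw in-kernel NAT gateway ruleset with one_pass disabled
# and ICMP allowed.  Not from the thread or from rc.firewall.
# Interface names, inner network and rule numbers are assumptions.
#
# Dry run by default (prints the commands).  FWCMD=ipfw applies them.

build_nat_rules() {
    fwcmd="${FWCMD:-echo ipfw}"
    oif="${OIF:-em0}"                 # assumed outside interface
    iif="${IIF:-em1}"                 # assumed inside interface
    inet="${INET:-192.168.1.0/24}"    # assumed inner network

    ${fwcmd} -q -f flush

    # Default one_pass=1 accepts a packet as soon as it leaves the nat
    # action or a dummynet pipe, so rule 100 below would accept every
    # inbound packet on the outside interface, translated or not.
    # Disabling it reinjects the packet at the next rule instead.
    ${fwcmd} disable one_pass

    ${fwcmd} nat 1 config if "${oif}" reset same_ports unreg_only

    # Untranslate inbound packets first so the later rules see the
    # real inside destination; with one_pass=0 the packet continues
    # at rule 200.
    ${fwcmd} add 100 nat 1 ip4 from any to any in via "${oif}"
    ${fwcmd} add 200 check-state

    # Loopback and LAN-side traffic are not filtered here.
    ${fwcmd} add 300 allow ip from any to any via lo0
    ${fwcmd} add 310 allow ip from any to any via "${iif}"

    # The stock 'simple' ruleset allows no ICMP at all.  Echo reply,
    # destination unreachable (path MTU discovery) and time exceeded
    # (traceroute) must get back in after rule 100 untranslates them.
    ${fwcmd} add 400 allow icmp from any to any in via "${oif}" icmptypes 0,3,11

    # Outbound from inside: record state, then jump to the outbound
    # nat rule rather than 'allow', which would skip translation.
    ${fwcmd} add 500 skipto 1000 tcp from "${inet}" to any out via "${oif}" setup keep-state
    ${fwcmd} add 510 skipto 1000 udp from "${inet}" to any out via "${oif}" keep-state
    ${fwcmd} add 520 skipto 1000 icmp from "${inet}" to any out via "${oif}" icmptypes 8

    # Everything else that reached this point is dropped.  With
    # one_pass=1 untranslated inbound packets never get here.
    ${fwcmd} add 900 deny log ip from any to any

    # Translate outbound packets; one_pass=0 sends them on to 1010.
    ${fwcmd} add 1000 nat 1 ip4 from any to any out via "${oif}"
    ${fwcmd} add 1010 allow ip4 from any to any out via "${oif}"
}

build_nat_rules
```

Run it as-is to review the generated rules, then with FWCMD=ipfw to load them. The order matters twice: `disable one_pass` must precede the nat rules, and the outbound stateful rules must `skipto` the nat rule instead of allowing the packet, or it leaves untranslated.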