Speaking of rc.firewall ..

Ian Smith smithi at nimnet.asn.au
Thu Oct 16 10:33:19 UTC 2008


I see that both HEAD and RELENG_7 rc.firewall have been updated for
in-kernel NAT functionality, but only for the 'open' and 'client' rulesets.

Is there any (functional) reason that the ${firewall_nat_enable} case is 
not also included in the 'simple' rules, where its different placement 
is determined by being preceded and anteceded by anti-spoofing rules?

I'm also slightly bemused by the lack (still) of any rules to allow any 
ICMP (especially necessary icmptypes for MTU discovery) in 'simple'?

cheers, Ian


More information about the freebsd-ipfw mailing list