Request for policy decision: kernel nat vs/and/or natd
Ian Smith
smithi at nimnet.asn.au
Sat Jan 8 04:02:33 UTC 2011
On Fri, 7 Jan 2011, Brandon Gooch wrote:
> On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
> > Folks,
> >
> > [ If someone implements an /etc/rc.d/ipfw reload command that reliably
> > works over a remote session without any open firewall window, great, but
> > I'd rather not discuss the related issues below in responses to any PR ]
> >
> > In order to address issues (and PRs) introduced by and since adding
> > kernel nat and more recently firewall_coscripts, before offering any
> > code it's clearly necessary to determine policy for what we should do
> > when both natd_enable and firewall_nat_enable are set in rc.conf.
> >
> > "Don't do that" is not a policy, people will and already are bumping
> > into this, affecting startup scripts and nat[d] rules in rc.firewall.
> >
> > We could:
> >
> > 1) Preference kernel nat over natd when both are enabled.
>
> I vote for #1.
Thanks. So far, that makes an overwhelming majority of 2 / NIL :)
I see that hrs at freebsd.org has just grabbed two related PRs:
kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
so this seems a good time to work up patches to that effect for review
(/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.
> What about the IPFW documentation regarding NAT in the Handbook? Will
> there be an update to the NAT instructions:
>
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
That's another can of worms. Personally I think the present page is so
full of deprecation, wrong assumptions and outright errors to be beyond
redemption; I'd like to if not replace it, at least preface it with a
section using rc.firewall out of the box to implement a minimal initial
firewall to get people going with client | simple | workstation rulesets
using more recent (than documented) rc.conf variables supporting that.
That said, I've never written in SGML and don't consider myself much
good at presentation docs anyway .. so first, some updated scripts.
cheers, Ian
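Added illustration of option 1 from the thread, not code from /etc/rc.d/ipfw or any FreeBSD script: a small policy resolver that reads natd_enable and firewall_nat_enable from a constructed rc.conf fragment and prefers kernel nat when both are set, warning about the conflict instead of starting both. The is_yes helper is a stand-in for rc.subr's checkyesno and the rc_get parser is assumed, not part of the base system.

```shell
#!/bin/sh
# Illustrative policy check (added example, not /etc/rc.d/ipfw): when both
# natd_enable and firewall_nat_enable are set, prefer kernel nat (option 1).

# Minimal stand-in for rc.subr's checkyesno: accepts yes/true/on/1, any case.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide which NAT backend the firewall scripts should drive.
# Args: natd_enable value, firewall_nat_enable value.
# Prints one of: kernel, natd, none. Warns on stderr when both are enabled.
resolve_nat_backend() {
    _natd="$1"; _knat="$2"
    if is_yes "$_knat"; then
        if is_yes "$_natd"; then
            echo "WARNING: natd_enable and firewall_nat_enable both set;" \
                 "using kernel nat, natd will not be started" >&2
        fi
        echo kernel
    elif is_yes "$_natd"; then
        echo natd
    else
        echo none
    fi
}

# Constructed rc.conf fragment showing the conflicting configuration.
sample_rc_conf='firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
firewall_nat_enable="YES"'

# Extract a variable's value from an rc.conf-style fragment (assumed helper):
# first match wins, surrounding double quotes are stripped.
rc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

main() {
    natd=$(rc_get natd_enable "$sample_rc_conf")
    knat=$(rc_get firewall_nat_enable "$sample_rc_conf")
    backend=$(resolve_nat_backend "$natd" "$knat")
    echo "selected NAT backend: $backend"
}

main "$@"
```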