ipfw dummynet vs. kernel NAT and firewall rules

Don Lewis truckman at FreeBSD.org
Fri Mar 11 07:32:43 UTC 2016


On 11 Mar, Ian Smith wrote:
> On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
>  > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
>  > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
>  > >  > On  9 Mar, Don Lewis wrote:
>  > >  > > On  9 Mar, Don Lewis wrote:
>  > >  > >> On  9 Mar, Don Lewis wrote:
>  > >  > >>> On  9 Mar, Freddie Cash wrote:
>  > >  > >>>> 
>  > >  > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>  > >  > >>> 
>  > >  > >>> Aha, I've got it set to 1.
>  > > 
>  > > I observe that in 99 cases out of 100, the default of 1 is undesired,
>  > > but it's too late to do anything but advise people - thanks Freddie!
> 
>  > Is there any reason why we shouldn't just change the default for
>  > 11-RELEASE?
> 
> Julian fortunately said why more succinctly than I could have :)
> 
> Perhaps we could add to rc.firewall, just as an example where NAT 
> (either in-kernel or natd) is enabled and where it's being setup:
> 
>   ${fwcmd} disable one_pass
> 
> would at least indicate that it's generally the Right Thing To Do in 
> the NAT case, but we have no dummynet examples, let alone the several 
> other overloaded uses of one_pass, so still have to rely on folklore ..
> 
> That said, I've had zero success in offering a patch to rc.firewall, 
> enabling kernel NAT in the 'simple' ruleset .. which Don figured out 
> anyway.
> 
> Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset 
> fails to allow any ICMP traffic at all?

Yes, I noticed that.  My local version is fixed.
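As an added example, not part of this thread or of FreeBSD's rc.firewall, here is an ipfw ruleset in rc.firewall's style that does what the thread suggests: it disables one_pass at the point where in-kernel NAT is set up, and it allows the ICMP traffic the 'simple' ruleset omits. The interface names em0/em1, the 192.168.1.0/24 inside network and the `build_ruleset` function are assumptions; by default the script only prints the ipfw commands it would run, so the ruleset can be reviewed on any system without touching a live firewall.

```shell
#!/bin/sh
# Illustrative rc.firewall-style ruleset (added example, not the FreeBSD
# rc.firewall code): in-kernel NAT with one_pass disabled, plus the ICMP
# rules the stock 'simple' ruleset lacks.  Interface and network names
# below are assumed placeholders.

# Default to printing the commands so the ruleset can be reviewed
# anywhere; set fwcmd=/sbin/ipfw in the environment to load it for real.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-em0}"                 # assumed outside (public) interface
iif="${iif:-em1}"                 # assumed inside (LAN) interface
inet="${inet:-192.168.1.0/24}"    # assumed inside network (constructed)

build_ruleset() {
    ${fwcmd} -f flush

    # With one_pass=1 (the default) a packet leaves the firewall right
    # after the nat rule translates it, so check-state and every rule
    # below nat never see it.  Disabling one_pass resumes the search at
    # the rule following nat, which a stateful NAT ruleset needs.
    ${fwcmd} disable one_pass

    ${fwcmd} nat 1 config if "${oif}" reset same_ports

    ${fwcmd} add 10 allow ip from any to any via lo0
    ${fwcmd} add 20 allow ip from any to any via "${iif}"

    # Inbound: untranslate first so the rules below see inside addresses.
    ${fwcmd} add 100 nat 1 ip4 from any to any in via "${oif}"
    ${fwcmd} add 200 check-state

    # Outbound from the inside network: create state on the private
    # addresses, then jump to the NAT rule instead of allowing here
    # (an allow at this point would accept the packet untranslated).
    ${fwcmd} add 210 skipto 400 tcp from "${inet}" to any setup keep-state out via "${oif}"
    ${fwcmd} add 220 skipto 400 udp from "${inet}" to any keep-state out via "${oif}"

    # ICMP, which the 'simple' ruleset does not allow at all: echo
    # requests go out through NAT; echo replies, unreachables (needed for
    # path-MTU discovery), source quench, time exceeded and parameter
    # problem are accepted back in.
    ${fwcmd} add 300 skipto 400 icmp from "${inet}" to any out via "${oif}" icmptypes 8
    ${fwcmd} add 310 allow icmp from any to any in via "${oif}" icmptypes 0,3,4,11,12

    # Anything else arriving from outside is logged and dropped.
    ${fwcmd} add 390 deny log ip from any to any in via "${oif}"

    # Outbound translation and the final accept, reached only via skipto
    # above or via a dynamic rule matched by check-state.
    ${fwcmd} add 400 nat 1 ip4 from any to any out via "${oif}"
    ${fwcmd} add 410 allow ip from any to any
}

build_ruleset
```

The numbering follows the usual stateful-NAT layout: the inbound nat rule sits before check-state so replies are untranslated before state lookup, the outbound keep-state rules use skipto rather than allow so the packet still reaches the nat rule, and the trailing allow at 410 is only reachable through that skipto or through a dynamic rule. Run it with `fwcmd=/sbin/ipfw` to load the rules for real.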
