ipwf dummynet vs. kernel NAT and firewall rules
Don Lewis
truckman at FreeBSD.org
Fri Mar 11 07:32:43 UTC 2016
On 11 Mar, Ian Smith wrote:
> On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > > > On 9 Mar, Don Lewis wrote:
> > > > >> On 9 Mar, Don Lewis wrote:
> > > > >>> On 9 Mar, Freddie Cash wrote:
> > > > >>>>
> > > > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> > > > >>>
> > > > >>> Aha, I've got it set to 1.
> > >
> > > I observe that in 99 cases out of 100, the default of 1 is undesired,
> > > but it's too late to do anything but advise people - thanks Freddie!
>
> > Is there any reason why we shouldn't just change the default for
> > 11-RELEASE?
>
> Julian fortunately said why more succinctly than I could have :)
>
> Perhaps we could add to rc.firewall, just as an example where NAT
> (either in-kernel or natd) is enabled and where it's being setup:
>
> ${fwcmd} disable one_pass
>
> would at least indicate that it's generally the Right Thing To Do in
> the NAT case, but we have no dummynet examples, let alone the several
> other overloaded uses of one_pass, so still have to rely on folklore ..
>
> That said, I've had zero success in offering a patch to rc.firewall,
> enabling kernel NAT in the 'simple' ruleset .. which Don figured out
> anyway.
>
> Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset
> fails to allow any ICMP traffic at all?
Yes, I noticed that. My local version is fixed.
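A ruleset along the lines the thread suggests, added here as an example (it is not from the thread or from FreeBSD's rc.firewall): it disables one_pass before the in-kernel NAT rules so that translated packets keep traversing the ruleset, and it permits the ICMP types that the stock 'simple' ruleset drops. The interface names, the LAN prefix and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD's rc.firewall: in-kernel NAT
# with ipfw, one_pass disabled, ICMP permitted.  Assumed names: external
# interface em0, LAN interface em1, LAN prefix 192.168.1.0/24.

fwcmd="${fwcmd:-/sbin/ipfw -q}"
oif="${oif:-em0}"
iif="${iif:-em1}"
lan="${lan:-192.168.1.0/24}"

setup_nat_rules() {
    ${fwcmd} -f flush

    # With one_pass=1 a packet is accepted as soon as the nat action finishes,
    # so no rule after the nat rule is ever evaluated.  Disable it so
    # translated packets continue through the ruleset.
    ${fwcmd} disable one_pass

    # In-kernel NAT instance bound to the external interface.
    ${fwcmd} nat 1 config if ${oif} same_ports unreg_only reset

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 allow ip from any to any via ${iif}

    # Inbound: undo the translation first so the later rules see the real
    # internal destination.  This only works with one_pass=0.
    ${fwcmd} add 200 nat 1 ip from any to any in via ${oif}
    # A dynamic-rule match runs the action of the rule that created it
    # (the skipto in rule 400), so return traffic ends up at rule 1010.
    ${fwcmd} add 210 check-state

    # ICMP: the stock 'simple' ruleset drops all of it; permit echo reply,
    # unreachable (path MTU discovery), echo request and time exceeded.
    ${fwcmd} add 300 allow icmp from any to any icmptypes 0,3,8,11

    # Outbound from the LAN: record state on the untranslated packet, then
    # jump to the NAT rule so the source is rewritten on the way out.
    ${fwcmd} add 400 skipto 1000 ip from ${lan} to any out via ${oif} keep-state

    ${fwcmd} add 900 deny log ip from any to any

    ${fwcmd} add 1000 nat 1 ip from any to any out via ${oif}
    ${fwcmd} add 1010 allow ip from any to any
}
```

Call setup_nat_rules from the place rc.firewall loads its rules; setting fwcmd to "echo ipfw" prints the rules instead of loading them.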