sysctl one_pass setting

Willem Jan Withagen wjw at digiware.nl
Tue Apr 30 15:58:04 UTC 2019


Hi,

Just a wandering question whilst I was looking into some trouble I could 
not explain.

I noticed some access to a system which I could not really explain, 
until I noticed that `net.inet.ip.fw.one_pass=0` was not set in the
/etc/sysctl file.

So things would only go thru the ipfw list once. But since that node was 
running some nat-s, it did need to have one_pass=1. And packets went 
thru on the match of the nat rule. Instead they should have been continued.

Is there a particular reason not to set one_pass to 0 on default?

The way it is now makes things more vulnerable if a user forgets to set this.

If there are no rules that require multiple passes it will not increase 
processing, and if an unknowing user adds a nat rule, he'll be safe from 
this pitfall.

Reading up in 'man ipfw' I actually see any reason to have it set to 1 
out of the box.

Or am I missing something very essential here?

--WjW
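As an added illustration (not part of the post above), a small Python model of how the one_pass setting changes the outcome for a packet matched by a nat rule; the ruleset, addresses and port redirect are constructed for the demo, and the default rule 65535 is modelled as deny, as in the default kernel configuration:

```python
# Added example (not from the original post): a minimal model of how ipfw
# walks a ruleset, to show what net.inet.ip.fw.one_pass changes for a nat
# rule. Rule numbers, addresses and the redirects are constructed for the demo.
from dataclasses import dataclass, replace


@dataclass
class Packet:
    proto: str
    dst: str
    dport: int


# Constructed nat instance: redirect_port tcp 10.0.0.5:22 203.0.113.10:22
# and redirect_port tcp 10.0.0.5:443 203.0.113.10:443
NAT_REDIRECTS = {
    ("tcp", "203.0.113.10", 22): ("10.0.0.5", 22),
    ("tcp", "203.0.113.10", 443): ("10.0.0.5", 443),
}


def apply_nat(pkt):
    """Rewrite the destination if a redirect matches (hypothetical nat instance)."""
    target = NAT_REDIRECTS.get((pkt.proto, pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt


# Constructed ruleset: (number, action, match predicate). Rule 65535 is the
# kernel's default rule; it denies, as with the default kernel configuration.
RULES = [
    (100, "nat", lambda p: True),  # nat 1 ip from any to any
    (200, "allow", lambda p: p.proto == "tcp" and p.dst == "10.0.0.5" and p.dport == 443),
    (65535, "deny", lambda p: True),
]


def ipfw_verdict(pkt, one_pass):
    """Return (verdict, rule_number) for pkt under the given one_pass value."""
    for num, action, match in RULES:
        if not match(pkt):
            continue
        if action == "nat":
            pkt = apply_nat(pkt)
            if one_pass:
                return "accept", num  # one_pass=1: the nat match ends processing
            continue  # one_pass=0: translated packet is reinjected at the next rule
        return action, num


if __name__ == "__main__":
    ssh = Packet("tcp", "203.0.113.10", 22)
    for op in (1, 0):
        print(f"one_pass={op}: ssh to public address ->", ipfw_verdict(ssh, op))
```

With one_pass=1 the redirected port 22 traffic is accepted straight out of the nat rule and never reaches the deny; with one_pass=0 it falls through to rule 65535 while port 443 is still allowed by rule 200.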
