From: Julian Elischer <julian@freebsd.org>
To: Mark Felder, Ian Smith, Don Lewis
Cc: freebsd-ipfw@freebsd.org, fjwcash@gmail.com
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
Date: Thu, 10 Mar 2016 12:34:37 -0800
Message-ID: <56E1DA5D.6060006@freebsd.org>
In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

On 10/03/2016 11:35 AM, Mark Felder wrote:
>
> On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
>> On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
>> > On 9 Mar, Don Lewis wrote:
>> > > On 9 Mar, Don Lewis wrote:
>> > >> On 9 Mar, Don Lewis wrote:
>> > >>> On 9 Mar, Freddie Cash wrote:
>> > >>>>
>> > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>> > >>>
>> > >>> Aha, I've got it set to 1.
>>
>> I observe that in 99 cases out of 100, the default of 1 is undesired,
>> but it's too late to do anything but advise people - thanks Freddie!
>
> Is there any reason why we shouldn't just change the default for
> 11-RELEASE?

yeah people will kill you. firewalls don't get rewritten by mergemaster.
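The thread turns on what net.inet.ip.fw.one_pass=1 does to a ruleset that mixes dummynet or kernel NAT with filtering: per ipfw(8), when one_pass is 1 a packet leaving a pipe, queue or nat rule is accepted at that point and is not re-injected at the next rule, so any deny rules numbered after it never see that traffic. The following audit script is an added example, not code from the thread or from the FreeBSD project. It reads a ruleset in `ipfw list` format from stdin, takes the one_pass value as an argument, and counts the filtering rules that sit after the first pipe/queue/nat rule; the sample ruleset and the fallback one_pass value are constructed for illustration, and the rule-keyword list it matches on is an assumption that covers the common actions only.

```shell
#!/bin/sh
# Added example (not from the thread): flag ipfw filtering rules that are
# shadowed for pipe/nat traffic when net.inet.ip.fw.one_pass=1.

# Constructed sample ruleset in `ipfw list` format. Rule 400 is meant to
# block inbound SSH, but with one_pass=1 anything that went through nat 1
# (rule 200) is accepted at rule 200 and never reaches rule 400.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 nat 1 ip from any to any via em0
00300 pipe 1 ip from any to any out via em0
00400 deny tcp from any to me dst-port 22 in via em0
65535 deny ip from any to any'

# Read the live sysctl on FreeBSD; fall back to the constructed value 1
# (the default the thread complains about) on systems without ipfw.
current_one_pass() {
    sysctl -n net.inet.ip.fw.one_pass 2>/dev/null || echo 1
}

# Print how many filtering rules follow the first pipe/queue/nat rule.
# Those rules are skipped for pipe/nat traffic when one_pass=1; with
# one_pass=0 the packet re-enters at the next rule, so nothing is shadowed.
# Args: $1 = one_pass value; stdin = ruleset from `ipfw list`.
shadowed_rule_count() {
    awk -v one_pass="$1" '
        # Field 2 is the rule action. Remember the first dummynet/nat rule.
        !seen && ($2 == "pipe" || $2 == "queue" || $2 == "nat") { seen = 1; next }
        # Count plain filtering actions that come after it (assumed list).
        seen && ($2 == "deny" || $2 == "allow" || $2 == "reject" ||
                 $2 == "drop" || $2 == "reset" || $2 == "unreach" ||
                 $2 == "count") { n++ }
        END { print (one_pass == 1) ? n + 0 : 0 }'
}

# Human-readable verdict for the ruleset on stdin; returns 1 when shadowed
# rules exist so the script is usable from a cron or rc check.
audit_one_pass() {
    count=$(shadowed_rule_count "$1")
    if [ "$count" -gt 0 ]; then
        echo "one_pass=$1: $count filtering rule(s) after the first pipe/nat rule are skipped for that traffic"
        return 1
    fi
    echo "one_pass=$1: no filtering rules shadowed by pipe/nat"
    return 0
}

# Stand-alone run against the constructed sample (on a FreeBSD box replace
# the sample with: ipfw list | audit_one_pass "$(current_one_pass)").
printf '%s\n' "$SAMPLE_RULES" | audit_one_pass 1 || true
printf '%s\n' "$SAMPLE_RULES" | audit_one_pass 0 || true
```

Setting one_pass=0 (the outcome Ian and Freddie recommend above) makes the count drop to zero because pipe and nat output re-enters the ruleset at the next rule; the alternative, if one_pass must stay 1, is to move the filtering rules ahead of the pipe/nat rules so the audit reports nothing after them.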