From owner-freebsd-ipfw@freebsd.org Fri Mar 11 04:46:47 2016
From: Ian Smith <smithi@nimnet.asn.au>
To: Mark Felder
Cc: Don Lewis, Julian Elischer, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com
Date: Fri, 11 Mar 2016 15:46:41 +1100 (EST)
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
Message-ID: <20160311151935.N61428@sola.nimnet.asn.au>
References: <201603092302.u29N2IYm012240@gw.catspoiler.org>
 <20160310165323.U61428@sola.nimnet.asn.au>
 <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com>
List-Id: IPFW Technical Discussions

On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > On 9 Mar, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > >> On 9 Mar, Don Lewis wrote:
> > > >>> On 9 Mar, Freddie Cash wrote:
> > > >>>>
> > > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> > > >>>
> > > >>> Aha, I've got it set to 1.
> >
> > I observe that in 99 cases out of 100, the default of 1 is undesired,
> > but it's too late to do anything but advise people - thanks Freddie!
>
> Is there any reason why we shouldn't just change the default for
> 11-RELEASE?

Julian fortunately said why more succinctly than I could have :)

Perhaps we could add to rc.firewall, just as an example where NAT (either
in-kernel or natd) is enabled and where it's being setup:

    ${fwcmd} disable one_pass

would at least indicate that it's generally the Right Thing To Do in the
NAT case, but we have no dummynet examples, let alone the several other
overloaded uses of one_pass, so still have to rely on folklore ..

That said, I've had zero success in offering a patch to rc.firewall,
enabling kernel NAT in the 'simple' ruleset .. which Don figured out
anyway.

Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset
fails to allow any ICMP traffic at all?

cheers, Ian
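The following is an added example, not code from this thread and not FreeBSD's own rc.firewall. It shows the ordering the mail argues for in an rc.firewall-style kernel-NAT ruleset: `disable one_pass` is issued before the `nat` rule, so a translated packet is re-injected at the next rule instead of leaving the firewall accepted, and the anti-spoofing, stateful and ICMP rules after it are still evaluated. The interface name, inside network, NAT instance number and rule numbers are placeholders chosen for the example; `fwcmd` defaults to `echo` so the script prints the commands rather than touching a live firewall, and a small checker confirms the ordering on that printed output.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.firewall).
# fwcmd defaults to "echo" to preview the rules; on a real host set
# fwcmd=/sbin/ipfw before running. em0 and 192.168.1.0/24 are placeholders.
fwcmd="${fwcmd:-echo}"

# emit_nat_ruleset OUTSIDE_IF INSIDE_NET
# Emits (or, with fwcmd=/sbin/ipfw, installs) a minimal in-kernel NAT ruleset.
emit_nat_ruleset() {
    oif="$1"
    inet="$2"

    ${fwcmd} -f flush

    # With one_pass=1 (the default) a packet that has gone through a nat,
    # pipe or queue rule exits the firewall accepted, so rules 300-900 below
    # are never consulted for it. With one_pass=0 it continues at rule 300.
    ${fwcmd} disable one_pass

    # NAT instance 1: translate only unregistered (RFC 1918) sources, and
    # reset the table when the interface address changes.
    ${fwcmd} nat 1 config if "${oif}" unreg_only reset

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 nat 1 ip4 from any to any via "${oif}"

    # Everything from here on is only reached because one_pass is off.
    ${fwcmd} add 300 deny ip from "${inet}" to any in via "${oif}"
    ${fwcmd} add 400 check-state
    ${fwcmd} add 500 allow tcp from "${inet}" to any out via "${oif}" setup keep-state
    ${fwcmd} add 600 allow udp from "${inet}" to any out via "${oif}" keep-state
    # The mail notes the 'simple' ruleset permits no ICMP at all; allow the
    # types needed for echo, destination-unreachable (incl. PMTU) and TTL exceeded.
    ${fwcmd} add 700 allow icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add 900 deny log ip from any to any
}

# check_one_pass_order: reads an emitted command list on stdin and returns 0
# only when "disable one_pass" appears before the first "add N nat 1" rule.
check_one_pass_order() {
    awk '
        /disable one_pass/ && !d { d = NR }
        /add [0-9]+ nat 1/ && !n { n = NR }
        END { exit !(d && n && d < n) }
    '
}

# Preview with the placeholder values and verify the ordering.
rules=$(emit_nat_ruleset "${1:-em0}" "${2:-192.168.1.0/24}")
printf '%s\n' "$rules"
if printf '%s\n' "$rules" | check_one_pass_order; then
    echo "ok: one_pass is disabled before the nat rule"
fi
```

Run it with no arguments to see the command list; run with `fwcmd=/sbin/ipfw sh script.sh em0 192.168.1.0/24` as root to install it. Keep `disable one_pass` ahead of the `nat` rule (the same holds for dummynet `pipe` and `queue` rules), because once a packet has been accepted by a one-pass exit no later rule can deny it.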