Date: Thu, 16 Oct 2008 21:33:16 +1100 (EST)
From: Ian Smith
To: freebsd-ipfw@freebsd.org
Subject: Speaking of rc.firewall ..
Message-ID: <20081016212110.T4254@sola.nimnet.asn.au>

I see that both HEAD and RELENG_7 rc.firewall have been updated for in-kernel NAT functionality, but only for the 'open' and 'client' rulesets.

Is there any (functional) reason that the ${firewall_nat_enable} case is not also included in the 'simple' rules, where its different placement is determined by being preceded and anteceded by anti-spoofing rules?

I'm also slightly bemused by the lack (still) of any rules to allow any ICMP (especially necessary icmptypes for MTU discovery) in 'simple'?

cheers, Ian