Date: Tue, 30 Apr 2019 17:57:54 +0200
From: Willem Jan Withagen <wjw@digiware.nl>
To: freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: sysctl one_pass setting
Message-ID: <1c555346-68ee-2f67-effb-8b3aca607264@digiware.nl>
Hi,

Just a wandering question whilst I was looking into some trouble I could not explain.

I noticed some access to a system which I could not really explain, until I noticed that `net.inet.ip.fw.one_pass=0` was not set in the /etc/sysctl file. So things would only go thru the ipfw list once. But since that node was running some nat-s, it did need to have one_pass=1. And packets went thru on the match of the nat rule. Instead they should have been continued.

Is there a particular reason not to set one_pass to 0 on default? The way it is now makes things more vulnerable if a user forgets to set this. If there are no rules that require multiple passes it will not increase processing, and if an unknowing user adds a nat rule, he'll be safe from this pitfall.

Reading up in 'man ipfw' I actually don't see any reason to have it set to 1 out of the box. Or am I missing something very essential here?

--WjW
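The pitfall the mail describes, as an added audit script (not part of the original message or of FreeBSD): with `one_pass` left at its default of 1, a packet that is translated by an `ipfw nat` rule is accepted right there, so the `allow`/`deny` rules placed after it are never evaluated; with `net.inet.ip.fw.one_pass=0` the translated packet re-enters the ruleset at the next rule. The script checks a sysctl.conf and an ipfw ruleset for exactly that combination. The file contents, the temporary paths, and the rule numbers are constructed samples; the real locations (/etc/sysctl.conf, /etc/ipfw.rules) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD.
# Flags a host whose ipfw ruleset contains nat rules while its sysctl.conf
# does not set net.inet.ip.fw.one_pass=0 (the pitfall described in the mail).

# Returns 0 if the given sysctl.conf explicitly sets one_pass to 0, 1 otherwise.
one_pass_disabled() {
    grep -Eq '^[[:space:]]*net\.inet\.ip\.fw\.one_pass[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# Returns 0 if the ruleset file contains at least one "add [num] nat ..." rule.
ruleset_uses_nat() {
    grep -Eq '^[[:space:]]*(ipfw[[:space:]]+)?(-q[[:space:]]+)?add[[:space:]]+[0-9]*[[:space:]]*nat[[:space:]]' "$1"
}

# Prints a verdict; returns 0 when safe, 1 when the pitfall is present.
audit_one_pass() {
    sysctl_conf=$1
    rules=$2
    if ruleset_uses_nat "$rules" && ! one_pass_disabled "$sysctl_conf"; then
        echo "PITFALL: nat rules present but one_pass is not 0;" \
             "rules after the nat rule are never reached for translated packets"
        return 1
    fi
    echo "ok: either no nat rules, or one_pass=0 is set"
    return 0
}

# --- constructed sample inputs (paths are assumptions, not real files) ---
tmp=$(mktemp -d)

# Ruleset: nat first, then the filtering the admin expects to run afterwards.
cat > "$tmp/ipfw.rules" <<'EOF'
ipfw -q add 100 nat 1 ip from any to any via em0
ipfw -q add 200 allow tcp from any to me 22 in via em0
ipfw -q add 65000 deny ip from any to any
EOF

# Weak setting: one_pass left at its default of 1 (nothing set).
cat > "$tmp/sysctl.bad" <<'EOF'
net.inet.ip.forwarding=1
EOF

# Corrected setting: translated packets continue through the ruleset.
cat > "$tmp/sysctl.good" <<'EOF'
net.inet.ip.forwarding=1
net.inet.ip.fw.one_pass=0
EOF

audit_one_pass "$tmp/sysctl.bad"  "$tmp/ipfw.rules" || true
audit_one_pass "$tmp/sysctl.good" "$tmp/ipfw.rules"
```

Run it against the live files with `audit_one_pass /etc/sysctl.conf /etc/ipfw.rules`; the sysctl check only covers the persistent configuration, so on a running box also compare it with `sysctl net.inet.ip.fw.one_pass`, since a value set at runtime without being written to sysctl.conf will not survive a reboot.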