Date: Fri, 7 Jan 2011 11:41:29 -0600 From: Brandon Gooch <jamesbrandongooch@gmail.com> To: Ian Smith <smithi@nimnet.asn.au> Cc: freebsd-ipfw@freebsd.org Subject: Re: Request for policy decision: kernel nat vs/and/or natd Message-ID: <AANLkTinXREwAvvSQDtA65je2OdWcDQ9qR8rCh3my_26A@mail.gmail.com> In-Reply-To: <20101223233437.Q27345@sola.nimnet.asn.au> References: <20101223233437.Q27345@sola.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <smithi@nimnet.asn.au> wrote: > Folks, > > [ If someone implements an /etc/rc.d/ipfw reload command that reliably > works over a remote session without any open firewall window, great, but > I'd rather not discuss the related issues below in reponses to any PR ] > > In order to address issues (and PRs) introduced by and since adding > kernel nat and more recently firewall_coscripts, before offering any > code it's clearly necessary to determine policy for what we should do > when both natd_enable and firewall_nat_enable are set in rc.conf. > > "Don't do that" is not a policy, people will and already are bumping > into this, affecting startup scripts and nat[d] rules in rc.firewall. > > We could: > > 1) Preference kernel nat over natd when both are enabled. I vote for #1. What about the IPFW documentation regarding NAT in the Handbook? Will there be an update to the NAT instructions: http://www.freebsd.org/doc/handbook/firewalls-ipfw.html -Brandon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinXREwAvvSQDtA65je2OdWcDQ9qR8rCh3my_26A>