From: Brandon Gooch
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 7 Jan 2011 11:41:29 -0600
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
List-Id: IPFW Technical Discussions
In-Reply-To: <20101223233437.Q27345@sola.nimnet.asn.au>

On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
> Folks,
>
> [ If someone implements an /etc/rc.d/ipfw reload command that reliably
> works over a remote session without any open firewall window, great, but
> I'd rather not discuss the related issues below in responses to any PR ]
>
> In order to address issues (and PRs) introduced by and since adding
> kernel nat and more recently firewall_coscripts, before offering any
> code it's clearly necessary to determine policy for what we should do
> when both natd_enable and firewall_nat_enable are set in rc.conf.
>
> "Don't do that" is not a policy, people will and already are bumping
> into this, affecting startup scripts and nat[d] rules in rc.firewall.
>
> We could:
>
> 1) Preference kernel nat over natd when both are enabled.

I vote for #1.

What about the IPFW documentation regarding NAT in the Handbook? Will
there be an update to the NAT instructions:

http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

-Brandon
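The policy Ian asks about and Brandon votes for (option 1: when both natd_enable and firewall_nat_enable are set, start kernel nat and not natd) can be expressed as a small resolution step. The following POSIX sh script is an added example for this thread, not code from FreeBSD's rc.d scripts or from either poster; the rc.conf variable names are the real ones, while the yesno and choose_nat functions, the warning text and the constructed rc.conf fragment are assumptions made for illustration. It also prints a warning when the two knobs conflict, so the administrator can still see the misconfiguration even though one backend wins.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.d code): decide which NAT backend an
# rc.d script would start given the rc.conf knobs natd_enable and
# firewall_nat_enable, following option 1 from the thread (prefer kernel
# nat when both are enabled). yesno and choose_nat are hypothetical
# helpers written for this example.

# Return 0 if the value is one of rc.conf's usual "yes" spellings.
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the chosen backend on stdout: "kernel", "natd", or "none".
# Arguments: $1 = firewall_nat_enable, $2 = natd_enable.
# When both are enabled, kernel nat wins and a warning goes to stderr so
# the conflicting rc.conf settings are not silently papered over.
choose_nat() {
    fw_nat="$1"
    natd="$2"
    if yesno "$fw_nat" && yesno "$natd"; then
        echo "warning: firewall_nat_enable and natd_enable both set; using kernel nat, natd not started" >&2
        echo kernel
    elif yesno "$fw_nat"; then
        echo kernel
    elif yesno "$natd"; then
        echo natd
    else
        echo none
    fi
}

# Constructed rc.conf fragment showing the conflicting case the thread
# describes (sample values, not taken from any real host).
rc_conf_sample='firewall_enable="YES"
firewall_nat_enable="YES"
natd_enable="YES"'

# rc.conf is itself sourced by sh, so reading the sample with eval
# mirrors how the rc scripts see these variables.
eval "$rc_conf_sample"
choose_nat "$firewall_nat_enable" "$natd_enable"
```

Running the script as written prints "kernel" on stdout and the conflict warning on stderr; with natd_enable="NO" it prints "kernel" without a warning, and with only natd_enable set it prints "natd".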