From: Ian Smith
To: Brandon Gooch
Cc: freebsd-ipfw@freebsd.org, hrs@freebsd.org
Date: Sat, 8 Jan 2011 15:02:29 +1100 (EST)
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
Message-ID: <20110108141111.A15397@sola.nimnet.asn.au>
References: <20101223233437.Q27345@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Fri, 7 Jan 2011, Brandon Gooch wrote:
> On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
> > Folks,
> >
> > [ If someone implements an /etc/rc.d/ipfw reload command that reliably
> > works over a remote session without any open firewall window, great, but
> > I'd rather not discuss the related issues below in responses to any PR ]
> >
> > In order to address issues (and PRs) introduced by and since adding
> > kernel nat and more recently firewall_coscripts, before offering any
> > code it's clearly necessary to determine policy for what we should do
> > when both natd_enable and firewall_nat_enable are set in rc.conf.
> >
> > "Don't do that" is not a policy, people will and already are bumping
> > into this, affecting startup scripts and nat[d] rules in rc.firewall.
> >
> > We could:
> >
> > 1) Preference kernel nat over natd when both are enabled.
>
> I vote for #1.

Thanks. So far, that makes an overwhelming majority of 2 / NIL :)

I see that hrs@freebsd.org has just grabbed two related PRs:

kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled

so this seems a good time to work up patches to that effect for review
(/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

> What about the IPFW documentation regarding NAT in the Handbook? Will
> there be an update to the NAT instructions:
>
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

That's another can of worms. Personally I think the present page is so
full of deprecation, wrong assumptions and outright errors to be beyond
redemption; I'd like to if not replace it, at least preface it with a
section using rc.firewall out of the box to implement a minimal initial
firewall to get people going with client | simple | workstation rulesets
using more recent (than documented) rc.conf variables supporting that.

That said, I've never written in SGML and don't consider myself much
good at presentation docs anyway .. so first, some updated scripts.

cheers, Ian
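An added sketch of policy #1 in POSIX sh, written for this page and not taken from Ian's pending patches or from FreeBSD's own /etc/rc.d/ipfw: it shows how a startup script could resolve the natd_enable / firewall_nat_enable conflict in favour of kernel nat while warning the administrator. The helper name resolve_nat_mode is an assumption; checkyesno is modelled on the rc.subr(8) function of the same name.

```sh
#!/bin/sh
# Illustration only: not FreeBSD's rc.d/ipfw and not the patches under
# discussion. Resolves which NAT mechanism the firewall scripts should
# start when rc.conf may enable both natd and kernel nat (ipfw nat).

# Modelled on rc.subr(8) checkyesno: yes/true/on/1 vs no/false/off/0,
# case-insensitive. An unset/empty variable is treated as "no" here so
# that absent rc.conf knobs produce no warning.
checkyesno() {
    eval _value=\$${1}
    case "$_value" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0|"") return 1 ;;
    *)  echo "warning: \$${1} is not set properly" >&2; return 1 ;;
    esac
}

# Assumed helper name. Prints one of: kernel, natd, none.
# Reads natd_enable and firewall_nat_enable from the environment, which
# is where rc.conf would normally have put them.
resolve_nat_mode() {
    if checkyesno firewall_nat_enable; then
        if checkyesno natd_enable; then
            # Policy #1: both enabled, kernel nat wins. The caller must
            # then also skip starting natd, or two translators will run.
            echo "warning: natd_enable and firewall_nat_enable both set;" \
                 "using kernel nat (ipfw nat) and ignoring natd" >&2
        fi
        echo kernel
    elif checkyesno natd_enable; then
        echo natd
    else
        echo none
    fi
}
```

A real rc.d script would call this before loading rc.firewall so that the nat[d] rules it installs match the translator that is actually started.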