Date:      Sat, 8 Jan 2011 15:02:29 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Brandon Gooch <jamesbrandongooch@gmail.com>
Cc:        freebsd-ipfw@freebsd.org, hrs@freebsd.org
Subject:   Re: Request for policy decision: kernel nat vs/and/or natd
Message-ID:  <20110108141111.A15397@sola.nimnet.asn.au>
In-Reply-To: <AANLkTinXREwAvvSQDtA65je2OdWcDQ9qR8rCh3my_26A@mail.gmail.com>
References:  <20101223233437.Q27345@sola.nimnet.asn.au> <AANLkTinXREwAvvSQDtA65je2OdWcDQ9qR8rCh3my_26A@mail.gmail.com>

On Fri, 7 Jan 2011, Brandon Gooch wrote:
 > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
 > > Folks,
 > >
 > > [ If someone implements an /etc/rc.d/ipfw reload command that reliably
 > > works over a remote session without any open firewall window, great, but
 > > I'd rather not discuss the related issues below in responses to any PR ]
 > >
 > > In order to address issues (and PRs) introduced by and since adding
 > > kernel nat and more recently firewall_coscripts, before offering any
 > > code it's clearly necessary to determine policy for what we should do
 > > when both natd_enable and firewall_nat_enable are set in rc.conf.
 > >
 > > "Don't do that" is not a policy, people will and already are bumping
 > > into this, affecting startup scripts and nat[d] rules in rc.firewall.
 > >
 > > We could:
 > >
 > > 1) Preference kernel nat over natd when both are enabled.
 > 
 > I vote for #1.

Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)

I see that hrs@freebsd.org has just grabbed two related PRs:

kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled

so this seems a good time to work up patches to that effect for review 
(/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

 > What about the IPFW documentation regarding NAT in the Handbook? Will
 > there be an update to the NAT instructions:
 > 
 > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

That's another can of worms.  Personally I think the present page is so 
full of deprecation, wrong assumptions and outright errors to be beyond 
redemption; I'd like to if not replace it, at least preface it with a 
section using rc.firewall out of the box to implement a minimal initial
firewall to get people going with client | simple | workstation rulesets 
using more recent (than documented) rc.conf variables supporting that.

That said, I've never written in SGML and don't consider myself much 
good at presentation docs anyway .. so first, some updated scripts.

cheers, Ian
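Added example, not code from the thread or from FreeBSD's rc.d scripts: a POSIX sh sketch of the policy option #1 that the thread settles on, i.e. when rc.conf sets both natd_enable and firewall_nat_enable, prefer kernel nat and warn that natd is being ignored. The function names, the "kernel | natd | none" result strings and the is_yes stand-in for rc.subr's checkyesno are assumptions of this example; the rc.conf lines used as input are constructed, and parsing them with sed is a simplification (the real rc framework sources the file with sh).

```shell
#!/bin/sh
# Added example (not from the thread or /etc/rc.d/ipfw): resolve which NAT
# mechanism to start when rc.conf may set both natd_enable and
# firewall_nat_enable, preferring kernel nat (policy option #1).
# Names and result strings are assumptions for this example.

# Stand-in for rc.subr's checkyesno: true for YES/TRUE/ON/1, false otherwise.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: resolve_nat_mode <firewall_nat_enable value> <natd_enable value>
# Prints one of: kernel, natd, none.  When both are enabled, kernel nat wins
# and a warning about the ignored natd setting goes to stderr.
resolve_nat_mode() {
    fw_nat="$1"
    natd="$2"
    if is_yes "$fw_nat"; then
        if is_yes "$natd"; then
            echo "ipfw: both firewall_nat_enable and natd_enable are set;" \
                 "using kernel nat, natd_enable ignored" >&2
        fi
        echo kernel
    elif is_yes "$natd"; then
        echo natd
    else
        echo none
    fi
}

# Read one variable from an rc.conf-style file: last assignment wins,
# surrounding quotes and a trailing "# comment" are stripped.
# Usage: rc_var <file> <variable name>
rc_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | tr -d '"' | tr -d "'" | sed 's/[[:space:]]*#.*$//'
}

# Usage: nat_mode_from_rcconf <file>
nat_mode_from_rcconf() {
    resolve_nat_mode "$(rc_var "$1" firewall_nat_enable)" \
                     "$(rc_var "$1" natd_enable)"
}

# Stand-alone use: pass an rc.conf path to see which mode would be chosen.
if [ "$#" -gt 0 ]; then
    nat_mode_from_rcconf "$1"
fi
```

Run as `sh nat_mode.sh /etc/rc.conf`; a system with both variables at YES prints `kernel` and a warning on stderr, so the conflict is visible at boot rather than silently starting two NAT paths.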


