On 11 Mar, Ian Smith wrote:
> On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > > > On 9 Mar, Don Lewis wrote:
> > > > >> On 9 Mar, Don Lewis wrote:
> > > > >>> On 9 Mar, Freddie Cash wrote:
> > > > >>>>
> > > > >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> > > > >>>
> > > > >>> Aha, I've got it set to 1.
> > >
> > > I observe that in 99 cases out of 100, the default of 1 is undesired,
> > > but it's too late to do anything but advise people - thanks Freddie!
>
> > Is there any reason why we shouldn't just change the default for
> > 11-RELEASE?
>
> Julian fortunately said why more succinctly than I could have :)
>
> Perhaps we could add to rc.firewall, just as an example where NAT
> (either in-kernel or natd) is enabled and where it's being setup:
>
> ${fwcmd} disable one_pass
>
> would at least indicate that it's generally the Right Thing To Do in
> the NAT case, but we have no dummynet examples, let alone the several
> other overloaded uses of one_pass, so still have to rely on folklore ..
>
> That said, I've had zero success in offering a patch to rc.firewall,
> enabling kernel NAT in the 'simple' ruleset .. which Don figured out
> anyway.
>
> Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset
> fails to allow any ICMP traffic at all?
Yes, I noticed that. My local version is fixed.
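The rc.firewall change Ian asks for above (issue `${fwcmd} disable one_pass` where kernel NAT is set up, plus an ICMP allowance the 'simple' ruleset lacks), written out as an added rc.firewall-style fragment; this is example code, not the thread's or FreeBSD's own rc.firewall. The outside interface em0, NAT instance 1, the rule numbers and the dry-run default `fwcmd="echo ipfw"` are assumptions.

```sh
#!/bin/sh
# Added rc.firewall-style fragment (not the thread's or FreeBSD's code):
# kernel NAT with one_pass disabled, plus ICMP the 'simple' ruleset omits.
# Assumptions: outside interface em0, NAT instance 1, the rule numbers.
# On a real host set fwcmd=/sbin/ipfw; the default "echo ipfw" is a dry
# run that prints the rules instead of loading them (left unquoted on
# purpose so "echo ipfw" splits into command and argument).
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-em0}"

nat_simple_rules() {
    ${fwcmd} -f flush

    # The point raised in the thread: with net.inet.ip.fw.one_pass=1 a
    # packet matching the nat rule is accepted right there and the rules
    # below never see it, so inbound traffic is translated but unfiltered.
    # With one_pass disabled, translated packets continue at the next rule.
    ${fwcmd} disable one_pass

    ${fwcmd} nat 1 config if ${oif} reset
    ${fwcmd} add 100 nat 1 ip from any to any via ${oif}

    # Everything below now applies to post-NAT packets as well.
    ${fwcmd} add 200 allow tcp from any to any established
    ${fwcmd} add 210 deny tcp from any to any in via ${oif} setup
    ${fwcmd} add 220 allow tcp from any to any setup
    ${fwcmd} add 230 allow udp from any to any 53 out via ${oif}
    ${fwcmd} add 240 allow udp from any 53 to any in via ${oif}

    # ICMP the 'simple' ruleset fails to allow: echo reply, destination
    # unreachable (path MTU discovery), echo request, time exceeded
    # (traceroute).
    ${fwcmd} add 300 allow icmp from any to any icmptypes 0,3,8,11

    ${fwcmd} add 65000 deny log ip from any to any
}

# Sanity check on the dry-run output: returns 0 if "disable one_pass" is
# issued before the nat rule, which is the ordering that matters.
one_pass_disabled_before_nat() {
    ( fwcmd="echo ipfw"; nat_simple_rules ) | awk '
        /disable one_pass/ { seen = NR }
        /add [0-9]+ nat /  { if (seen && seen < NR) ok = 1 }
        END { exit ok ? 0 : 1 }'
}
```

Run it as-is to review the generated ruleset; on the firewall host export `fwcmd=/sbin/ipfw` first so the same function loads the rules.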