Subject: Re: getting ipnat working
To: Laine Stump <lainestump@rcn.com>
From: James Wetterau <jwjr@ignition.name.net>
List: current-users
Date: 11/30/1999 22:48:18
Laine Stump says:
> At 07:30 PM 11/30/99 -0500, James Wetterau wrote:
> >Right, and if I tell my machine I want ipfiltering and ipnat'ing by
> >explicitly setting them to "YES" in rc.conf, I think the system should
> >turn ipforwarding on (i.e. do the sysctl for me at boot time), even
...
> At least for ipfilter, it is *very* useful in many cases to have
> ipforwarding off.
...

Sure, I can see that.

> As far as ipnat, using that in a situation where ipforwarding is off seems
> less likely, but I'm sure somebody will think of a reason given enough time.
> Perhaps a compromise could be to add a note to rc.conf reminding people
> that they need to turn ipforwarding on...

Well, that's the heart of the matter, so it's important to answer it
decisively.  The man pages say:

     Please Note That ipnat is not functional without ipf(8) running.  In ad-
     dition, the following kernel options need to be turned on in order to use
     ipnat: GATEWAY, IPFORWARDING and PFIL_HOOKS.  The sysctl

           ``sysctl net.inet.ip.forwarding''

     will inform you if IPFORWARDING is currently turned on in your kernel.

So, it seems to me that under no circumstances should one not want
IPFORWARDING if one also wants ipnat.  I would agree that if
configuring rc.conf so that ipnat is "YES" can possibly have any
meaning with IPFORWARDING set to 0, then your compromise solution of
adding a comment to manually turn on ipforwarding might make sense.
(And in any case it would be an improvement.)  But as I understand it
the purpose of rc.conf is to enable services at boot time, and ipnat
is not truly enabled unless IPFORWARDING is turned on in the kernel.
Moreover, it would be possible to do so easily from the /etc/rc file in
the "if checkyesno ipnat" section.  So not doing so seems to me to be
a choice to ignore the system administrator's stated configuration
desiderata and require the administrator to take additional steps to
enable that configuration.

Anyway, that's my opinion as a user, I probably haven't much more to
add to the discussion.

All the best,
James Wetterau
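The rc-time logic the mail proposes, written out as an added example (not code from the original message or from NetBSD's own /etc/rc). The `checkyesno` shown here is a simplified stand-in for the real rc.subr function, the rc.conf values are constructed, and a `DRY_RUN` switch is assumed so the sysctl command is printed rather than executed:

```shell
#!/bin/sh
# Added example: turn on net.inet.ip.forwarding at boot only when ipnat=YES.
# ipfilter alone is left alone, since running ipf with forwarding off is a
# legitimate configuration (the point made in the quoted text).

# Simplified checkyesno (stand-in for the rc.subr function): succeeds when the
# named rc.conf variable is yes/true/on/1, case-insensitively.
checkyesno() {
    eval _v=\"\$$1\"
    case "$_v" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Decision function: prints 1 if forwarding should be enabled, 0 otherwise.
# Keyed on ipnat, not ipfilter, for the reason given above.
want_forwarding() {
    if checkyesno ipnat; then
        echo 1
    else
        echo 0
    fi
}

# What the "if checkyesno ipnat" section of /etc/rc would run.
# DRY_RUN=1 (assumed name) prints the command instead of running it, which
# also keeps the example runnable without root and without a NetBSD kernel.
enable_forwarding() {
    if [ "$(want_forwarding)" = 1 ]; then
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "sysctl -w net.inet.ip.forwarding=1"
        else
            sysctl -w net.inet.ip.forwarding=1
        fi
    fi
}

# Constructed sample rc.conf settings, then a dry run:
ipfilter=YES
ipnat=YES
DRY_RUN=1
enable_forwarding
```

With `ipnat=NO` the function prints nothing and forwarding is left as the kernel's default, so an ipfilter-only host is unaffected.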