--- rc.firewall.1.69	Sun Jun 27 16:43:48 2010
+++ rc.firewall	Sun Jun 27 17:48:15 2010
@@ -142,20 +142,19 @@
 setup_ipv6_mandatory
 
 ############
-# Network Address Translation.  All packets are passed to natd(8)
-# before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd
-# starting at the rule number following the divert rule.
+# Network Address Translation.  All packets are passed to natd(8) or
+# kernel nat before they encounter your remaining rules.  The firewall
+# rules will then be run again on each packet after nat translation
+# starting at the rule number following the divert or nat rule.
 #
-# For ``simple'' firewall type the divert rule should be put to a
+# For ``simple'' firewall type the divert or nat rule is included in a
 # different place to not interfere with address-checking rules.
 #
-case ${firewall_type} in
-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+setup_nat () {
 	case ${natd_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
+			${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface}
 		fi
 		;;
 	esac
@@ -169,11 +168,11 @@
 				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
 			fi
 			${fwcmd} nat 123 config log ${firewall_nat_flags}
-			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
+			${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface}
 		fi
 		;;
 	esac
-esac
+}
 
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
@@ -188,6 +187,7 @@
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_nat 50
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -205,6 +205,8 @@
 	net="$firewall_client_net"
 	net6="$firewall_client_net_ipv6"
 
+	setup_nat 50
+
 	# Allow limited broadcast traffic from my own net.
 	${fwcmd} add pass all from ${net} to 255.255.255.255
 
@@ -245,6 +247,12 @@
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
 
+	# Allow outbound pings
+	${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
+
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 	# config file.
@@ -311,13 +319,7 @@
 	# translated by natd(8) would match the `deny' rule above.  Similarly
 	# an outgoing packet originated from it before being translated would
 	# match the `deny' rule below.
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
+	setup_nat
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
@@ -414,6 +416,12 @@
 
 	# Allow NTP queries out in the world
 	${fwcmd} add pass udp from me to any 123 keep-state
+
+	# Allow outbound pings from our net
+	${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
+
+	# Allow essential ICMP: unreachable, source quench, TTL exceeded
+	${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel