documentation about enabling IPFW

Matthew Seaman m.seaman at
Tue Feb 9 17:16:07 UTC 2010

On 09/02/2010 16:36, Steve Bertrand wrote:
> Robert Huff wrote:
>> 	Can someone affirmatively verify that this part (30.6.1) of the
>> Handbook is correct?  Particularly the last sentence.
>> 	Quote:
>> 		IPFW is included in the basic FreeBSD install as a
>> 		separate run time loadable module. The system will
>> 		dynamically load the kernel module when the rc.conf
>> 		statement firewall_enable="YES" is used. There is no need
>> 		to compile IPFW into the FreeBSD kernel unless NAT
>> 		functionality is desired.
> Yes, it is correct.
> You can also load during runtime:
> # kldload ipfw.ko

That's not really the issue with what the quoted paragraph says.
Enabling ipfw functionality by loading a kernel module is not under
contention.  The question is about ipfw+NAT.  That paragraph says you
have to compile ipfw into the kernel to use ipfw+NAT; however, on a
RELENG_8 system (at least) there's a loadable ipfw_nat.ko module.
Which very much implies you *don't* need to compile ipfw into the
kernel for ipfw+NAT nowadays.

I think that last part is out of date for recent releases where 'kernel
nat' is supported, but I'd ask again on freebsd-ipfw@ or freebsd-net@ to
be certain.



-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:                                              Ramsgate
                                                  Kent, CT11 9PW


More information about the freebsd-questions mailing list