NATD: net.inet.ip.fw.default_to_accept="1" vs firewall_type="OPEN"

Michael Ross gmx at
Fri Oct 11 03:41:09 UTC 2013

On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz  
<chrisstankevitz at> wrote:

> Hello,
> Handbook section 31.9 describes the setup of NAT.
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept="1" "during
> the first attempts to setup a firewall and NAT gateway".
> Section 31.9.5 suggests I "specify a predefined firewall ruleset that
> allows anything in" with firewall_type="OPEN"
> Question: What is the difference between these two configurations (or
> where can I go to learn the difference between the two)?
> Thank you,
> Chris


ipfw always has one default rule, standard is

	65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept="1", you get

	65535 allow ip from any to any


Specifing firewall_type="OPEN" gives you an additional rule

	65000 allow ip from any to any

Now, if for example you execute ``ipfw flush'', thus deleting all rules,
this deletes rule 65000, but the default rule stays in effect.
With ...default_to_accept="0" ( standard setting ) you now have disabled  
all network connections and locked yourself out if you're working remote.


More information about the freebsd-questions mailing list