The IPFW that wouldn't die.

Hello everyone.

I'm fiddling a bit about with IPFW on FreeBSD 9.2. In essence, I'd like it not to load, preferring PF instead. As I'm pretty new to BSD, I've currently come to the understanding that if /etc/defaults/rc.conf contains
Code:
firewall_enable="NO"
and /etc/rc.conf does not contain
Code:
firewall_enable="YES"
IPFW should not load at all.

In fact, my rc.conf only contains
Code:
hostname="BSD"
keymap="uk.dvorak.kbd"
powered_enable="YES"
dumpdev="NO"
zfs_enable="YES"

The remaining lines have been commented out with #

Despite this, at startup the machine will list an ipfw0 device when going through the network cards. If ipfw is queried using ipfw list, it'll respond with 65535 deny ip from any to any. Even if I add
Code:
firewall_enable="NO"
in the /etc/rc.conf and reboot the machine. This is a fairly new installation and to be honest, I didn't get the ipfw0 device till I, at one point, enabled it in rc.conf.
Now it just doesn't want to stay down.

Please help. I have no clue why I can't control the loading of IPFW.

Filson.
 
IPFW has a couple of parts. One is the kernel module, ipfw(4). If that kernel module is not loaded in /boot/loader.conf, ipfw(8) (the command) can't do anything. So... have you edited that file? Have you built a custom kernel?
 
Thank you for your reply. I have not built a custom kernel. /boot/loader.conf did contain a
Code:
ipfw_load="YES"
command as well as
Code:
ipdivert_load="YES"

As far as I could see in the FreeBSD book, ipdivert is a kernel option for enabling NAT through IPFW.

I took the liberty of commenting both lines out using #. Maybe that was a bit too overzealous. Does stopping ipdivert from loading mean I can't use NAT in PF?

After a reboot ipfw list now shows
Code:
ipfw: getsockopt(IP_FW_GET): Protocol not available
That seems to indicate to me that IPFW hasn't loaded. If so, thank you very much for your assistance.

filson.
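The two loading paths discussed in this thread, as an added example (not code from the thread or from FreeBSD itself): ipfw_load in /boot/loader.conf loads ipfw(4) directly, and otherwise the ipfw rc script loads it only when firewall_enable=YES, with /etc/rc.conf overriding /etc/defaults/rc.conf. The script below reads those settings from constructed sample files and reports which path, if any, will bring the module up at boot.

```shell
#!/bin/sh
# Added example, not from the thread: predict from the boot-time config
# files discussed above whether ipfw(4) will be present after a reboot.
# ipfw_load in /boot/loader.conf loads the module directly; otherwise
# /etc/rc.d/ipfw loads it only when firewall_enable=YES, with /etc/rc.conf
# overriding /etc/defaults/rc.conf. All file contents here are constructed.

# Effective value of variable $1 across the remaining files: the last
# uncommented assignment wins, and later files override earlier ones.
rc_value() {
    var="$1"; shift
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*'"$var"'="\{0,1\}\([^"#]*\)"\{0,1\}.*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val" | tr '[:lower:]' '[:upper:]'
}

# Args: loader.conf, defaults/rc.conf, rc.conf.
# Prints "loader" (module loaded by the loader), "rc" (loaded by the
# ipfw rc script), or "absent" (neither path loads it).
ipfw_boot_state() {
    if [ "$(rc_value ipfw_load "$1")" = "YES" ]; then
        echo loader
    elif [ "$(rc_value firewall_enable "$2" "$3")" = "YES" ]; then
        echo rc
    else
        echo absent
    fi
}

# Constructed samples: the poster's situation before and after commenting
# out the two loader.conf lines.
tmp=$(mktemp -d)
printf 'ipfw_load="YES"\nipdivert_load="YES"\n' > "$tmp/loader-before.conf"
printf '# ipfw_load="YES"\n# ipdivert_load="YES"\nzfs_load="YES"\n' > "$tmp/loader-after.conf"
printf 'firewall_enable="NO"\n' > "$tmp/defaults-rc.conf"
printf 'hostname="BSD"\nfirewall_enable="NO"\nzfs_enable="YES"\n' > "$tmp/rc.conf"

echo "before: $(ipfw_boot_state "$tmp/loader-before.conf" "$tmp/defaults-rc.conf" "$tmp/rc.conf")"
echo "after:  $(ipfw_boot_state "$tmp/loader-after.conf" "$tmp/defaults-rc.conf" "$tmp/rc.conf")"
```

With the sample files, the "before" case reports "loader", which matches why firewall_enable="NO" alone could not keep the module away, and the "after" case reports "absent".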
 