From: Matthew Seaman
Date: Tue, 09 Feb 2010 17:15:59 +0000
To: Steve Bertrand
Cc: Robert Huff, questions@freebsd.org
Subject: Re: documentation about enabling IPFW

On 09/02/2010 16:36, Steve Bertrand wrote:
> Robert Huff wrote:
>> Can someone affirmatively verify that this part (30.6.1) of the
>> Handbook is correct? Particularly the last sentence.
>> Quote:
>>
>> IPFW is included in the basic FreeBSD install as a
>> separate run time loadable module. The system will
>> dynamically load the kernel module when the rc.conf
>> statement firewall_enable="YES" is used. There is no need
>> to compile IPFW into the FreeBSD kernel unless NAT
>> functionality is desired.
>
> Yes, it is correct.
>
> You can also load during runtime:
>
> # kldload ipfw.ko

That's not really the issue with what the quoted paragraph says.
Enabling ipfw functionality by loading a kernel module is not under
contention.

The question is about ipfw+NAT. That paragraph says you have to compile
ipfw into the kernel to use ipfw+NAT, however on a RELENG_8 system (at
least) there's a loadable ipfw_nat.ko module. Which very much implies
you *don't* need to compile ipfw into the kernel for ipfw+NAT nowadays.

I think that last part is out of date for recent releases where 'kernel
nat' is supported, but I'd ask again on freebsd-ipfw@ or freebsd-net@ to
be certain.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey