From: "Foo Ji-Haw"
Date: Thu, 6 Oct 2005 11:30:40 +0800
Subject: Missing mention in ipfw in the Handbook

For what it's worth, I'd like to highlight a key point I think is missing in the ipfw section of the Handbook. This has been discussed earlier with help from this mailing list community. I am just formalising the documentation.

The firewall that comes with the default kernel (at least on the 5.4 release) comes with forwarding disabled. As a result, if you try to do an ipfw fwd (or ipfw forward), you will get a getsockopt error.
The Handbook (at this time of writing) did not mention the inclusion of:

    options IPFIREWALL_FORWARD

Recompiling the kernel with this thrown in will activate forwarding by default. I do not know if there is a sysctl parameter which can avoid the kernel recompile. If there is one, kindly contribute to the knowledge base (aka mailing list).

Hopefully this post will save the next FreeBSDer precious time.
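
A pre-flight check for the mismatch described in the message above, added here as an example and not part of the original post: it reports when a ruleset contains fwd/forward rules but the kernel configuration lacks options IPFIREWALL_FORWARD. The function names, sample file names and sample contents are assumptions constructed for illustration.

```shell
# Added example (not from the post). Assumed input formats: a kernel config
# with "options NAME" lines and a rules file with one ipfw command per line.
# kernel_has_option CONFIG NAME: succeeds if an uncommented "options NAME" exists.
kernel_has_option() {
    sed 's/#.*//' "$1" | awk -v opt="$2" '
        $1 == "options" { split($2, kv, "="); if (kv[1] == opt) found = 1 }
        END { exit !found }'
}

# count_fwd_rules RULES: prints how many rules use the fwd/forward action.
count_fwd_rules() {
    sed 's/#.*//' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "fwd" || $i == "forward") { n++; break } }
        END { print n + 0 }'
}

# check_fwd CONFIG RULES: returns 1 when fwd rules need an option the kernel lacks.
check_fwd() {
    n=$(count_fwd_rules "$2")
    if [ "$n" -eq 0 ]; then echo "ok: no fwd rules in $2"; return 0; fi
    if kernel_has_option "$1" IPFIREWALL_FORWARD; then
        echo "ok: $n fwd rule(s), IPFIREWALL_FORWARD set in $1"; return 0
    fi
    echo "fail: $n fwd rule(s) in $2, but $1 lacks options IPFIREWALL_FORWARD"
    return 1
}

# make_samples DIR: writes constructed sample files (not real system files).
make_samples() {
    cat > "$1/DEFAULT.sample" <<'EOF'
options   INET
#options  IPFIREWALL_FORWARD
EOF
    cat > "$1/CUSTOM.sample" <<'EOF'
options   IPFIREWALL
options   IPFIREWALL_FORWARD   # needed for ipfw fwd
EOF
    cat > "$1/ipfw.rules" <<'EOF'
add 200 fwd 192.0.2.10,3128 tcp from any to any 80
add 300 allow tcp from any to any 22   # not a fwd rule
EOF
}

if [ "${1:-}" = "demo" ]; then   # run the script with the argument "demo"
    d=$(mktemp -d); make_samples "$d"
    check_fwd "$d/DEFAULT.sample" "$d/ipfw.rules"
    check_fwd "$d/CUSTOM.sample" "$d/ipfw.rules"
    rm -rf "$d"
fi
```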