From: Matthew Seaman
Date: Sun, 26 Aug 2007 09:12:52 +0100
To: amin.scg@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Do I need to recompile my standard kernel to enable ipfw?

Aminuddin wrote:

> Do I need to do the above if I'm not using the NAT function?
> I'm using 6.2 release.

No. IPFW is available via a loadable kernel module. Just add

    firewall_enable="YES"

to /etc/rc.conf, choose your firewall type from /etc/rc.firewall and add

    firewall_type="FOO"

also to /etc/rc.conf plus write yourself a custom ruleset if you need something other than one of the prepackaged ones. Then reboot and test.

However, beware that the default setting without any firewall rules installed is 'block everything via the network', so make sure you've got console access when setting this up.

Also, I'd definitely recommend using PF rather than IPFW. Mostly that's personal preference, but I've used both IPFW and PF quite extensively, and IMHO PF blows IPFW out of the water.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
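
The lockout caveat in the message above can be checked before rebooting. This is an added example, not part of the original message or of FreeBSD: a POSIX sh helper (the names rc_get and ipfw_rc_verdict are hypothetical) that reads an rc.conf-style file and reports whether ipfw would come up with no usable ruleset. It assumes the prepackaged type names open, client, simple and closed from the stock /etc/rc.firewall, and rule file paths without spaces.

```shell
#!/bin/sh
# Added example; rc_get and ipfw_rc_verdict are hypothetical helpers, not FreeBSD tools.

# Print the last uncommented assignment of variable $1 in file $2, quotes stripped.
rc_get() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Classify what the rc.conf-style file $1 does to ipfw at next boot.
# Returns 1 when the host would come up blocking all network traffic.
ipfw_rc_verdict() {
    conf=$1
    enable=$(rc_get firewall_enable "$conf")
    fwtype=$(rc_get firewall_type "$conf")
    case $enable in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo "disabled"; return 0 ;;
    esac
    case $fwtype in
        ""|[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
            # Module loads but no rules are added: only the default
            # block-everything behaviour is left.
            echo "lockout-risk: enabled with no ruleset"; return 1 ;;
        [Cc][Ll][Oo][Ss][Ee][Dd])
            # Assumed from stock rc.firewall: "closed" denies all non-loopback traffic.
            echo "lockout-risk: closed ruleset"; return 1 ;;
        [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee])
            echo "prepackaged: $fwtype"; return 0 ;;
        *)
            # Anything else is treated as the path of a custom rule file.
            if [ -r "$fwtype" ]; then
                echo "custom: $fwtype"; return 0
            fi
            echo "lockout-risk: ruleset file $fwtype not readable"; return 1 ;;
    esac
}

# Constructed sample: firewall enabled, but no firewall_type chosen yet.
sample=$(mktemp)
printf 'firewall_enable="YES"\n' > "$sample"
ipfw_rc_verdict "$sample" || echo "fix rc.conf before rebooting, or keep console access"
rm -f "$sample"
```

On a real host the argument would be /etc/rc.conf; a non-zero return is the cue to have console access ready, as the message advises.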