IPFW: rule-based forwarding disabled

If you want to enable IPFW (or load the module) and you get "rule-based forwarding disabled" in dmesg... and you need forwarding, well, that is just too bad. You will need to enable IPFW forwarding support in the kernel.

Yes, you will have to compile a custom FreeBSD kernel.

It's not that awful, actually.

First off, make sure you have the kernel sources (i.e. in /usr/src/sys).

You will be better off if you will run sysinstall beforehand: select "Configure" -> "Distributions" -> "Src" -> select "base" and "sys" and install them.

Right, now you're ready to configure your kernel to support IPFW and forwarding.

cd /usr/src/sys/i386/conf

cp GENERIC NEWKERNEL

vim NEWKERNEL

Here, add the following:

options IPFIREWALL

options IPFIREWALL_VERBOSE

options IPFIREWALL_FORWARD

options IPFIREWALL_VERBOSE_LIMIT=5

options IPFIREWALL_DEFAULT_TO_ACCEPT

options IPDIVERT

Now you should be ready to compile the new kernel:

cd /usr/src

make buildkernel KERNCONF=NEWKERNEL

make installkernel KERNCONF=NEWKERNEL

reboot

Basically, you will now need to explicitly enable IPFW and to point to the location of the file containing its rules. So you can add to your /etc/rc.conf the following:

firewall_enable="YES"

firewall_script="/etc/ipfw.rules"

The command

# ipfw list

will show you which rules are in effect at the moment.

Further reading:

• IPFW
• FreeBSD handbook on building and installing custom kernels
• FreeBSD handbook: if something goes wrong